aws / aws-sdk-java

The official AWS SDK for Java 1.x. The AWS SDK for Java 2.x is available here: https://github.com/aws/aws-sdk-java-v2/

Home Page: https://aws.amazon.com/sdkforjava

Credential Provider Chain Not Working

roygeorgeP opened this issue · comments

commented

Describe the bug

I am trying to exercise the credential provider chain mechanism as documented here https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials-chain.html

The code snippet is

SecretsManagerClient client = SecretsManagerClient.builder()
        .region(Region.US_EAST_1)
        .build();

or

S3Client s3client = S3Client.builder()
        .region(Region.US_EAST_1)
        .build();

I would expect it to pull from the credential chain as mentioned in the documentation.

So, when I run my mvn command
mvn package -DAWS_ACCESS_KEY_ID="XXX" -DAWS_SECRET_ACCESS_KEY="YYY" -DAWS_SESSION_TOKEN="ZZZ"
pom.zip

an error is thrown...

But when I explicitly provide the tokens in the code the test works.

AwsBasicCredentials credentials = AwsBasicCredentials.create(awsAccessKey, awSecret);
StaticCredentialsProvider credentialsProvider = StaticCredentialsProvider.create(credentials);
SecretsManagerClient client = SecretsManagerClient.builder()
        .credentialsProvider(credentialsProvider)
        .region(Region.US_EAST_1)
        .build();

Expected Behavior

I would expect it to pull from the credential chain as mentioned in the documentation.

Current Behavior

Exception thrown
Time elapsed: 0.112 s <<< ERROR!
software.amazon.awssdk.core.exception.SdkClientException: Unable to load credentials from any of the providers in the chain AwsCredentialsProviderChain(credentialsProviders=[SystemPropertyCredentialsProvider(), EnvironmentVariableCredentialsProvider(), WebIdentityTokenCredentialsProvider(), ProfileCredentialsProvider(profileName=RSD-DM-API-Consumer, profileFile=ProfileFile(profilesAndSectionsMap=[{tfppqa=Profile(name=tfppqa, properties=[output, region, aws_access_key_id, aws_secret_access_key]), etoeksnonprod=Profile(name=etoeksnonprod, properties=[output, region, aws_access_key_id, aws_secret_access_key]), RSD-DM-API-Consumer=Profile(name=RSD-DM-API-Consumer, properties=[output, region, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY]), tfsdsprod=Profile(name=tfsdsprod, properties=[aws_access_key_id, aws_secret_access_key])}, {}])), ContainerCredentialsProvider(), InstanceProfileCredentialsProvider()]) : [SystemPropertyCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., EnvironmentVariableCredentialsProvider(): Unable to load credentials from system settings. 
Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., WebIdentityTokenCredentialsProvider(): Either the environment variable AWS_WEB_IDENTITY_TOKEN_FILE or the javaproperty aws.webIdentityTokenFile must be set., ProfileCredentialsProvider(profileName=RSD-DM-API-Consumer, profileFile=ProfileFile(profilesAndSectionsMap=[{tfppqa=Profile(name=tfppqa, properties=[output, region, aws_access_key_id, aws_secret_access_key]), etoeksnonprod=Profile(name=etoeksnonprod, properties=[output, region, aws_access_key_id, aws_secret_access_key]), RSD-DM-API-Consumer=Profile(name=RSD-DM-API-Consumer, properties=[output, region, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY]), tfsdsprod=Profile(name=tfsdsprod, properties=[aws_access_key_id, aws_secret_access_key])}, {}])): Profile file contained no credentials for profile 'RSD-DM-API-Consumer': ProfileFile(profilesAndSectionsMap=[{tfppqa=Profile(name=tfppqa, properties=[output, region, aws_access_key_id, aws_secret_access_key]), etoeksnonprod=Profile(name=etoeksnonprod, properties=[output, region, aws_access_key_id, aws_secret_access_key]), RSD-DM-API-Consumer=Profile(name=RSD-DM-API-Consumer, properties=[output, region, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY]), tfsdsprod=Profile(name=tfsdsprod, properties=[aws_access_key_id, aws_secret_access_key])}, {}]), ContainerCredentialsProvider(): Cannot fetch credentials from container - neither AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variables are set., InstanceProfileCredentialsProvider(): Failed to load credentials from IMDS.]

Reproduction Steps

The pom.xml has been attached to show the SDK version I am using.

The code snippet is

SecretsManagerClient client = SecretsManagerClient.builder()
        .region(Region.US_EAST_1)
        .build();

or

S3Client s3client = S3Client.builder()
        .region(Region.US_EAST_1)
        .build();

Run mvn command
mvn package -DAWS_ACCESS_KEY_ID="XXX" -DAWS_SECRET_ACCESS_KEY="YYY" -DAWS_SESSION_TOKEN="ZZZ"

Possible Solution

No response

Additional Information/Context

No response

AWS Java SDK version used

2.20.43

JDK version used

11

Operating System and version

Windows 10

This issue belongs to https://github.com/aws/aws-sdk-java-v2

-D defines a system property. It looks to me like the credential resolution failure was because the properties you defined are not the same properties read by SystemPropertyCredentialsProvider.

Give this a try.

mvn package -Daws_access_key_id="XXX" -Daws_secret_access_key="YYY" -Daws_session_token="ZZZ"

commented

I did an aws sts get-session-token --duration-seconds 129600
And I got a json

{
    "Credentials": {
        "AccessKeyId": "blah",
        "SecretAccessKey": "blah",
        "SessionToken": "blah",
        "Expiration": "2024-01-10T08:33:42+00:00"
    }
}

Then I tried using values from that in the mvn command below

mvn package -Daws_access_key_id=blah -Daws_secret_access_key=blah -Daws_session_token="blah"

And that does not work either.

commented

Looking through the code it should have been
-Daws.accessKeyId=xxx -Daws.secretAccessKey="yyy"......

Thanks for pointing to the code itself.
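
The naming mismatch this thread resolves, as a check you can run. This is an added example, not code from the issue or from the SDK: a JDK-only diagnostic that reports which of the names read by the first two providers in the chain are set, and flags look-alike `-D` names such as the ones tried above, without printing any secret value. The class name and `aws.sessionToken` (the SDK's property for the session token) do not appear in the thread.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Properties;

// Added example (not SDK code): reports which credential names are set, never their values.
public class CredentialSourceCheck {
    // {JVM system property, environment variable}. aws.sessionToken is not quoted in the
    // thread; it is only needed for temporary (STS) credentials.
    static final String[][] SETTINGS = {
        {"aws.accessKeyId", "AWS_ACCESS_KEY_ID"},
        {"aws.secretAccessKey", "AWS_SECRET_ACCESS_KEY"},
        {"aws.sessionToken", "AWS_SESSION_TOKEN"},
    };

    // Look-alike spellings compare equal once separators and case are stripped; blank counts as unset here.
    static String normalize(String n) { return n.replaceAll("[._]", "").toLowerCase(); }
    static boolean present(String v) { return v != null && !v.isBlank(); }

    static List<String> check(Properties props, Map<String, String> env) {
        List<String> report = new ArrayList<>();
        for (String[] s : SETTINGS) {
            if (present(props.getProperty(s[0]))) {
                report.add("OK   " + s[0] + " set as system property");
            } else if (present(env.get(s[1]))) {
                report.add("OK   " + s[1] + " set as environment variable");
            } else {
                report.add("MISS neither -D" + s[0] + " nor env " + s[1] + " is set");
            }
            // A -D name that differs only in case or separators is a system property
            // the provider never reads.
            for (String name : props.stringPropertyNames()) {
                if (!name.equals(s[0]) && normalize(name).equals(normalize(s[0]))) {
                    report.add("WARN -D" + name + " is ignored; use -D" + s[0]);
                }
            }
        }
        return report;
    }

    public static void main(String[] args) {
        Properties sample = new Properties(); // constructed input mirroring the thread's attempts
        sample.setProperty("AWS_ACCESS_KEY_ID", "XXX");
        sample.setProperty("aws_secret_access_key", "YYY");
        check(sample, Map.of()).forEach(System.out::println);
        System.out.println("--- this JVM ---");
        check(System.getProperties(), System.getenv()).forEach(System.out::println);
    }
}
```

Run it as a single source file on JDK 11 or later, passing the same `-D` options you give Maven before the file name, to see the check applied to the live JVM.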
