ex-aws / ex_aws

A flexible, easy to use set of clients AWS APIs for Elixir

Home Page: https://hex.pm/packages/ex_aws


secret_access_key must be a string, but instead is [{:awscli, :system, 30}]

andrejj opened this issue · comments

Environment

  • Elixir & Erlang versions (elixir --version): Elixir 1.14.2 (compiled with Erlang/OTP 24)
  • ExAws version mix deps | grep ex_aws
* ex_aws 2.4.1 (Hex package) (mix)
  locked at 2.4.1 (ex_aws) 803387db
* ex_aws_s3 2.3.3 (Hex package) (mix)
  locked at 2.3.3 (ex_aws_s3) 0044f0b6
* ex_aws_ssm 2.1.0 (Hex package) (mix)
  locked at 2.1.0 (ex_aws_ssm) a91a183d
* ex_aws_sts 2.3.0 (Hex package) (mix)
  locked at 2.3.0 (ex_aws_sts) f14e4c7d
  • HTTP client version. IE for hackney do mix deps | grep hackney
* hackney 1.18.1 (Hex package) (rebar3)
  locked at 1.18.1 (hackney) a4ecdaff

Current behavior

I'm trying to initialize the app by pulling config parameters from SSM.
Locally it works.
The problem is it doesn't work when I push the docker image to ECS.
When fetching data from SSM I get: "Required key: :secret_access_key must be a string, but instead is [{:awscli, :system, 30}]"

Config

config :ex_aws,
  secret_access_key: [{:awscli, :system, 30}],
  access_key_id: [{:awscli, :system, 30}],
  awscli_auth_adapter: ExAws.STS.AuthCache.AssumeRoleCredentialsAdapter

The docker_entrypoint script creates ~/.aws/config, before starting the application.

export AWS_PROFILE=role_spec
[profile role_spec]
  credential_source = Ec2InstanceMetadata
  role_arn = $AWS_ROLE_ARN

Expected behavior

I would expect the above file to initialize ex_aws correctly. I've seen it work with node's sdk.

secret_access_key: [{:awscli, :system, 30}],

I'm not sure what that :system is doing in there, but it should contain a profile name. In your case, it looks like it should be "role_spec".

@bernardd thank you for replying.

In the end I figured out that ex_aws, when running in an ECS task, had to get the key and secret id from the instance and assume a role.

I had to modify ex_aws_sts a bit. See this draft PR for details.
And then with that modification I was able to make it work with the config below:

    config :ex_aws,
      access_key_id: [{:awscli, :system, 30}],
      secret_access_key: [{:awscli, :system, 30}],
      awscli_auth_adapter: ExAws.STS.AuthCache.AssumeRoleCredentialsAdapter,
      awscli_credentials: %{
        # keyed by the same :system profile named in the tuples above
        system: %{
          role_arn: System.get_env("AWS_ROLE_ARN"),
          credential_source: "Ec2InstanceMetadata"
        }
      }

Faced a similar issue, was able to get it to work on the same version using the following config -

    config :ex_aws,
      secret_access_key: [{:awscli, "default", 30}],
      access_key_id: [{:awscli, "default", 30}],
      awscli_auth_adapter: ExAws.STS.AuthCache.AssumeRoleWebIdentityAdapter,
      awscli_credentials: %{
        "default" => %{
          role_arn: System.get_env("AWS_ROLE_ARN"),
          source_profile: "default"
        }
      }

Created a PR to update the Readme of Ex AWS STS repo - ex-aws/ex_aws_sts#33

Thanks both for the PRs.