Issues with profile-based credentials

[BVMiko]

Describe the bug

AWS CLI as well as boto3 implementation handle config & credentials files by reading the contents of both and consolidating them into a single associative array, prior to doing any processing. aws-sdk-php, on the other hand, only reads in one file when processing. This causes an issue when using assumed roles while organizing credentials the way recommended in the AWS CLI docs (the "IAM Role" tab here).

Specifically, when using a specific profile (configured the AWS_PROFILE environment variable) and using role_arn for the provided profile, the CredentialProvider doesn't search the ~/.aws/credentials file for the source_profile's credentials. This is different from how it works for other AWS config parsers (both AWS CLI and Python's boto3).

Expected Behavior

I expect that using the AWS_PROFILE=foobar environment variable will properly use STS by pulling the source credentials from ~/.aws/credentials.

Current Behavior

When processing the role_arn, it only searches for the credentials in the ~/.aws/config file, instead of the more appropriate ~/.aws/credentials file.

Reproduction Steps

With the ~/.aws/config:

[default]
region = us-east-1

[profile foobar]
source_profile = default
role_arn = arn:aws:iam::123:role/OrganizationAccessRole
region = us-east-1

And the ~/.aws/credentials file:

[default]
aws_access_key_id = ASIA...
aws_secret_access_key = ...
aws_session_token = ...

Use the AWS_PROFILE=foobar environment variable.

Possible Solution

The code here should first check the ~/.aws/credentials file with:

CredentialProvider::ini($sourceProfileName, null, $config)

and on rejection it should try the ~/.aws/config file as it is doing currently:

CredentialProvider::ini($sourceProfileName, $filename, $config)

Additional Information/Context

No response

SDK version used

3.283.2

Environment details (Version of PHP (php -v)? OS name and version, etc.)

PHP 8.2.11; Ubuntu Linux 22.04

[yenfryherrerafeliz]

Hi @BVMiko, sorry to hear about your issues. I can confirm the reported behavior so that I will add a needs-review label to it so we can address this further.

Test code:

<?php
require '../vendor/autoload.php';

use Aws\S3\S3Client;
use Aws\Credentials\CredentialProvider;

$client = new S3Client([
    'credentials' => CredentialProvider::ini('profile issue-2794', '/PATH/config'),
    'region' => 'us-east-2'
]);
$response = $client->listBuckets();

print_r($response);

/PATH/config

[profile issue-2794]
source_profile=default
role_arn=arn:aws:iam::account:role/Admin
region=us-east-2 

/PATH/credentials

[default]
aws_access_key_id=redacted
aws_secret_access_key=redacted
aws_session_token=redacted

Thanks!

[BVMiko]

Hi @yenfryherrerafeliz, I'm just checking to see if there's any chance of this being considered in the near future. I had to set up a pretty messy workaround with my development environment last year, but I'm going through to optimize things recently and was hoping to clean it up.

If there is any chance of it picking up some traction, let me know and I will rebase against the current master branch.

[BVMiko]

Hi @yenfryherrerafeliz, I'm working on a different project and it will be another good chance to use this if it had been merged in. Is there any chance of this being reviewed in the near future? It's been a very long time now, and I'm hoping to help fix up this bug if your team is willing.

Should I be pinging someone else, perhaps?

[BVMiko]

@stobrien89, I suspect that @yenfryherrerafeliz might not have been receiving my messages on this thread and it has been forgotten from over a year ago; I was wondering if you might be able to take a look and consider it? This is quite an annoyance for anyone using AWS Organizations and I'd like to see about getting it fixed.

[BVMiko]

@stobrien89 @yenfryherrerafeliz It's been a few more weeks; any chance you can read over this and see if it's something you guys are willing to accept a PR for in the first place?

All of the other AWS SDK systems that I've used behave consistently, it's only AWS-SDK-PHP that doesn't properly combine ~/.aws/config with ~/.aws/credentials.

It sees that you are responding to new issues promptly, perhaps comments to this issue are just not visible to you guys via a mail filter or something?

[yenfryherrerafeliz]

Hi @BVMiko, I apologize for not responding sooner. After doing some investigation I found that we actually parse profiles from both sources, ~/.aws/config and ~/.aws/credentials but we require setting an environment variable so this can actually work. The environment variable is AWS_SDK_LOAD_NONDEFAULT_CONFIG. In my testing scenarios I set it to true and it worked fine for me. I know that having to set a variable to make this to work does not look as the better customer experience, however, I will bring into discussion whether this behavior can be changed, or if, but from what I can tell, doing so looks a breaking change, because, other customers may be relaying on it to control this behavior. Either way I will answer you soon.

Thank you!