Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(credential-provider-node): emit warning when AWS_PROFILE is set alongside ENV credentials #6277

Merged
merged 1 commit into from
Jul 16, 2024

Conversation

kuhe
Copy link
Contributor

@kuhe kuhe commented Jul 15, 2024

Issue

#2549

Description

Emit a warning when the environment sets AWS_PROFILE in addition to the pair AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY.

We should be resolving the credential pair based on AWS SDK JSv2, AWS CLI, and documentation, but the current implementation prefers AWS_PROFILE.
Because this has been released for a very long time, we should set a warning instead of directly switching over to preferring the credential pair.

We could determine a specific date later on which to change the behavior over to preferring the credential pair.

Testing

manual, integ, unit

@kuhe kuhe requested a review from a team as a code owner July 15, 2024 17:21
if (!multipleCredentialSourceWarningEmitted) {
const warnFn =
init.logger?.warn && init.logger?.constructor?.name !== "NoOpLogger" ? init.logger.warn : console.warn;
warnFn(
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This warning is emitted here in the default provider chain rather than in the fromEnv provider function.

The reason for this is because when using the fromEnv provider in isolation, it doesn't matter if the AWS_PROFILE is set or not.

@trivikr
Copy link
Member

trivikr commented Jul 15, 2024

Example warning

@aws-sdk/credential-provider-node - defaultProvider::fromEnv WARNING:
    Multiple credential sources detected: 
    Both AWS_PROFILE and the pair AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY static credentials are set.
    This SDK will proceed with the AWS_PROFILE value.
    
    However, a future version may change this behavior to prefer the ENV static credentials.
    Please ensure that your environment only sets either the AWS_PROFILE or the
    AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY pair.

@kuhe kuhe merged commit d1105e3 into aws:main Jul 16, 2024
5 checks passed
@kuhe kuhe deleted the chore/fromEnv branch July 16, 2024 20:08
@P0rth0s
Copy link

P0rth0s commented Jul 24, 2024

@kuhe I believe this has introduced a regression.

TypeError: _d.debug is not a function at _a (/usr/src/app/node_modules/@aws-sdk/credential-provider-node/dist-cjs/index.js:96:48) at /usr/src/app/node_modules/@smithy/property-provider/dist-cjs/index.js:97:33 at coalesceProvider (/usr/src/app/node_modules/@smithy/property-provider/dist-cjs/index.js:121:17) at /usr/src/app/node_modules/@smithy/property-provider/dist-cjs/index.js:142:24 at /usr/src/app/node_modules/@smithy/core/dist-cjs/index.js:82:23 at processTicksAndRejections (node:internal/process/task_queues:95:5) at /usr/src/app/node_modules/@aws-sdk/middleware-logger/dist-cjs/index.js:34:22

I am currently working on a script to reproduce for you. This was observed on an ec2 instance after running npm update.

Copy link

github-actions bot commented Aug 8, 2024

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 8, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants