By default the auth in `~/.aws` is loaded
balloob opened this issue · 4 comments
Warrant will use the default boto configuration which is to load credentials from `~/.aws`. Not all requests to Cognito require requests to be signed in. Examples of these are register, authenticate, forgot password, confirm forgot password.

Botocore will blow up with a `NoCredentialsError` exception if `~/.aws` doesn't exist:
```
  File "/Users/paulus/dev/python/home-assistant/lib/python3.6/site-packages/warrant/__init__.py", line 289, in authenticate
    tokens = aws.authenticate_user()
  File "/Users/paulus/dev/python/home-assistant/lib/python3.6/site-packages/warrant/aws_srp.py", line 187, in authenticate_user
    ClientId=self.client_id
  File "/Users/paulus/dev/python/home-assistant/lib/python3.6/site-packages/botocore/client.py", line 251, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/Users/paulus/dev/python/home-assistant/lib/python3.6/site-packages/botocore/client.py", line 526, in _make_api_call
    operation_model, request_dict)
  File "/Users/paulus/dev/python/home-assistant/lib/python3.6/site-packages/botocore/endpoint.py", line 141, in make_request
    return self._send_request(request_dict, operation_model)
  File "/Users/paulus/dev/python/home-assistant/lib/python3.6/site-packages/botocore/endpoint.py", line 166, in _send_request
    request = self.create_request(request_dict, operation_model)
  File "/Users/paulus/dev/python/home-assistant/lib/python3.6/site-packages/botocore/endpoint.py", line 150, in create_request
    operation_name=operation_model.name)
  File "/Users/paulus/dev/python/home-assistant/lib/python3.6/site-packages/botocore/hooks.py", line 227, in emit
    return self._emit(event_name, kwargs)
  File "/Users/paulus/dev/python/home-assistant/lib/python3.6/site-packages/botocore/hooks.py", line 210, in _emit
    response = handler(**kwargs)
  File "/Users/paulus/dev/python/home-assistant/lib/python3.6/site-packages/botocore/signers.py", line 90, in handler
    return self.sign(operation_name, request)
  File "/Users/paulus/dev/python/home-assistant/lib/python3.6/site-packages/botocore/signers.py", line 147, in sign
    auth.add_auth(request)
  File "/Users/paulus/dev/python/home-assistant/lib/python3.6/site-packages/botocore/auth.py", line 316, in add_auth
    raise NoCredentialsError
botocore.exceptions.NoCredentialsError: Unable to locate credentials
```
We can set the cognito client to use unsigned requests for the user facing APIs (make account, reset password). I tried adding this in #59, however I ran into a problem where the admin tests actually rely on this.
I can't run the tests locally and the PR has since been reverted 😞
What is the solution for this?
Since the PR got reverted and I am unable to fix the code myself without being able to run the tests, I can't open a PR that would be ok to merge. You will have to patch the used client yourself. This is how Home Assistant does it
We experienced this issue with the `authenticate` call. As a workaround:

(1) Put `[default]` in `.aws/credentials` with empty access key values to avoid the exception.

```
[default]
aws_access_key_id=
aws_secret_access_key=
```

(2) Or pass a dummy `access_key` and `secret_key` when calling `Cognito()`:

```python
user = Cognito(
    userpool,
    userpool_appclientid,
    user_pool_region="xxx",
    username="xxx",
    access_key="dummy_not_used",
    secret_key="dummy_not_used",
)
```
It would be great to have this fixed :)
Khau's post would be a really nice addition to the docs, under "authentication", I think.