cloudfoundry-attic/bosh-init

Should AWS CPI respect AWS_* env vars


I configured my bosh-init manifest for an AWS deployment with cloud_provider.properties.aws.credentials_source set to env_or_profile with the expectation that my shell's AWS_* environment variables would be inherited by the cpi (using osx and bash). However, they didn't seem to make it that far, giving the following error...

$ bosh-init -v
version 0.0.80-a62aad7-2015-10-28T01:52:29Z
$ env | grep AWS_
AWS_SECRET_ACCESS_KEY=...snip...
AWS_ACCESS_KEY_ID=...snip...
$ bosh-init deploy bosh-init.yml
...snip...
Command 'deploy' failed:
  Deploying:
    Deleting existing instance 'unknown/0':
      Checking existance of vm for instance 'unknown/0':
        Checking existance of VM 'i-a1b2c3d4':
          CPI 'has_vm' method responded with error: CmdError{"type":"Unknown","message":"\nMissing Credentials.\n\nUnable to find AWS credentials.  You can configure your AWS credentials\na few different ways:\n\n* Call AWS.config with :access_key_id and :secret_access_key\n\n* Export AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to ENV\n\n* On EC2 you can run instances with an IAM instance profile and credentials\n  will be auto loaded from the instance metadata service on those\n  instances.\n\n* Call AWS.config with :credential_provider.  A credential provider should\n  either include AWS::Core::CredentialProviders::Provider or respond to\n  the same public methods.\n\n= Ruby on Rails\n\nIn a Ruby on Rails application you may also specify your credentials in\nthe following ways:\n\n* Via a config initializer script using any of the methods mentioned above\n  (e.g. RAILS_ROOT/config/initializers/aws-sdk.rb).\n\n* Via a yaml configuration file located at RAILS_ROOT/config/aws.yml.\n  This file should be formated like the default RAILS_ROOT/config/database.yml\n  file.\n\n","ok_to_retry":false}

Works fine when hard-coded the traditional way of course, but now that IAM roles are working wonderfully for the director (thank you!), I'd love to be able to drop these keys from my manifest at some point, too.

Not sure if this is a feature request or a bug.

Hi, @dpb587! Could you tell me why you consider that AWS_* variables should work?

As far as I can see, AWS CPI doesn't pay attention to environment variables at all. All properties to run the CPI are taken from the manifest (you can see it here). After that, AWS CPI doesn't use any data from the system to create instances using aws-sdk (link).

Ok, I see. aws-sdk has such an ability. This means that the reason is that bosh-init cleans the environment.

Here is how it works now:

  1. environment for system command is cleaned if UseIsolatedEnv variable is set to true (link);
  2. UseIsolatedEnv is set strictly to true, when CPI binary is executed (link).

A possible solution here is to have some env variable like BOSH_INIT_ISOLATE_ENV, defaulting to true, to pass as the UseIsolatedEnv parameter. As for me, I've never needed such a feature, but it could be requested by the community. What do you think @voelzmo @cppforlife ?
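As an added example (not code from bosh-init or from anyone in this thread), a small Go program showing the mechanism the comment above describes: in os/exec a non-nil empty `cmd.Env` starts the child with no variables at all, which is why a CPI launched that way never sees the shell's AWS_* credentials. The `BOSH_INIT_ISOLATE_ENV` switch is the hypothetical name from the thread, and `env(1)` stands in for the CPI binary; both are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"sort"
	"strings"
)

// childEnv is what the CPI subprocess receives: a non-nil empty slice means "cleaned", nil would inherit.
func childEnv(parent []string, isolated bool) []string {
	if isolated {
		return []string{}
	}
	return append([]string(nil), parent...)
}
// awsVarNames returns the sorted AWS_* variable names found in KEY=VALUE lines.
func awsVarNames(env []string) []string {
	names := []string{}
	for _, kv := range env {
		if strings.HasPrefix(kv, "AWS_") {
			names = append(names, strings.SplitN(kv, "=", 2)[0])
		}
	}
	sort.Strings(names)
	return names
}
// probeCPI stands in for the CPI binary: it runs env(1) the way bosh-init would and reports the AWS_* names it saw.
func probeCPI(isolated bool) ([]string, error) {
	envBin, err := exec.LookPath("env") // resolved in the parent; the isolated child has no PATH
	if err != nil {
		return nil, err
	}
	cmd := exec.Command(envBin)
	cmd.Env = childEnv(os.Environ(), isolated)
	out, err := cmd.Output()
	if err != nil {
		return nil, err
	}
	return awsVarNames(strings.Split(string(out), "\n")), nil
}

func main() {
	os.Setenv("AWS_ACCESS_KEY_ID", "constructed-sample-not-a-real-key") // constructed for the demo
	// Hypothetical BOSH_INIT_ISOLATE_ENV switch: anything but "false" keeps today's isolation.
	isolated := os.Getenv("BOSH_INIT_ISOLATE_ENV") != "false"
	fmt.Println(probeCPI(isolated)) // [] <nil> by default; [AWS_ACCESS_KEY_ID] <nil> with BOSH_INIT_ISOLATE_ENV=false
}
```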

@dpb587 @allomov that's an unfortunate naming of env_or_profile. It's really just profile. It just happens that deep inside the cpi, aws-sdk has that option. I'll update docs-bosh to indicate that.

As far as I can see, env_or_profile will not work now with bosh-init, because bosh-init cleans the environment before calling the CPI binary.

@allomov correct. That's intended behavior, to keep it consistent for now, since there is no way to make this work when the CPI is deployed on the remote machine.

Thanks for clarifying. Since it's intentional, I guess I'll try to figure out some other way to avoid versioning and committing my credentials in the manifest.