secret_access_key must be a string, but instead is [{:awscli, :system, 30}]
andrejj opened this issue · 4 comments
Environment
- Elixir & Erlang versions (elixir --version):
Elixir 1.14.2 (compiled with Erlang/OTP 24)
- ExAws version
mix deps | grep ex_aws
* ex_aws 2.4.1 (Hex package) (mix)
locked at 2.4.1 (ex_aws) 803387db
* ex_aws_s3 2.3.3 (Hex package) (mix)
locked at 2.3.3 (ex_aws_s3) 0044f0b6
* ex_aws_ssm 2.1.0 (Hex package) (mix)
locked at 2.1.0 (ex_aws_ssm) a91a183d
* ex_aws_sts 2.3.0 (Hex package) (mix)
locked at 2.3.0 (ex_aws_sts) f14e4c7d
- HTTP client version. IE for hackney do
mix deps | grep hackney
* hackney 1.18.1 (Hex package) (rebar3)
locked at 1.18.1 (hackney) a4ecdaff
Current behavior
I'm trying to initialize the app by pulling config parameters from SSM.
Locally it works.
The problem is it doesn't work when I push the docker image to ECS.
When fetching data from SSM I get: "Required key: :secret_access_key must be a string, but instead is [{:awscli, :system, 30}]"
Config
    config :ex_aws,
      secret_access_key: [{:awscli, :system, 30}],
      access_key_id: [{:awscli, :system, 30}],
      awscli_auth_adapter: ExAws.STS.AuthCache.AssumeRoleCredentialsAdapter
The docker_entrypoint script creates ~/.aws/config before starting the application.
export AWS_PROFILE=role_spec
[profile role_spec]
credential_source = Ec2InstanceMetadata
role_arn = $AWS_ROLE_ARN
Expected behavior
I would expect the above file to initialize ex_aws correctly. I've seen it work with node's sdk.
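A hardened form of the entrypoint step described in this issue, as an added example that is not part of the original thread or of ExAws; the function name `write_aws_profile`, its arguments and the validation patterns are assumptions. It writes the same three-line profile, but refuses an unset or malformed `AWS_ROLE_ARN` (including one carrying a newline, which would add extra keys to the file) and creates the file owner-only.

```sh
#!/bin/sh
# Added example (hypothetical helper, not from the issue or from ExAws).
# write_aws_profile DEST_DIR PROFILE ROLE_ARN [CREDENTIAL_SOURCE]
write_aws_profile() {
    dest_dir=$1; profile=$2; role_arn=$3; cred_source=${4:-Ec2InstanceMetadata}
    nl='
'
    # A newline in either value would let it inject extra keys or sections.
    case "$profile$role_arn" in
        *"$nl"*) echo "newline in profile or role ARN" >&2; return 1 ;;
    esac
    printf '%s\n' "$profile" | grep -Eq '^[A-Za-z0-9_-]+$' || {
        echo "invalid profile name" >&2; return 1; }
    # Fail closed when AWS_ROLE_ARN is empty or is not an IAM role ARN.
    printf '%s\n' "$role_arn" |
        grep -Eq '^arn:aws(-[a-z]+)*:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$' || {
        echo "AWS_ROLE_ARN is unset or not an IAM role ARN" >&2; return 1; }
    # The three values the AWS CLI accepts for credential_source.
    case $cred_source in
        Environment|Ec2InstanceMetadata|EcsContainer) ;;
        *) echo "unsupported credential_source: $cred_source" >&2; return 1 ;;
    esac
    (
        umask 077                       # directory and file readable by owner only
        mkdir -p "$dest_dir" &&
        tmp=$(mktemp "$dest_dir/config.XXXXXX") &&
        printf '[profile %s]\ncredential_source = %s\nrole_arn = %s\n' \
            "$profile" "$cred_source" "$role_arn" > "$tmp" &&
        mv "$tmp" "$dest_dir/config"    # atomic replace, no half-written file
    )
}

# Entrypoint usage (left commented so the function can be sourced):
# write_aws_profile "$HOME/.aws" role_spec "$AWS_ROLE_ARN" && export AWS_PROFILE=role_spec
```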
secret_access_key: [{:awscli, :system, 30}],
I'm not sure what that :system is doing in there, but it should contain a profile name. In your case, it looks like it should be "role_spec".
@bernardd thank you for replying.
At the end I figured that ex_aws, when running in an ECS task, had to get the key and secret id from the instance and assume a role.
I had to modify ex_aws_sts a bit. See this draft PR for details.
And with that modification I was able to make it work with the config below:
    config :ex_aws,
      access_key_id: [{:awscli, :system, 30}],
      secret_access_key: [{:awscli, :system, 30}],
      awscli_auth_adapter: ExAws.STS.AuthCache.AssumeRoleCredentialsAdapter,
      awscli_credentials: %{
        system: %{
          role_arn: System.get_env("AWS_ROLE_ARN"),
          credential_source: "Ec2InstanceMetadata"
        }
      }
Faced a similar issue, was able to get it to work on the same version using the following config -
    config :ex_aws,
      secret_access_key: [{:awscli, "default", 30}],
      access_key_id: [{:awscli, "default", 30}],
      awscli_auth_adapter: ExAws.STS.AuthCache.AssumeRoleWebIdentityAdapter,
      awscli_credentials: %{
        "default" => %{
          role_arn: System.get_env("AWS_ROLE_ARN"),
          source_profile: "default"
        }
      }
Created a PR to update the Readme of Ex AWS STS repo - ex-aws/ex_aws_sts#33
Thanks both for the PRs..