Unable to set aws credentials in v3.2.0
Closed this issue ยท 14 comments
const logger = winston.createLogger({
transports: [
new WinstonCloudWatch({
name: `/my-log/${stage}`,
logGroupName: `/aws/s3/${repoName}`,
logStreamName: 'log-stream',
awsRegion: 'ap-northeast-2',
awsAccessKeyId: stage === 'prod' ? process.env.PROD_ACCESS_KEY_ID : process.env.DEV_ACCESS_KEY_ID,
awsSecretKey: stage === 'prod' ? process.env.PROD_SECRET_ACCESS_KEY : process.env.DEV_SECRET_ACCESS_KEY
})
]
})In winston-cloudwatch v3.1.1 with aws-sdk v2 you could set the awsAccessKeyId, awsSecretKey options.
However, in winston-cloudwatch v3.2.0 using aws-sdk v3, even setting the awsAccessKeyId and awsSecretKey options causes the credentials error as shown below.
You're probably looking at the credentials set in your .aws/credentials file.
I want to be able to set the awsAccessKeyId and awsSecretKey in the winston-cloudwatch option, without the .aws/credentials file.
Just to add additional context here, this is also an issue 4.0.1 - and last worked in 3.1.1 for me. As a workaround, if using Elastic Beanstalk, attaching the Cloudwatch Full policy to the account running Beanstalk got things working again for me.
What is the correct way to set the AWS credentials now?
I've tried to create a credentials file in a .aws directory in the root of the project, with the content
[default]
aws_access_key_id=...
aws_secret_access_key=...
As per the AWS documentation, but I still receive the same error (CredentialsProviderError: Could not load credentials from any providers).
And when I tried to go back to 3.1.1, I now receive a The security token included in the request is invalid. error.
Ok, digging more into it, the .aws/credentials file needs to be in the user directory (see this page).
However digging even further, I seem to have found an override for the file path location (found in @aws-sdk/shared-ini-file-loader/dist-es/getCredentialsFilepath.js).
You can provide an environment variable called AWS_SHARED_CREDENTIALS_FILE which points to that credentials file. And only if this variable is not set it will default to the user directory and to .aws/credentials.
So setting e.g. AWS_SHARED_CREDENTIALS_FILE=./config/.aws seems to work for providing the AWS info within your node project folder.
I've also found that you could set the credentials directly in your environment variable, with AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, however in this case it also expects an AWS_SESSION_TOKEN (and possibly an AWS_CREDENTIAL_EXPIRATION as well), which you don't seem to be be able to retrieve without somehow authenticating first.
So directly setting the AWS credentials in your environment variables (or .env file) is not possible, at least not without further work and/or investigation.
In our case, we are already using the AWS SDK and AWS_* env vars. We need to specifically pass in values pulled from alternately-named env vars. 3.1.1 works for our needs.
this still seems to be an issue in 6.x -- has anyone looked into why to open a pull request?
Sorry for being so late, I managed to get some time to work on this given the time you've been waiting.
I followed this guide but unfortunately I am not able to replicate, so my suspect is that I did not correctly understand the issue here; this is what I am doing:
$ AWS_ACCESS_KEY_ID=? AWS_SECRET_ACCESS_KEY=? node credentials-test.js
const WinstonCloudWatch = require('../index')
const logger = winston.createLogger({
transports: [
new WinstonCloudWatch({
name: `log`,
logGroupName: `group-name`,
logStreamName: 'stream-name',
awsRegion: 'eu-west-2'
})
]
})
logger.error('2');I got 2 logged in AWS.
the issue is that defining the API credentials in the initialization class is ignored
if you have them set within ~/.aws/credentials or the environment it uses them correctly
if that's the direction of then package that's fine, I built a work around that generates the credentials files in docker and I know that assigning roles to the running container is the appropriate runtime solution -- just juggling priority as you do in a startup
simple steps to reproduce:
- remove default profile from .awsconfig (or rename it)
- set credentials to CORRECT VALUES in
new WinstonCloudwatch({awsAccessKeyId: 'aaaa', awsSecretKey: 'bbbb'})
Attempt to write a log. Code will fail with error CredentialsProviderError: Could not load credentials from any providers at lib.ensureGroupPresent when it calls aws.describeLogStreams
somehow this is function call is using the default credentials, despite passing in (and tracing) the fact that it is using custom credentials)
I have been able to circumvent this by specifying the CloudWatchLogsClientConfig directly though awsOptions
new WinstonCloudWatch({
...,
awsOptions: {
credentials: {
accessKeyId,
secretAccessKey,
},
region,
}
})I have been able to circumvent this by specifying the
CloudWatchLogsClientConfigdirectly thoughawsOptionsnew WinstonCloudWatch({ ..., awsOptions: { credentials: { accessKeyId, secretAccessKey, }, region, } })
Thanks @nikhilrajaram, It worked for me too
I have been able to circumvent this by specifying the
CloudWatchLogsClientConfigdirectly thoughawsOptionsnew WinstonCloudWatch({ ..., awsOptions: { credentials: { accessKeyId, secretAccessKey, }, region, } })
Thanks @nikhilrajaram
In this way the issue was resolved.
@lazywithclass
I would appreciate it if you could edit the README.
Done https://github.com/lazywithclass/winston-cloudwatch/blob/master/README.md#credentials
Thanks for the help everyone, it's much appreciated!
I have been able to circumvent this by specifying the
CloudWatchLogsClientConfigdirectly thoughawsOptionsnew WinstonCloudWatch({ ..., awsOptions: { credentials: { accessKeyId, secretAccessKey, }, region, } })
this solution works fine. Thanks!