lithops-cloud/lithops

Why do AWS credentials have to be hard coded into config files?

rabernat opened this issue · 4 comments

Thanks for your work on this great library! For context, I collaborate with @tomwhite on cubed which targets Lithops as an execution engine.

I am trying to get Lithops running on AWS lambda, and I'm puzzled by the requirement that AWS access key and secret have to be hard coded into a config file. This feels counter to best practices for AWS authentication. In general, it would be nice to have the same authentication precedence options as in the AWS CLI.

In particular, I would like to

  • Be able to assume a role attached to an EC2 instance without providing any credentials at all
  • Use AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables

Is something like this on the roadmap?

Following up on this a bit...

It looks like it would be sufficient to just leave out / set to None aws_access_key_id and aws_secret_access_key in these lines. boto3 will automatically detect credentials in the correct way.

    self.aws_session = boto3.Session(
        aws_access_key_id=lambda_config['access_key_id'],
        aws_secret_access_key=lambda_config['secret_access_key'],
        aws_session_token=lambda_config.get('session_token'),
        region_name=self.region_name
    )

So simply removing this check should fix my issue:

    if not {'access_key_id', 'secret_access_key'}.issubset(set(config_data['aws'])):
        raise Exception("'access_key_id' and 'secret_access_key' are mandatory under the 'aws' section of the configuration")
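An added example, not part of the thread and not the Lithops code or the patch mentioned in it: one way to make the static keys optional so that boto3's own credential resolution (environment variables, instance role) applies when they are absent. The names `session_kwargs` and `make_session` and the sample values are assumptions made for illustration.

```python
def session_kwargs(aws_config, region_name):
    """Build boto3.Session keyword arguments from the 'aws' config section.

    Static keys are passed only when both are present. When neither is set,
    no credential arguments are passed, so boto3 resolves credentials itself
    (environment variables, shared credentials file, instance role).
    """
    aws_config = aws_config or {}
    key_id = aws_config.get('access_key_id')
    secret = aws_config.get('secret_access_key')
    token = aws_config.get('session_token')

    # A half-configured pair is almost always a mistake: fail loudly instead
    # of silently falling back to whatever ambient credentials exist.
    if bool(key_id) != bool(secret):
        raise ValueError("'access_key_id' and 'secret_access_key' must be "
                         "set together or both omitted")
    if token and not key_id:
        raise ValueError("'session_token' requires 'access_key_id' and "
                         "'secret_access_key'")

    kwargs = {'region_name': region_name}
    if key_id:
        kwargs['aws_access_key_id'] = key_id
        kwargs['aws_secret_access_key'] = secret
        if token:
            kwargs['aws_session_token'] = token
    return kwargs


def make_session(aws_config, region_name):
    """Create the session and fail early if no credentials can be resolved."""
    import boto3  # lazy import: session_kwargs() stays testable without boto3
    session = boto3.Session(**session_kwargs(aws_config, region_name))
    if session.get_credentials() is None:
        raise RuntimeError("No AWS credentials found in the config file, "
                           "the environment or an attached role")
    return session


if __name__ == '__main__':
    # Constructed sample configs: no keys (role / env vars) and static keys.
    print(session_kwargs({}, 'us-east-1'))
    print(sorted(session_kwargs({'access_key_id': 'EXAMPLE_KEY_ID',
                                 'secret_access_key': 'EXAMPLE_SECRET'},
                                'us-east-1')))
```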

Makes sense, there was a WIP in #1114 but it wasn't finished. I will check it.

@rabernat I added this patch that includes the required changes for this, and a necessary step to allow this. Feel free to try it out and provide feedback.

It works!