Boto3 cannot find credentials when using AWS_PROFILE env var
bcorijn opened this issue · 1 comments
Hi all,
I wanted to use this project to mock IAM roles for local containers, similar to the setup I run in my Kubernetes cluster. Since roles cannot take an IAM group as principal in the trust policy and I don't want to specify users on single app-roles, I wanted to use a "transitive" role to assume my application roles (my cluster does a similar setup with kiam).
So in a very simple diagram:
Local developer credentials -> iamRole DevAssume -> iamRole Application
With this setup the application roles only need to trust the DevAssume role once and there's a central point to manage which principals can assume a larger collection of roles.
I checked if the metadataproxy had such an option but that doesn't seem to be the case. Luckily the AWS CLI/SDK can do this natively, by declaring a role in your ~/.aws/config and then telling it to automatically assume that role with the AWS_PROFILE env var (cf. https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html).
However, I could not get this to work on the current Docker image. I keep getting a NoCredentialsError. A bit of debugging seems to point at the version of Boto3 installed. If I update it to latest, it does assume this role as one would expect and distribute tokens to other containers.
I made a local fork and upgraded all the pip requirements to their latest version, which still seems to work as expected. Would this be welcome as a PR? I can also include some documentation on how I set up this local environment, which relies on docker-compose networking instead of iptables rules.
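The profile chain described in the issue, as an added example that is not part of the original post: a small script that parses an ~/.aws/config file and walks the source_profile links the way the SDK must when AWS_PROFILE points at a role profile, so a broken or cyclic chain is visible before it surfaces as a NoCredentialsError. Profile names, the account id and role names are constructed, and the walk treats multi-level chaining as valid, which the issue reports works only with an up-to-date boto3.

```python
import configparser
from typing import Dict, List

# Constructed ~/.aws/config mirroring the chain in the issue:
# developer keys (default) -> DevAssume role -> Application role.
# Profile names, account id and role names are assumptions, not real values.
SAMPLE_CONFIG = """
[default]
region = eu-west-1

[profile dev-assume]
role_arn = arn:aws:iam::111111111111:role/DevAssume
source_profile = default

[profile app]
role_arn = arn:aws:iam::111111111111:role/Application
source_profile = dev-assume
"""


def load_profiles(text: str) -> Dict[str, Dict[str, str]]:
    """Parse config text into {profile_name: {key: value}}, dropping the
    'profile ' prefix that ~/.aws/config uses for non-default sections."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    profiles = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(parser[section])
    return profiles


def resolve_chain(profiles: Dict[str, Dict[str, str]], name: str) -> List[str]:
    """Follow source_profile links from `name` to the profile that must hold
    real credentials (the first one without role_arn). A missing profile,
    a role profile without source_profile, or a cycle raises ValueError."""
    chain: List[str] = []
    seen = set()
    while True:
        if name not in profiles:
            raise ValueError(f"profile '{name}' referenced but not defined")
        if name in seen:
            raise ValueError(f"source_profile cycle at '{name}'")
        seen.add(name)
        chain.append(name)
        profile = profiles[name]
        if "role_arn" not in profile:
            return chain  # reached the credential-bearing profile
        if "source_profile" not in profile:
            raise ValueError(f"role profile '{name}' has no source_profile")
        name = profile["source_profile"]
```

The last profile in the returned chain is the one that needs static keys (in ~/.aws/credentials or the environment); if it has none, the SDK fails with NoCredentialsError regardless of how the role profiles are written.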