2

ProfileConfigFileAWSCredentialsProvider, used in DefaultAWSCredentialsProviderChain, simply ignores roles in ~/.aws/config and ~/.aws/credentials. STSProfileCredentialsProvider appears as though it is meant to be used for this, but 1) it's not used in DefaultAWSCredentialsProviderChain, so you have to explicitly use it, and 2) it only reads config. #2 means that if, for example, your role-based profile specifies a source profile, and the source profile's credentials are in credentials, then STSProfileCredentialsProvider will fail to find the source profile's credentials and then won't be able to get the role's temporary credentials.

jk2607674

1 Answer

3

This is actually caused by an issue in the AWS C++ SDK where configurations with assumed roles are ignored by the DefaultCredentialsProviderChain: https://github.com/aws/aws-sdk-cpp/issues/150. However, we need to find a workaround, as this was promised to be fixed "incredibly soon" back in 2016 and still isn't fixed; in fact, the issue is now closed.

EDIT: There is another issue here https://github.com/aws/aws-sdk-cpp/issues/1330

It appears your only option is to find the active profile yourself using something like Aws::Config::GetCachedConfigProfile(Aws::Auth::GetConfigProfileName()) and then use GetRoleArn()/GetSourceProfile() and call the STS service yourself with the credentials from the source profile.

Please let me know if you find a better solution!
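The lookup that the question and answer describe, as an added example that is not part of the original posts or the SDK: it merges the contents of both ~/.aws/config and ~/.aws/credentials, then resolves a role profile to its role ARN and the source profile's static keys, which are the inputs you would hand to an STS AssumeRole call. The names mergeIni, resolve and AssumeRolePlan are hypothetical, the sample file contents are constructed, and no SDK or STS call is made.

```cpp
#include <map>
#include <sstream>
#include <stdexcept>
#include <string>

using Profiles = std::map<std::string, std::map<std::string, std::string>>;

static std::string trim(const std::string& s) {
    const auto b = s.find_first_not_of(" \t\r");
    return b == std::string::npos ? "" : s.substr(b, s.find_last_not_of(" \t\r") - b + 1);
}

// Merge one INI text into `out`. ~/.aws/config names sections "[profile x]"
// (except "[default]"); ~/.aws/credentials names the same profile "[x]".
void mergeIni(const std::string& text, bool isConfigFile, Profiles& out) {
    std::istringstream in(text);
    std::string line, section;
    while (std::getline(in, line)) {
        line = trim(line);
        if (line.empty() || line[0] == '#' || line[0] == ';') continue;
        const auto eq = line.find('=');
        if (line.front() == '[' && line.back() == ']') {
            section = trim(line.substr(1, line.size() - 2));
            if (isConfigFile && section.rfind("profile ", 0) == 0) section = trim(section.substr(8));
        } else if (eq != std::string::npos && !section.empty()) {
            out[section][trim(line.substr(0, eq))] = trim(line.substr(eq + 1));
        }
    }
}

struct AssumeRolePlan { std::string roleArn, accessKeyId, secretKey; };

// Resolve a role profile to the inputs for an STS AssumeRole call: the role ARN
// plus the source profile's static keys. Throws when any piece is missing.
AssumeRolePlan resolve(const Profiles& all, const std::string& name) {
    const auto need = [&all](const std::string& prof, const std::string& key) {
        const auto p = all.find(prof);
        if (p == all.end() || !p->second.count(key))
            throw std::runtime_error("profile '" + prof + "' lacks " + key);
        return p->second.at(key);
    };
    const std::string src = need(name, "source_profile");
    return {need(name, "role_arn"), need(src, "aws_access_key_id"), need(src, "aws_secret_access_key")};
}

// Constructed sample files: the role profile is in config, its source keys in credentials.
const std::string kConfig = "[profile deploy]\nrole_arn = arn:aws:iam::111122223333:role/Deploy\nsource_profile = base\n";
const std::string kCredentials = "[base]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\naws_secret_access_key = constructed-secret\n";

int main() { Profiles p; mergeIni(kConfig, true, p); mergeIni(kCredentials, false, p); return resolve(p, "deploy").roleArn.empty(); }
```

Merging only kConfig reproduces the failure from the question: resolve throws because the source profile's keys are never seen.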