4

I am trying to use the AWS Encryption SDK in a NestJS application; the following code shows the implementation.

import { Controller, Get } from '@nestjs/common';
import {KmsKeyringNode, encrypt} from '@aws-crypto/client-node'


@Controller('encryption')
export class EncryptionController {
  // constructor() {}
  @Get()
  async crypt() {
    const generatorKeyId = "generatior key";
    const masterKeyId = "master key id";
    const keyring = new KmsKeyringNode({keyIds:[masterKeyId], generatorKeyId: generatorKeyId});
    const plainText = "My passwords for senstive data";
    const context = {
      accountId: "100",
      purpose: "youtube demo",
      country: "Sri Lanka"
    };
    const { result } = await encrypt(keyring, plainText, { encryptionContext: context });
    console.log(result)


  }

}

But when I execute a request to see the result of my implementation, I receive the following error:

Error: connect EHOSTUNREACH 169.254.169.254:80
      at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1128:14) {
    message: 'Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1',
    errno: 'EHOSTUNREACH',
    code: 'CredentialsError',
    syscall: 'connect',
    address: '169.254.169.254',
    port: 80,
    time: 2020-06-09T11:41:47.638Z,
    originalError: {
      message: 'Could not load credentials from any providers',
      errno: 'EHOSTUNREACH',
      code: 'CredentialsError',
      syscall: 'connect',
      address: '169.254.169.254',
      port: 80,
      time: 2020-06-09T11:41:47.638Z,
      originalError: {
        message: 'EC2 Metadata roleName request returned error',
        errno: 'EHOSTUNREACH',
        code: 'EHOSTUNREACH',
        syscall: 'connect',
        address: '169.254.169.254',
        port: 80,
        time: 2020-06-09T11:41:47.637Z,
        originalError: [Object]
      }
    }
  }

However, I copied a Node.js script from this tutorial to see if it works with my AWS SDK setup and I did not receive any error; also, if I execute AWS KMS encryption methods in the CLI, I don't get any error.

I tried exporting the AWS_SDK_LOAD_CONFIG=1 variable, as I saw suggested for other similar errors.

Does anyone know what's going on?

Alfonso
  • The AWS Encryption SDK will create an AWS KMS SDK client for you. But this SDK client will need access to AWS credentials. In your case the issue is that you are not able to connect to the metadata service. The other examples may have access to credentials in some other way. https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html – ryan Jul 06 '20 at 16:57
  • I'm encountering the same issue! Where could I find my AWS_ACCESS_KEY_ID? – Carlos Ortiz Feb 24 '22 at 20:03

2 Answers

4

I had the same problem. It cost me quite a headache because I had this running in AWS Fargate and debugging is not that easy there.

The error means the JavaScript SDK cannot find the AWS credentials. Here you can see the order in which the SDK tries to load the credentials: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html

My error was quite embarrassing, I just had a typo in my environment variables. My variable was AWS_ACCESSS_KEY_ID instead of AWS_ACCESS_KEY_ID. (Quite hard to see the difference, right?)

So probably double-check the names of your environment variables (or config files).

Anton
  • 1
    This has nothing to do with the original OP answer. OP clearly states that they are loading the `profile` from `~/.aws` configuration folder... `AWS_SDK_LOAD_CONFIG=1` – Lucaci Andrei Apr 29 '21 at 17:11
1

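I resolved it with this answer.

My code:

// Load the named profile from the shared credentials file (~/.aws/credentials)
const AWS = require('aws-sdk');
var credentials = new AWS.SharedIniFileCredentials({profile: 'work-account'});
AWS.config.credentials = credentials;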

and the config file:

[work-account]
aws_access_key_id = <key with no quotes around it>
aws_secret_access_key = <key with no quotes around it>

I also ran this on the command line (Ubuntu):

export AWS_SDK_LOAD_CONFIG=1
Mark
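A pre-flight check for the misspelled-variable case described in the answers above and for the AWS_CONFIG_FILE hint in the question's error message, as an added example that is not part of the original posts. The function name checkCredentialEnv, the two-edit typo threshold and the sample values are assumptions made for illustration.

```javascript
// Added example: inspects environment variable names only; no network, no SDK.
const KNOWN_VARS = [
  'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN',
  'AWS_PROFILE', 'AWS_SDK_LOAD_CONFIG', 'AWS_CONFIG_FILE',
  'AWS_SHARED_CREDENTIALS_FILE',
];

// Levenshtein distance between two strings (two-row dynamic programming).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const subst = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, subst);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns human-readable findings for an env object (defaults to process.env).
function checkCredentialEnv(env = process.env) {
  const findings = [];
  const isSet = (name) => typeof env[name] === 'string' && env[name] !== '';
  for (const name of Object.keys(env)) {
    const upper = name.toUpperCase();
    if (!upper.startsWith('AWS_') || KNOWN_VARS.includes(name)) continue;
    // Heuristic (assumption): within 2 edits of a known name is a likely typo.
    const match = KNOWN_VARS.find((k) => editDistance(upper, k) <= 2);
    if (match) findings.push(`${name} is not read by the SDK; did you mean ${match}?`);
  }
  if (isSet('AWS_ACCESS_KEY_ID') !== isSet('AWS_SECRET_ACCESS_KEY')) {
    findings.push('AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must be set together');
  }
  // Per the error text on this page, AWS_CONFIG_FILE needs AWS_SDK_LOAD_CONFIG=1.
  if (isSet('AWS_CONFIG_FILE') && !isSet('AWS_SDK_LOAD_CONFIG')) {
    findings.push('AWS_CONFIG_FILE is set but AWS_SDK_LOAD_CONFIG is not');
  }
  return findings;
}

// Constructed sample reproducing the misspelled variable; values are placeholders.
const sampleEnv = { AWS_ACCESSS_KEY_ID: 'placeholder-id', AWS_SECRET_ACCESS_KEY: 'placeholder' };
console.log(checkCredentialEnv(sampleEnv).join('\n'));
```

Calling checkCredentialEnv() with no argument checks the real process environment, which is useful as a startup log line in a container where the SDK error alone does not say which variable is wrong.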