s3auth file doesn't work for provided credentials.

[stephen-m-shubin]

When setting: AccessKeyId and SecretAccessKey in /etc/apt/s3auth.conf we are greeted with the following error:

root/# apt-get update
Region: us-west-2
Using config file for credentials
Traceback (most recent call last):
  File "/usr/lib/apt/methods/s3", line 551, in <module>
    method = S3_method(config)
  File "/usr/lib/apt/methods/s3", line 364, in __init__
    self.iam.get_credentials()
  File "/usr/lib/apt/methods/s3", line 171, in get_credentials
    self.token = data['Token']
  File "/usr/lib/python2.7/dist-packages/configobj.py", line 554, in __getitem__
    val = dict.__getitem__(self, key)
KeyError: 'Token'

I have validated the key(s) are valid and have access.

Now I've tried this with IAM permissions assigned to an EC2 instance and that works as expected, only when I set the keys in the config do things not work as expected.

Glancing through the code it doesn't appear as though the token never gets called/created in that particular scenario. In fact the only two ways I ever see the session token being assigned is when it's read from the ENV Var:

        if data.get("AccessKeyId") is None:
            data['AccessKeyId'] = os.environ.get("AWS_ACCESS_KEY_ID", None)
            data['SecretAccessKey'] = os.environ.get(
                "AWS_SECRET_ACCESS_KEY", None)
            data['Token'] = os.environ.get("AWS_SESSION_TOKEN", None)

OR it's attempted to connect locally (when in AWS and IAM is assigned to the instance):

        if data.get("AccessKeyId") is None:
            self.__get_role()
            data = self.__request_json(urllib.parse.urljoin(self.credentials_metadata,
                                                            self.iamrole))

keep in mind my Python knowledge is minimal and this is from the best I can figure out, unless there is something I messed up on my end (possibly) however I'm just not finding out where exactly it's hung up.

Thanks,
Stephen

[greg-plume]

This is my working /etc/apt/s3.auth.conf file, note where values are quoted and where they are not quoted:

AccessKeyId = AKIAEXAMPLEEXAMPLE
SecretAccessKey = EXAMpleEXAMpleEXAMPLEexample
Region = 'us-west-2'
Token = ''

Yes, the "Token" parameter seems to be necessary, even if it's not being used. This is consistent with the "Region" parameter and not consistent with the "AccessKeyId" and "SecretAccessKey" parameters.

[jikawa-az]

Hello, I see that the next release addressing this issue has been tagged 7 days ago:
https://github.com/MayaraCloud/apt-transport-s3/releases/tag/v2.1.0

However it doesn't appear to have been released since apt-get is still vending 2.0.0.
Can we please have this version released as soon as possible? Thank you!!
@vorlock

[vorlock]

It can be release in the next couple of days in here after a bit more testing by people, but it won't find it's way to Debian anytime soon as Debian is in deep freeze we're probably around a month from the release, so it will have to wait a bit before I'm going to upload it to Debian archive.

[jikawa-az]

Understood, thanks for the update!

[jikawa-az]

Hello, any updates on this release?

[jikawa-az]

@vorlock Bump