
Default authentication flow should fail if invalid profile name is passed #2058

Closed
gdavison opened this issue Mar 20, 2023 · 3 comments · Fixed by #2309
Labels: bug (This issue is a bug.), p2 (This is a standard priority issue)

Comments

@gdavison
Contributor

Describe the bug

When the default authentication flow is used with config.LoadDefaultConfig(), providing an invalid profile name, either with config.WithSharedConfigProfile() or by setting AWS_PROFILE, does not cause an error, but falls back to trying IMDS.

Previously reported as #1591, but the proposed fix did not resolve the issue

Expected Behavior

In the AWS CLI, I get

$ AWS_PROFILE=no-such-profile aws sts get-caller-identity

The config profile (no-such-profile) could not be found

The SDK should fail with a config.SharedConfigProfileNotExistError error, or at least have the option to do so.

Current Behavior

The AWS SDK falls back to calling IMDS

Reproduction Steps

cfg, err := config.LoadDefaultConfig(ctx)

and set AWS_PROFILE to an invalid profile name

or

cfg, err := config.LoadDefaultConfig(ctx, config.WithSharedConfigProfile("no-such-profile"))

Possible Solution

No response

Additional Information/Context

No response

AWS Go SDK V2 Module Versions Used

github.com/aws/aws-sdk-go-v2 v1.13.0, github.com/aws/aws-sdk-go-v2/config v1.13.1

and

github.com/aws/aws-sdk-go-v2 v1.17.6, github.com/aws/aws-sdk-go-v2/config v1.18.18

Compiler and Version used

go version go1.20.2 darwin/arm64

Operating System and version

N/A

@gdavison gdavison added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 20, 2023
@RanVaknin
Contributor

RanVaknin commented Mar 21, 2023

Hi @gdavison ,

Thanks for opening the issue. I'm able to reproduce the error.

I believe this is happening because the ResolveCredentialsFromProfile function does not have a case handling loading of non-existent profiles, and falls back to resolveEC2RoleCredentials.
Then it constructs an ec2RoleCredProvider with the user input as the role arn. When the client checks the cache for credentials, it treats it as an EC2 provider and fails with an IMDS error:

failed to retrieve credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, http response error StatusCode: 403, request to EC2 IMDS failed

I'll mark it needs-review and will discuss it with the team.
Thanks,
Ran~

@RanVaknin RanVaknin self-assigned this Mar 21, 2023
@RanVaknin RanVaknin added needs-review This issue or pull request needs review from a core team member. p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Mar 21, 2023
@RanVaknin RanVaknin added queued This issue is on the AWS team's backlog and removed needs-review This issue or pull request needs review from a core team member. labels May 4, 2023
@lucix-aws lucix-aws assigned lucix-aws and unassigned RanVaknin Oct 10, 2023
@lucix-aws lucix-aws removed the queued This issue is on the AWS team's backlog label Oct 10, 2023
@lucix-aws
Contributor

FYI we've decided that this is safe to do by default since the caller is explicitly asking for something that isn't in their config. Additionally the only "success" scenario here with the current behavior would be if you happen to have IMDS available beyond the misconfiguration, which we think is both unlikely and also probably not desired.
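As an added illustration, not code from the SDK or from anyone in this thread, the Go program below models the three things discussed above: the reporter's reproduction (an explicitly named profile that does not exist), the fall-through into the IMDS path that RanVaknin traces, and the fix lucix-aws describes (fail when the caller explicitly asks for a profile that is not in their config). It assumes a hypothetical Resolver with a minimal parser for the [profile x] / key = value subset of the shared config format, a stand-in IMDS credential representing an attached instance role, and a constructed config file embedded inline; SharedConfigProfileNotExistError, ResolveLegacy, Resolve and NewExampleResolver are this example's own names, not the SDK's API.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// SharedConfigProfileNotExistError is the typed error the issue asks for.
// Hypothetical definition for this example; not the SDK's own type.
type SharedConfigProfileNotExistError struct{ Profile string }

func (e SharedConfigProfileNotExistError) Error() string {
	return fmt.Sprintf("failed to get shared config profile, %s", e.Profile)
}

// Credentials records a resolved access key and which source produced it,
// so a caller can see whether it silently ended up on the IMDS path.
type Credentials struct {
	AccessKeyID string
	Source      string
}

// Resolver holds parsed shared-config profiles and an optional IMDS
// credential standing in for an instance role (nil means IMDS unavailable).
type Resolver struct {
	Profiles map[string]map[string]string
	IMDS     *Credentials
}

// ParseSharedConfig handles the [section] / key = value subset of the shared
// config format. "[profile x]" and "[default]" both become profile names.
func ParseSharedConfig(text string) map[string]map[string]string {
	profiles := map[string]map[string]string{}
	var cur map[string]string
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, "#"):
			continue
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			name := strings.TrimSpace(line[1 : len(line)-1])
			name = strings.TrimSpace(strings.TrimPrefix(name, "profile "))
			cur = map[string]string{}
			profiles[name] = cur
		case cur != nil:
			if k, v, ok := strings.Cut(line, "="); ok {
				cur[strings.TrimSpace(k)] = strings.TrimSpace(v)
			}
		}
	}
	return profiles
}

// ResolveLegacy models the behaviour reported in the issue: an absent profile
// is treated like one without static keys, and resolution falls through to IMDS.
func (r Resolver) ResolveLegacy(profile string) (Credentials, error) {
	if key := r.Profiles[profile]["aws_access_key_id"]; key != "" {
		return Credentials{AccessKeyID: key, Source: "shared config profile " + profile}, nil
	}
	if r.IMDS != nil {
		return *r.IMDS, nil
	}
	return Credentials{}, errors.New("no EC2 IMDS role found")
}

// Resolve is the fixed behaviour: a profile the caller named explicitly
// (AWS_PROFILE or WithSharedConfigProfile) must exist, or loading fails before
// any other credential source is consulted. An implicit "default" that is
// missing still falls through as before (assumption of this example).
func (r Resolver) Resolve(profile string, explicit bool) (Credentials, error) {
	if _, ok := r.Profiles[profile]; !ok && explicit {
		return Credentials{}, fmt.Errorf("failed to load config: %w",
			SharedConfigProfileNotExistError{Profile: profile})
	}
	return r.ResolveLegacy(profile)
}

// NewExampleResolver builds a resolver over a constructed config file and a
// pretend instance role, so the example runs without any AWS access.
func NewExampleResolver() Resolver {
	const sample = `
[default]
aws_access_key_id = AKIADEFAULTEXAMPLE00
aws_secret_access_key = not-a-real-secret

[profile prod]
aws_access_key_id = AKIAPRODEXAMPLE00000
aws_secret_access_key = not-a-real-secret
`
	return Resolver{
		Profiles: ParseSharedConfig(sample),
		IMDS:     &Credentials{AccessKeyID: "ASIAINSTANCEROLE0000", Source: "EC2 IMDS"},
	}
}

func main() {
	r := NewExampleResolver()
	// Typo in the profile name, as in the issue's reproduction steps.
	c, _ := r.ResolveLegacy("no-such-profile")
	fmt.Printf("legacy: %s via %s\n", c.AccessKeyID, c.Source)

	_, err := r.Resolve("no-such-profile", true)
	var notFound SharedConfigProfileNotExistError
	if errors.As(err, &notFound) {
		fmt.Printf("strict: %v (profile %q)\n", err, notFound.Profile)
	}
}
```

The legacy path is the security-relevant part: on an EC2 host, a typo in AWS_PROFILE makes the program run as the instance role rather than the profile the operator intended, with no error to notice, which is the "not desired" outcome the maintainers describe. The strict path returns a typed error that errors.As still matches after wrapping, so callers can distinguish a misnamed profile from a genuine lack of credentials.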
