The simplest AWS_PROFILE doesn't even work about serverless-better-credentials HOT 7 CLOSED

Just FYI, the following patch to serverless solved all my problems

diff --git a/node_modules/serverless/bin/serverless.js b/node_modules/serverless/bin/serverless.js
index b3f91c3..4a4b6fb 100755
--- a/node_modules/serverless/bin/serverless.js
+++ b/node_modules/serverless/bin/serverless.js
@@ -16,6 +16,12 @@ const nodeVersionMinor = Number(process.version.split('.')[1]);
 const minimumSupportedVersionMajor = 12;
 const minimumSupportedVersionMinor = 13;

+if (process.env.AWS_SDK_LOAD_CONFIG != '1') {
+  const { spawn } = require('child_process');
+  const args = [];
+  args.push(...process.execArgv, ...process.argv.slice(1));
+  spawn(process.argv[0], args, { stdio: 'inherit', env: { ...process.env, AWS_SDK_LOAD_CONFIG: '1' } });
+} else {
 if (
   nodeVersionMajor < minimumSupportedVersionMajor ||
   (nodeVersionMajor === minimumSupportedVersionMajor &&
@@ -124,3 +130,4 @@ require('../lib/cli/triage')().then((cliName) => {
       throw new Error(`Unrecognized CLI name "${cliName}"`);
   }
 });
+}

from serverless-better-credentials.

FWIW I have it set in my ~/.zshrc, as it only comes back to bite you when you run javascript scripts using the aws-sdk locally.

I get why they do it that way, although I appreciate it's confusing. There's a whole variety of fun flags &c. that exist surrounding credentials in AWS; scars from multiple design choices and workarounds and extensions throughout the ages.

For example - you can have named profiles in ~/.aws/credentials (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html); although most keys are technically only valid in the config file - but the javascript aws-sdk just treats them interchangeably. You can also specify where these files are using AWS_SHARED_CREDENTIALS_FILE; and they all have random (/badly documentet) precedents.

Even worse - you shouldn't prefix the name of a profile with profile if you want it to be read by the java aws-sdk, but if you don't you run in to problems other languages.

Like all good, old, evolving systems, it's a mess 😄 . My main aim with this plugin was just to make that mess consistent across the aws-sdk and serverless so people don't have to work around things twice.

from serverless-better-credentials.

Hmm - that is interesting because it is working for me.

➜ DP_STAGE=development AWS_PROFILE=iamadmin-general  ../../node_modules/.bin/serverless info --verbose
✔ serverless-better-credentials: credentials resolved from config ini profile: AWS_PROFILE (iamadmin-general)

Something which I'm suspicious of - do you have AWS_SDK_LOAD_CONFIG set in your enviornment?

Perhaps you could share the output of:

AWS_SDK_LOAD_CONFIG=1 AWS_PROFILE=profile1 sls info --verbose

from serverless-better-credentials.

Nope:

$ echo $AWS_SDK_LOAD_CONFIG

from serverless-better-credentials.

AWS_SDK_LOAD_CONFIG=1 AWS_PROFILE=profile1 sls info --verbose correctly loads credentials.

from serverless-better-credentials.

Cool - then that explains it then.

AWS_SDK_LOAD_CONFIG must be truthy if you're using a ~/.aws/config file instead of the credentials file with any javascript tooling. (docs)

It is actually mentioned on the project readme:

Take note that if you are using SSO with the approach AWS document (a shared .aws/config file) you'll also need to set the AWS_SDK_LOAD_CONFIG enviornment value to something truthy (e.g. AWS_SDK_LOAD_CONFIG=1), as described in the AWS SDK documentation.

So I'm going to close this on a 'the simplest of documentation doesn't even get read' 😉 technicality.

Jokes aside - though - happy to take a PR if you have a better way of formatting the readme to make it more obvious to people who haven't encountered that quirk of the AWS + javascript toolkits before; StackOverflow attests to you not being the only one.

from serverless-better-credentials.

Ooof, it was probably created just to prevent nodejs servers from reading stuff in the filesystem.
We are talking about a cli tool, I cannot see how it shouldn't be always set to 1.
But ok. Thanks.

P.S. profiles always exist in ~/.aws/config only.

from serverless-better-credentials.