When role-based authentication is used without sweet_xml installed, AuthCache crashes but error message is not helpful #37

Open
guisehn opened this issue Sep 12, 2023 · 0 comments · May be fixed by #36

guisehn commented Sep 12, 2023

Environment

  • Elixir & Erlang versions (elixir --version): Elixir 1.12.3 / OTP 23
  • ExAws version mix deps |grep ex_aws: 2.2.3
  • HTTP client version. IE for hackney do mix deps | grep hackney: 1.17.4

Current behavior

Having sweet_xml installed is required for role-based authentication.

Right now, if the user doesn't have sweet_xml installed and they use role-based authentication, the AuthCache process crashes because ExAws.STS.AuthCache.AssumeRoleWebIdentityAdapter.get_security_credentials/2 raises:

[error] GenServer ExAws.Config.AuthCache terminating
** (KeyError) key :access_key_id not found in: "<AssumeRoleWithWebIdentityResponse xmlns=\"https://sts.amazonaws.com/doc/2011-06-15/\">
  <AssumeRoleWithWebIdentityResult>
    <Audience>sts.amazonaws.com</Audience>
    <AssumedRoleUser>
      <AssumedRoleId>[redacted]</AssumedRoleId>
      <Arn>[redacted]</Arn>
    </AssumedRoleUser>
    <Provider>[redacted]</Provider>
    <Credentials>
      <AccessKeyId>[redacted]</AccessKeyId>
      <SecretAccessKey>[redacted]</SecretAccessKey>
      <SessionToken>[redacted]</SessionToken>
      <Expiration>[redacted]</Expiration>
    </Credentials>
    <SubjectFromWebIdentityToken>[redacted]</SubjectFromWebIdentityToken>
  </AssumeRoleWithWebIdentityResult>
  <ResponseMetadata>
    <RequestId>[redacted]</RequestId>
  </ResponseMetadata>
</AssumeRoleWithWebIdentityResponse>
". If you are using the dot syntax, such as map.field, make sure the left-hand side of the dot is a map
    (ex_aws_sts 2.3.0) lib/ex_aws/sts/auth_cache/assume_role_web_identity_adapter.ex:32: ExAws.STS.AuthCache.AssumeRoleWebIdentityAdapter.get_security_credentials/2
    (ex_aws 2.4.2) lib/ex_aws/config/auth_cache.ex:83: ExAws.Config.AuthCache.attempt_credentials_refresh/5
    (ex_aws 2.4.2) lib/ex_aws/config/auth_cache.ex:73: ExAws.Config.AuthCache.refresh_awscli_config/3
    (ex_aws 2.4.2) lib/ex_aws/config/auth_cache.ex:50: ExAws.Config.AuthCache.handle_call/3
    (stdlib 3.17.2) gen_server.erl:721: :gen_server.try_handle_call/4
    (stdlib 3.17.2) gen_server.erl:750: :gen_server.handle_msg/6
    (stdlib 3.17.2) proc_lib.erl:226: :proc_lib.init_p_do_apply/3
Last message (from #PID<0.2246.0>): {:refresh_awscli_config, "default", 30000}

This happens because when sweet_xml is not installed, ExAws.STS.Parsers silently becomes a no-op, returning its input as the output.

AssumeRoleWebIdentityAdapter expects that ExAws.STS.Parsers will transform the XML string to a map. When sweet_xml is not installed, it receives a string and fails with this error message, which is not very useful and is difficult to troubleshoot.

Expected behavior

When sweet_xml is not installed, we could improve the library to crash with a useful error message that helps troubleshooting. This will result in a better developer experience.
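
One way to produce the clearer failure asked for above, as an added Elixir example (not code from ex_aws_sts, the issue author, or the linked pull request). The module name `StsBodyGuard`, the function `fetch_credentials!/1` and every key name other than `:access_key_id` are assumptions. It also keeps the raw body out of the error text, because that body carries the `SecretAccessKey` and `SessionToken` elements shown in the log above.

```elixir
defmodule StsBodyGuard do
  @moduledoc """
  Hypothetical guard (not part of ex_aws_sts): checks the shape of an STS
  response body before any credential field is read from it.
  """

  # Only :access_key_id appears in the issue; the other key names are assumed.
  @required [:access_key_id, :secret_access_key, :session_token, :expiration]

  # Parsed body: a map that must carry every credential field.
  def fetch_credentials!(%{} = body) do
    case Enum.reject(@required, &Map.has_key?(body, &1)) do
      [] ->
        Map.take(body, @required)

      missing ->
        raise ArgumentError, "parsed STS response is missing keys: #{inspect(missing)}"
    end
  end

  # Unparsed body: the parser was a no-op and handed the XML string back.
  def fetch_credentials!(body) when is_binary(body) do
    hint =
      if Code.ensure_loaded?(SweetXml) do
        "the XML parser returned its input unchanged"
      else
        "the sweet_xml dependency is not installed; add it to deps in mix.exs"
      end

    # Report only the size: the raw XML contains the secret key and session token.
    raise RuntimeError,
          "role-based authentication needs a parsed STS response, got a " <>
            "#{byte_size(body)}-byte string (#{hint})"
  end
end

# Constructed sample inputs with placeholder values.
parsed = %{access_key_id: "AKIDEXAMPLE", secret_access_key: "placeholder",
           session_token: "placeholder", expiration: "2023-09-12T00:00:00Z"}
raw = "<AssumeRoleWithWebIdentityResponse>...</AssumeRoleWithWebIdentityResponse>"

IO.inspect(Map.keys(StsBodyGuard.fetch_credentials!(parsed)))

try do
  StsBodyGuard.fetch_credentials!(raw)
rescue
  e in RuntimeError -> IO.puts(Exception.message(e))
end
```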
