Rusoto automatic providers do not apply source_profile or role_arn
Other AWS CLI tools (including the official Python awscli) automatically switch to the role defined by the role_arn in the ~/.aws/credentials file. Rusoto should automatically do this when using either
For example, my ~/.aws/credentials file contains:
[default]
aws_access_key_id = AKIAEXAMPLEACCESSKEY
aws_secret_access_key = Secret/Access/Key
[sandbox]
role_arn = arn:aws:iam::123456789012:role/some-role
source_profile = default
export AWS_PROFILE=sandbox, commands like aws s3 ls and all the rest work as expected, showing me the contents from the sandbox role's view of things.
This does not work with any Rusoto providers. I had to copy the aws_secret_access_key definitions into the sandbox profile definition for anything to work, and even then, the role_arn wasn't applied so I had to figure out how to use an
It would be really nice if the default ChainProvider sorted this out for me, or even the ProfileProvider because what's the point of loading the profile if we don't load it correctly?
Answer questions zeapo
This is more difficult than it would seem at first because the STS API calls necessary are in rusoto_sts, which ultimately depends on rusoto_credential, and we can't have a circular dependency. This is why there are some credential providers in rusoto_sts, but none of them read from the profile (yet).
@iliana I started working on a solution where parsing the profile checks for all potential keys defined by the credentials' spec and exposes them in a hash. Then an StsProfileCredentialsProvider would take a ProfileProvider and do the job of assuming the profile requested in the latter.
User-friendliness-wise, we can't automatically guess if the rusoto_sts crate was added (as far as my Rust knowledge goes). Therefore we can't mimic other SDKs (such as Java, which uses STS if the jar is in the classpath). Therefore, the user will have to manually rely on the StsProfileCredentialsProvider, which ofc will default to ProfileCredentialsProvider if the selected profile is indeed a simple credentials profile and does not need to assume a role.
I'll open a PR this weekend or next week when it's finished.
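
The profile resolution discussed in this thread, as an added example that is not code from Rusoto or from the PR mentioned above: it parses every key of each profile into a map, then decides whether a profile supplies static keys or needs an STS AssumeRole on top of its source_profile, rejecting missing or circular source_profile links. The names `Resolved`, `parse_profiles` and `resolve` and the `loop-a`/`loop-b` profiles are assumptions, and only role_arn, source_profile and the two static key entries are handled.

```rust
use std::collections::HashMap;
type Profiles = HashMap<String, HashMap<String, String>>;

// Resolution plan: which profile's static keys to start from, then which roles to assume.
#[derive(Debug, PartialEq)]
enum Resolved {
    Static { profile: String },
    AssumeRole { role_arn: String, source: Box<Resolved> },
}

// Parse INI-style text into profile name -> (key -> value), keeping every key.
fn parse_profiles(text: &str) -> Profiles {
    let mut out = Profiles::new();
    let mut current: Option<String> = None;
    for line in text.lines().map(str::trim).filter(|l| !l.starts_with('#')) {
        if let Some(name) = line.strip_prefix('[').and_then(|l| l.strip_suffix(']')) {
            current = Some(name.trim().to_string());
            out.entry(name.trim().to_string()).or_default();
        } else if let (Some(p), Some((k, v))) = (&current, line.split_once('=')) {
            out.get_mut(p).unwrap().insert(k.trim().to_string(), v.trim().to_string());
        }
    }
    out
}

// Follow source_profile links; `seen` rejects cycles such as a -> b -> a.
fn resolve(profiles: &Profiles, name: &str, seen: &mut Vec<String>) -> Result<Resolved, String> {
    if seen.iter().any(|s| s == name) { return Err(format!("source_profile cycle at [{}]", name)); }
    seen.push(name.to_string());
    let p = profiles.get(name).ok_or_else(|| format!("profile [{}] not found", name))?;
    let has_keys = p.contains_key("aws_access_key_id") && p.contains_key("aws_secret_access_key");
    match (p.get("role_arn"), p.get("source_profile")) {
        (Some(arn), Some(src)) => resolve(profiles, src, seen)
            .map(|s| Resolved::AssumeRole { role_arn: arn.clone(), source: Box::new(s) }),
        (Some(_), None) => Err(format!("[{}]: role_arn without source_profile", name)),
        (None, _) if has_keys => Ok(Resolved::Static { profile: name.to_string() }),
        _ => Err(format!("[{}]: neither role_arn nor static keys", name)),
    }
}

// Constructed sample: the file from the issue plus two profiles that point at each other.
const SAMPLE: &str = "[default]\naws_access_key_id = AKIAEXAMPLEACCESSKEY\naws_secret_access_key = Secret/Access/Key\n\
[sandbox]\nrole_arn = arn:aws:iam::123456789012:role/some-role\nsource_profile = default\n\
[loop-a]\nrole_arn = arn:aws:iam::123456789012:role/a\nsource_profile = loop-b\n\
[loop-b]\nrole_arn = arn:aws:iam::123456789012:role/b\nsource_profile = loop-a\n";

fn main() {
    println!("{:?}", resolve(&parse_profiles(SAMPLE), "sandbox", &mut Vec::new()));
}
```

The plan names the profile that holds the static keys instead of copying the secret, so printing or logging it does not expose credentials.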