Credential Chain documentation is not accurate #4076

Open
hsiam261 opened this issue Apr 6, 2024 · 0 comments
Labels: bug, credentials, documentation, investigating, p2

hsiam261 commented Apr 6, 2024

Description

This is what is written in the documentation:
"4. Shared credential file (~/.aws/credentials)
5. AWS config file (~/.aws/config)"

They should be swapped. I tested it out. Also that's the order in which they read the credentials in botocore. (https://github.com/boto/botocore/blob/1be45c52cf3b743186f9191e7f53d66eefae23cd/botocore/session.py#L427)

Also, in the definition of the Assume Role provider, they say that it reads from the ~/.aws/config or ~/.aws/credentials file, which is accurate. Then why is it mentioned again in the provider chain?

My understanding is that this should be the provider chain:

  • parameters in the boto.client()
  • parameters when creating a Session
  • Environment variables
    • AWS_ACCESS_KEY_ID
    • AWS_SECRET_ACCESS_KEY
    • AWS_SECURITY_TOKEN or AWS_SESSION_TOKEN
  • $AWS_CONFIG_FILE or ~/.aws/config
  • $AWS_SHARED_CREDENTIALS_FILE or ~/.aws/credentials
  • Web Identity Provider
    • AWS_WEB_IDENTITY_TOKEN_FILE
    • AWS_ROLE_ARN
    • AWS_ROLE_SESSION_NAME
  • /etc/boto.cfg and ~/.boto
  • Container Provider
    • AWS_CONTAINER_CREDENTIALS_FULL_URI
    • AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
  • IMDS
My proposed credential chain is based on my reading of botocore.credentials.create_credential_resolver function (https://github.com/boto/botocore/blob/1be45c52cf3b743186f9191e7f53d66eefae23cd/botocore/credentials.py#L65)

Links

https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html
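
One way to check the order on a given machine, as an added example that is not part of the original issue or of botocore's own code: it asks botocore for its resolver's provider list and reports which provider is selected and which populated ones are shadowed. `resolution_report` and its default `skip` values (the `METHOD` names of the container and IMDS providers) belong to this example; explicit client and Session parameters are applied before this chain and do not appear in it.

```python
"""Report which botocore credential provider wins in this environment."""


def botocore_providers():
    # Lazy import so the reporting logic below works without botocore installed.
    import botocore.session
    resolver = botocore.session.Session().get_component("credential_provider")
    return resolver.providers  # list, in the order the resolver consults them


def resolution_report(providers, skip=("container-role", "iam-role")):
    """Return [(method, status)] in chain order.

    status: 'selected' (first provider that yields credentials), 'shadowed'
    (also yields credentials, but an earlier provider wins), 'empty',
    'skipped' (not probed) or 'error: <exception type>'.
    Secret values are never returned or printed.
    """
    report, winner_found = [], False
    for provider in providers:
        method = getattr(provider, "METHOD", type(provider).__name__)
        # Network-backed providers are skipped by default. Extend `skip` for
        # any other provider whose load() has side effects you do not want
        # (for example one that runs a configured external command).
        if method in skip:
            report.append((method, "skipped"))
            continue
        try:
            creds = provider.load()
        except Exception as exc:  # e.g. partial or malformed configuration
            report.append((method, f"error: {type(exc).__name__}"))
            continue
        if creds is None:
            status = "empty"
        elif winner_found:
            status = "shadowed"
        else:
            status, winner_found = "selected", True
        report.append((method, status))
    return report


if __name__ == "__main__":
    rows = resolution_report(botocore_providers())
    for position, (method, status) in enumerate(rows, 1):
        print(f"{position:2d}. {method:28s} {status}")
```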

@hsiam261 hsiam261 added documentation This is a problem with documentation. needs-triage This issue or PR still needs to be triaged. labels Apr 6, 2024
@hsiam261 hsiam261 changed the title (short issue description) Credential Chain documentation is not accurate Credential Chain documentation is not accurate Apr 6, 2024
@RyanFitzSimmonsAK RyanFitzSimmonsAK self-assigned this Apr 9, 2024
@RyanFitzSimmonsAK RyanFitzSimmonsAK added bug This issue is a confirmed bug. investigating This issue is being investigated and/or work is in progress to resolve the issue. p2 This is a standard priority issue credentials and removed needs-triage This issue or PR still needs to be triaged. labels Apr 9, 2024