aws-sdk-js-v3: type checking error with `fromEnv` in @aws-sdk/credential-providers

It is incorrect to say that fromEnv wouldn’t work in the browser environment, it is common for environment variables to be placed into process.env via build processes. The use case is for local development work flows - it is a huge burden to users of software to need to figure out how to set up something such as IAM to get a ‘hello world’ working.

Due to security concerns, it is highly recommended against guiding people towards hard coding strings directly into their code bases. Within Amazon, we are actually strictly forbidden from even suggesting this within our example repositories or code samples.

For this reason we need a good path forward on these local development use cases.

Additionally, for any credential-providers which are intentionally not supported in the browser, they should be:

• documented (of which these omissions are not)
• throw an error, with an intelligible message, rather than simply being omitted from the bundles which causes lots of confusion.

I have just encountered this same issue. I don’t really understand the logic of not including fromEnv / fromProcess / fromIni in the exports for the browser version.

How do frontend developers ensure that environment variables are removed when pushing to production?

Using AWS, we can inject secrets into the environment of containerized applications at runtime. This is even the recommended practice with ECS according to the documentation. We can also make the environmental variables accessible from containers by mapping the environmental variables of an EC2 from EB to the container using docker-compose according to the EB developer’s guide. It’s not a stretch to use an entrypoint script in a container to retrieve the secrets from the environment (as described in the documentation) and place them in a credentials file which the React application can access.

I would also like to emphasize @diehbria 's comment:

If the decision is made not to include these, I think it should be considered to have the credential providers throw errors at run time which point towards the documentation and explain these aren’t supported.

My question then becomes, what is the recommendation from AWS if we’re not able to import fromEnv / fromProcess / fromIni in a containerized React application?

The existing error clearly mentions fromEnv is not exported for browser environment. The users shouldn’t try to import credential provider not available in their environment.

Which is not documented, and clearly many people think this is an accidental bug, as evident by this ticket. This method of communicating the API is not a good design, because the library still exports them as typescript types.

Environment variables in the front end:

• https://create-react-app.dev/docs/adding-custom-environment-variables/
• https://www.npmjs.com/package/rollup-plugin-inject-process-env
• https://webpack.js.org/plugins/environment-plugin/ this is not a CRA specific thing, every modern front-end build system has ability to inject process.env. It’s used commonly for local development configurations.

We don’t export fromEnv in browser environments, as they don’t have an environment to read variables from. Similar use case for fromIni which reads from configuration files, which do not exist in browser environments.

For a browser application, you need to use one of the following credential providers: fromCognitoIdentity, fromCognitoIdentityPool, fromTemporaryCredentials, fromWebToken

@sudhirjena @justenau Can you explain you use case where you plan to read credentials from environment or configuration files in the browser? If you’re using server side rendering in your React application, does any configuration need to be set to use Node.js code from dependencies?

Receiving the same error but for fromIni as well