serverless: Assumed role not found when defined in ~/.aws/config

This is a Bug report

Description

When using assumed roles that are defined in ~/.aws/config, sls doesn’t find the role passed in via the --aws-profile argument.

For bug reports:

  • What went wrong? Running the command failed with error that the profile doesn’t exist.

  • What did you expect should have happened? Command should have executed.

  • What was the config you used? ~/.aws/config

[profile wf-web]
source_profile = cloud-admin
role_arn = arn:aws:iam::xxxxxxxxx:role/admin
  • What stacktrace or error message from your provider did you see?

~/.aws/credentials

[cloud-admin]
aws_access_key_id = xxxxxx
aws_secret_access_key =  xxxxxxxx
aws_session_token = xxxxxxxxx
aws_security_token = xxxxxxxxx

Similar or dependent issues: None found

Additional Data

  • Serverless Framework Version you’re using: 1.27.3
  • Operating System: Mac OSX 10.13.5
  • Stack Trace:
  Stack Trace --------------------------------------------
 
Error: Profile wf-web does not exist
    at Object.addProfileCredentials (/usr/local/lib/node_modules/serverless/lib/plugins/aws/provider/awsProvider.js:86:15)
    at AwsProvider.getCredentials (/usr/local/lib/node_modules/serverless/lib/plugins/aws/provider/awsProvider.js:312:12)
    at AwsProvider.request (/usr/local/lib/node_modules/serverless/lib/plugins/aws/provider/awsProvider.js:199:30)
    at AwsDeploy.create (/usr/local/lib/node_modules/serverless/lib/plugins/aws/deploy/lib/createStack.js:39:26)
From previous event:
    at AwsDeploy.BbPromise.bind.then.catch (/usr/local/lib/node_modules/serverless/lib/plugins/aws/deploy/lib/createStack.js:87:14)
From previous event:
    at AwsDeploy.createStack (/usr/local/lib/node_modules/serverless/lib/plugins/aws/deploy/lib/createStack.js:80:13)
From previous event:
    at Object.aws:deploy:deploy:createStack [as hook] (/usr/local/lib/node_modules/serverless/lib/plugins/aws/deploy/index.js:108:10)
    at BbPromise.reduce (/usr/local/lib/node_modules/serverless/lib/classes/PluginManager.js:372:55)
From previous event:
    at PluginManager.invoke (/usr/local/lib/node_modules/serverless/lib/classes/PluginManager.js:372:22)
    at PluginManager.spawn (/usr/local/lib/node_modules/serverless/lib/classes/PluginManager.js:390:17)
    at AwsDeploy.BbPromise.bind.then (/usr/local/lib/node_modules/serverless/lib/plugins/aws/deploy/index.js:101:48)
From previous event:
    at Object.deploy:deploy [as hook] (/usr/local/lib/node_modules/serverless/lib/plugins/aws/deploy/index.js:97:10)
    at BbPromise.reduce (/usr/local/lib/node_modules/serverless/lib/classes/PluginManager.js:372:55)
From previous event:
    at PluginManager.invoke (/usr/local/lib/node_modules/serverless/lib/classes/PluginManager.js:372:22)
    at PluginManager.run (/usr/local/lib/node_modules/serverless/lib/classes/PluginManager.js:403:17)
    at variables.populateService.then (/usr/local/lib/node_modules/serverless/lib/Serverless.js:102:33)
    at runCallback (timers.js:696:18)
    at tryOnImmediate (timers.js:667:5)
    at processImmediate (timers.js:649:5)
    at process.topLevelDomainCallback (domain.js:121:23)
From previous event:
    at Serverless.run (/usr/local/lib/node_modules/serverless/lib/Serverless.js:89:74)
    at serverless.init.then (/usr/local/lib/node_modules/serverless/bin/serverless:42:50)

  • Provider Error messages:
  Error --------------------------------------------------
 
  Profile wf-web does not exist

Workaround is to copy the config section for the profile into ~/.aws/credentials, removing the word “profile” from the section header as:

[wf-web]
source_profile = cloud-admin
role_arn = arn:aws:iam::xxxxxxxxx:role/admin

Note: we are using the gimme-aws-creds project at https://github.com/Nike-Inc/gimme-aws-creds

See forum thread https://forum.serverless.com/t/problem-with-using-assumed-roles-to-deploy/4729 for more info

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 23
  • Comments: 19 (1 by maintainers)

Most upvoted comments

Seems to work okay without adding those values to your credentials file if you add this to your local system level env variables.

AWS_SDK_LOAD_CONFIG=1

It appears that a patch was provided to solve this issue, but not documented in this thread. If you set this env var for your serverless run, it should use the correct profile.

AWS_SDK_LOAD_CONFIG=true

Still having problems in 1.36.3 with assume role

  • Using AWS_SDK_LOAD_CONFIG=1 does not work
  • Copy-pasting role_arn, source_profile to ~/.aws/credentials results in serverless binary crash (outputs nothing at all)

@hojatbay the aws cli is implemented in python and uses boto3/botocore. This feature (i.e. ability to use credential_source) exists in botocore and thus it works for the aws cli.

@hojatbay the problem is not a serverless one. It lies upstream, in the aws javascript sdk. Using credential_source is not implemented in the aws-js-sdk (only in boto3) at the moment. There is an open feature request however: https://github.com/aws/aws-sdk-js/issues/1916.

Still not working for me. Tried both config and credentials files and no luck. ~/.aws/config file:

[profile production]
role_arn = arn:aws:iam::50459568343:role/cross-account-role
region = us-east-1
credential_source = EcsContainer

Running aws s3 ls --profile production succeeds.

Running serverless deploy --aws-profile production --stage prod fails: profile production does not exist!

Ok, found it: https://github.com/aws/aws-sdk-js/issues/1916. It’s currently not supported in the SDK. That’s a bummer, had the same with the Go SDK. They are adding features on the CLI, but hardly any SDK supports those new features 😦

Believe support for this was added in #5432
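
Added example (not part of the thread, and not aws-sdk-js or Serverless code): a simplified Node.js model of the profile lookup described in the issue and comments, showing why `wf-web` is invisible until ~/.aws/config is loaded via AWS_SDK_LOAD_CONFIG or the section is copied into ~/.aws/credentials. The function names, the merge precedence and the returned messages other than the "does not exist" error are assumptions of this sketch; the sample file contents reuse the page's placeholder values.

```javascript
// Added example: simplified model of shared-file profile lookup (not aws-sdk-js code).
// Sample files mirror the issue; values are the page's placeholders.
const CONFIG = '[profile wf-web]\nsource_profile = cloud-admin\nrole_arn = arn:aws:iam::xxxxxxxxx:role/admin\n';
const CREDENTIALS = '[cloud-admin]\naws_access_key_id = xxxxxx\naws_secret_access_key = xxxxxxxx\n';

// Minimal INI parser: returns { sectionName: { key: value } }.
function parseIni(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) { current = sections[header[1].trim()] = {}; continue; }
    const eq = line.indexOf('=');
    if (current && eq > 0) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return sections;
}

// Profiles the lookup can see. ~/.aws/config is read only when AWS_SDK_LOAD_CONFIG
// is set, and its sections are named "profile <name>"; credentials sections are bare.
function visibleProfiles(credentialsText, configText, env) {
  const profiles = {};
  if (env.AWS_SDK_LOAD_CONFIG) {
    for (const [name, body] of Object.entries(parseIni(configText))) {
      profiles[name.replace(/^profile\s+/, '')] = { ...body };
    }
  }
  // Assumption of this model: credentials-file keys override config-file keys.
  for (const [name, body] of Object.entries(parseIni(credentialsText))) {
    profiles[name] = { ...profiles[name], ...body };
  }
  return profiles;
}

// Explain how a profile would resolve, or why not (credential_source per the thread).
function diagnose(profileName, credentialsText, configText, env = {}) {
  const profiles = visibleProfiles(credentialsText, configText, env);
  const p = profiles[profileName];
  if (!p) return `Profile ${profileName} does not exist`;
  if (p.role_arn && p.credential_source) return 'unsupported: credential_source';
  if (p.role_arn) {
    return profiles[p.source_profile]
      ? `assume ${p.role_arn} via ${p.source_profile}`
      : `source_profile ${p.source_profile} not found`;
  }
  return p.aws_access_key_id ? 'static keys' : 'no credentials in profile';
}
console.log(diagnose('wf-web', CREDENTIALS, CONFIG, process.env));
```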