serverless: serverless AWS temporary credentials are not working

Are you certain it’s a bug?

  • Yes, it looks like a bug

Is the issue caused by a plugin?

  • It is not a plugin issue

Are you using the latest v3 release?

  • Yes, I’m using the latest v3 release

Is there an existing issue for this?

  • I have searched existing issues, it hasn’t been reported yet

Issue description

I’m trying to upload an image to S3 from my Laravel project using Bref and serverless, but I’m getting an error message that says “The AWS Access Key Id you provided does not exist in our records.” This means that the credentials that I’m using to access S3 are not valid or recognized by AWS. After some research I found this on the serverless website: “How it works: Serverless Dashboard uses an AWS Access Role to access your AWS account. Then, it creates temporary AWS access keys to authenticate the serverless CLI on every command.”

Ideally I don’t need to include the credentials in serverless.yml or even .env files (already tried), so how do I get these temporary credentials (that start with ASIA) to work, or how do I force it to use the long-term credentials (that start with AKIA)?

The serverless.yml file is:

Service configuration (serverless.yml) content

service: test-Demo

provider:
  name: aws
  profile: default
  # The AWS region in which to deploy (us-east-1 is the default)
  region: us-east-1
  # The stage of the application, e.g. dev, production, staging… ('dev' is the default)
  stage: dev
  runtime: provided.al2
  apiGateway:
    binaryMediaTypes:
      - '*/*'
  environment:
    BREF_BINARY_RESPONSES: '1'
    # environment variable for Laravel
    FILESYSTEM_DISK: s3
    FILESYSTEM_DRIVER: s3
    AWS_BUCKET: !Ref Storage
    APP_ENV: 'dev'
    DB_HOST: 'xxxx'
    DB_HOST_2: 'xxxx'

  iam:
    role:
      statements:
        # Allow Lambda to read and write files in the S3 buckets
        - Effect: Allow
          Action: s3:*
          Resource:
            - !Sub '${Storage.Arn}' # the storage bucket
            - !Sub '${Storage.Arn}/*' # and everything inside

package:
  # Directories to exclude from deployment
  patterns:
    - '!node_modules/**'
    - '!public/storage'
    - '!resources/assets/**'
    - '!tests/**'

custom:
  lift:
    assets:
      path: public
      url: /

functions:
  # This function runs the Laravel website/API
  web:
    handler: public/index.php
    timeout: 28 # in seconds (API Gateway has a timeout of 29 seconds)
    layers:
      - ${bref:layer.php-80-fpm}
      - ${bref-extra:gd-php-80} #add
    events:
      - httpApi: '*'
  # This function lets us run artisan commands in Lambda
  artisan:
    handler: artisan
    timeout: 120 # in seconds
    layers:
      - ${bref:layer.php-80} # PHP
      - ${bref:layer.console} # The "console" layer
    events:
      - schedule:
          description: Running the Laravel Scheduler (schedule:run) each minute
          rate: rate(1 minute)
          input:
            cli: schedule:run

plugins:
  # We need to include the Bref plugin
  - ./vendor/bref/bref
  - serverless-lift
  - ./vendor/bref/extra-php-extensions  #https://github.com/brefphp/extra-php-extensions

constructs:
  website:
    type: server-side-website
    assets:
      '/css/*': public/css
      '/js/*': public/js
      '/images/*': public/images
      '/audio/*': public/audio
      '/fonts/*': public/fonts
      '/import/*': public/import
      # add here any file or directory that needs to be served from S3

resources:
  Resources:
    # Create our S3 storage bucket using CloudFormation
    Storage:
      Type: AWS::S3::Bucket

    BucketPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket: !Ref Storage
        PolicyDocument:
          Statement:
            - Sid: PublicReadGetObject
              Effect: Allow
              Principal: '*'
              Action: s3:GetObject
              Resource: !Join ['', [!GetAtt Storage.Arn, '/*']]

Command name and used flags

serverless deploy

Command output

Service deployed to stack test-Demo-dev

Environment information

Framework Core: 3.31.0
Plugin: 6.2.3
SDK: 4.3.2

About this issue

  • State: closed
  • Created a year ago
  • Reactions: 1
  • Comments: 15 (2 by maintainers)

Most upvoted comments

@kareemashraf This one:

although another problem shows up `"Invalid configuration value provided for "token"`

looks familiar too - I had exactly this error, part of my stack trace:

#0 /var/task/vendor/aws/aws-sdk-php/src/ClientResolver.php(375): Aws\\ClientResolver->invalidType()
#1 /var/task/vendor/aws/aws-sdk-php/src/AwsClient.php(222): Aws\\ClientResolver->resolve()

and I solved it by requiring a different version of aws/aws-sdk-php in my composer.json - what I currently have is this:

"bref/bref": "^1.7",
"bref/laravel-bridge": "^1.2",
"laravel/framework": "^8.75",
"league/flysystem-aws-s3-v3": "^1.0",
"aws/aws-sdk-php": "3.237.1",

NOTE - I think this is reported in another GitHub issue, see here:

https://github.com/aws/aws-sdk-php/issues/2567

Quote:

“Updated to 3.245.0 last night (he means aws/aws-sdk-php) and ever since I’m getting errors like these”

So you might get this depending on your version of aws/aws-sdk-php - 3.245 might have the issue, 3.237 not 😃

(that GitHub issue also talks about an apparently related issue in Laravel: https://github.com/laravel/framework/pull/44979 which has been fixed in Laravel 9 …)

@leob Thanks a lot, you are a life saver! 🥇 I confirm that fixes it and the ugly hack is no longer needed!

@kareemashraf

@medikoo the same creds work with AWS SDK CLI with no problems; the thing is the PHP code picks the temporary access_key provided by serverless, which is not recognised and returns the error message “The AWS Access Key Id you provided does not exist in our records.”

Root cause found, and a fix, see above … can close this GitHub issue?

@kareemashraf @WebScaffolder @medikoo I don’t know about Cloudinary - we prefer to stick with AWS as much as possible, instead of throwing in all kinds of third party services (which again cost extra $$$) … otherwise, what’s the point of using Bref and Serverless? At some point you’d be better off going with something like Supabase or Convex …

But, I found the root cause of this problem - and it’s even in the Bref docs if you read carefully - on this page:

https://bref.sh/docs/frameworks/laravel#file-storage-on-s3

What you see there is that the following should be in your config/filesystems.php file:

        's3' => [
            'driver' => 's3',
            'key' => env('AWS_ACCESS_KEY_ID'),
            'secret' => env('AWS_SECRET_ACCESS_KEY'),
            'token' => env('AWS_SESSION_TOKEN'),
            'region' => env('AWS_DEFAULT_REGION'),
            'bucket' => env('AWS_BUCKET'),
            'url' => env('AWS_URL'),
        ],

The important line here is this:

'token' => env('AWS_SESSION_TOKEN'),

That was missing in my config/filesystems.php file - because normally this isn’t there … but it’s needed to make the temp credentials work (and when running your Laravel app in a Lambda function using Bref, temp credentials are going to be used).

I think adding this line is what fixes it !

P.S. and YES - confirmed: this fixes the problem - the “ugly hack” is no longer needed !

So we could close this GitHub issue now 😃
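A check for the misconfiguration identified in the comment above, as an added example that is not part of the original thread and is not Bref, Laravel or AWS SDK code: the hypothetical helper `auditS3Disk()` takes one `s3` disk array as defined in `config/filesystems.php` and reports a temporary (`ASIA…`) key with no session token, or a long-term (`AKIA…`) key left in the config. All key, secret and token values are constructed placeholders.

```php
<?php
// Added example; auditS3Disk() is a hypothetical helper, not Laravel/Bref/AWS SDK code.
// It inspects one "s3" disk array as defined in config/filesystems.php.

function auditS3Disk(array $disk): array
{
    $key    = trim((string) ($disk['key'] ?? ''));
    $secret = trim((string) ($disk['secret'] ?? ''));
    $token  = trim((string) ($disk['token'] ?? ''));

    if ($key === '' || $secret === '') {
        return ['no static key/secret configured on this disk'];
    }

    $prefix   = substr($key, 0, 4);
    $findings = [];

    if ($prefix === 'ASIA' && $token === '') {
        // The case from this thread: a temporary key sent without its session token.
        $findings[] = 'temporary key (ASIA...) but no "token": expect '
            . '"The AWS Access Key Id you provided does not exist in our records."';
    }
    if ($prefix === 'AKIA') {
        // The "ugly hack": a long-term key stored in application config.
        $findings[] = 'long-term key (AKIA...) in config: remove it and rely on the function role';
        if ($token !== '') {
            // Happens when the token line is added but the hard-coded keys are left in place.
            $findings[] = 'long-term key paired with a session token: the pair does not match';
        }
    }
    return $findings;
}

// Constructed sample disks; every key, secret and token below is a placeholder.
$samples = [
    'token line missing' => ['driver' => 's3', 'key' => 'ASIAEXAMPLEEXAMPLE00', 'secret' => 'x'],
    'token line present' => ['driver' => 's3', 'key' => 'ASIAEXAMPLEEXAMPLE00', 'secret' => 'x',
                             'token' => 'placeholder-session-token'],
    'hard-coded keys'    => ['driver' => 's3', 'key' => 'AKIAEXAMPLEEXAMPLE00', 'secret' => 'x',
                             'token' => 'placeholder-session-token'],
];

foreach ($samples as $name => $disk) {
    $findings = auditS3Disk($disk);
    echo $name . ': ' . ($findings ? implode('; ', $findings) : 'ok') . PHP_EOL;
}
```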

I fixed it by a very ugly solution, which is adding the long-term access keys in Laravel in config/filesystems.php as:

        's3' => [
            'driver' => 's3',
            'key' => long_term_access_key,
            'secret' => long_term_secret_key,
            'region' => env('AWS_DEFAULT_REGION'),
            'bucket' => env('AWS_BUCKET'),
            'url' => env('AWS_URL'),
        ],

Hi, the same happened to me and it gives ASIA* instead of AKIA. I was thinking it’s done by Bref. How can we stop this and use the long-term access key?