
Doesn't appear to work with temporary SAML federation credentials #16

Open
zanzan42 opened this issue Nov 8, 2017 · 2 comments
@zanzan42

zanzan42 commented Nov 8, 2017

In our corporate environment, we gain access to AWS (cli tools and console) via SAML federation of our corporate identities, which are mapped to an IAM role with (in my case) administrator rights.

To use the awscli tool, we auth to an internal web page and choose to generate a temporary set of credentials, which returns export values that we paste into a terminal window before executing whatever cli commands we want to execute:

export AWS_ACCESS_KEY_ID=[redacted]
export AWS_SECRET_ACCESS_KEY=[redacted]
export AWS_SESSION_TOKEN=[redacted]

So the contents of the default profile in our local ~/.aws/config file are just region = us-west-2 (or whatever region we're usually working in). There is no explicit set of IAM credentials, because we don't use direct IAM users, but SAML federation instead.

It appears opzworks doesn't work with this methodology. When I run an opzworks berks command against a stack, it successfully finds the repo, generates a new cookbook tar, etc, but then errors on the "backup" section with a credential error and the cookbook never gets to S3.

Example end of a failed run:

```
Committing changes and pushing
On branch dev-us-east-1
Your branch is up-to-date with 'origin/dev-us-east-1'.

nothing to commit, working tree clean
Everything up-to-date

Backup
/Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/request_signer.rb:104:in `require_credentials': unable to sign request without credentials set (Aws::Errors::MissingCredentialsError)
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/s3_request_signer.rb:14:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/xml/error_handler.rb:8:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/helpful_socket_errors.rb:10:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/s3_request_signer.rb:65:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/s3_redirects.rb:15:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/retry_errors.rb:88:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/s3_dualstack.rb:32:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/s3_accelerate.rb:49:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/s3_md5s.rb:31:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/s3_expect_100_continue.rb:21:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/s3_bucket_name_restrictions.rb:12:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/s3_bucket_dns.rb:31:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/rest/handler.rb:7:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/user_agent.rb:12:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/seahorse/client/plugins/endpoint.rb:41:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/param_validator.rb:21:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/seahorse/client/plugins/raise_response_errors.rb:14:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/s3_sse_cpk.rb:19:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/s3_dualstack.rb:24:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/s3_accelerate.rb:34:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/idempotency_token.rb:18:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/param_converter.rb:20:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/seahorse/client/plugins/response_target.rb:21:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/seahorse/client/request.rb:70:in `send_request'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/seahorse/client/base.rb:207:in `block (2 levels) in define_operation_methods'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/opzworks-0.12.9/lib/opzworks/commands/berks.rb:121:in `block in run'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/opzworks-0.12.9/lib/opzworks/commands/berks.rb:48:in `each'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/opzworks-0.12.9/lib/opzworks/commands/berks.rb:48:in `run'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/opzworks-0.12.9/lib/opzworks/cli.rb:38:in `start'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/opzworks-0.12.9/bin/opzworks:10:in `<top (required)>'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/bin/opzworks:22:in `load'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/bin/opzworks:22:in `<main>'
```

Any ideas how we can get opzworks to work with temporary credentials set with export of the access key, secret key, and token environment variables?
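The credential lookup the report is asking for, as an added example that is not opzworks or aws-sdk code: a small resolver that checks the environment (where the pasted export lines land, session token included) before falling back to a profile in the shared config file, and treats an STS-style key without a token as unusable. The `Credentials` struct, the parser, the `resolve_credentials` function and the sample config text are all constructed for this illustration.

```ruby
# Added example, not opzworks code: resolve AWS credentials in the order the
# SDK's default provider chain does, so temporary SAML/STS credentials exported
# as environment variables (AWS_SESSION_TOKEN included) win over a static
# profile in ~/.aws/config. Pure Ruby, no aws-sdk dependency.
Credentials = Struct.new(:access_key_id, :secret_access_key, :session_token, :source) do
  # STS-issued access key IDs start with "ASIA" and only work with a session token.
  def temporary?
    access_key_id.to_s.start_with?('ASIA')
  end
  def valid?
    return false if access_key_id.to_s.empty? || secret_access_key.to_s.empty?
    !(temporary? && session_token.to_s.empty?)
  end
end

# Minimal parser for the shared-config INI format: "[profile foo]" (config file)
# and "[foo]" (credentials file) headers both map to profile "foo".
def parse_aws_ini(text)
  profiles = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[\s*(?:profile\s+)?([^\]]+?)\s*\]\z/))
      current = profiles[m[1]] ||= {}
    elsif current && (m = line.match(/\A([^=\s]+)\s*=\s*(.*)\z/))
      current[m[1]] = m[2]
    end
  end
  profiles
end

# Environment first (where the pasted "export" values land), then the named
# profile. nil means nothing usable was found: the MissingCredentialsError case.
def resolve_credentials(env, config_text, profile = nil)
  profile ||= env['AWS_PROFILE'] || 'default'
  if env['AWS_ACCESS_KEY_ID'] && env['AWS_SECRET_ACCESS_KEY']
    from_env = Credentials.new(env['AWS_ACCESS_KEY_ID'], env['AWS_SECRET_ACCESS_KEY'],
                               env['AWS_SESSION_TOKEN'], :environment)
    return from_env if from_env.valid?
  end
  section = parse_aws_ini(config_text).fetch(profile, {})
  from_file = Credentials.new(section['aws_access_key_id'], section['aws_secret_access_key'],
                              section['aws_session_token'], :shared_config)
  from_file.valid? ? from_file : nil
end

# Constructed sample config: a region-only default profile, as in the report.
SAMPLE_CONFIG = "[default]\nregion = us-west-2\n\n[profile static]\n" \
                "aws_access_key_id = AKIAEXAMPLE0000000000\naws_secret_access_key = example-secret\n"
```

With the region-only default profile and no session token exported, the resolver returns nil, which is exactly the state in which the SDK's request signer raises MissingCredentialsError.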

@heffergm
Contributor

heffergm commented Nov 9, 2017

This would likely require new code to instantiate a new client object, as there's a separate library in the SDK to handle SAML auth: http://docs.aws.amazon.com/sdkforruby/api/Aws/STS/Client.html

If you want to submit a pull request I'm happy to accept it.

@zanzan42
Author

Given that I'm not really a developer, I was mostly looking for confirmation that the product as it currently exists only works by reading static credentials for access key and secret key from the AWS config file, and doesn't support reading the access key, secret key, and token for temporary credentials from environment variables.
