Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Default credentials provider chain documentation doesn't look right #4347

Closed
liwadman opened this issue Nov 13, 2024 · 5 comments
Closed

Default credentials provider chain documentation doesn't look right #4347

liwadman opened this issue Nov 13, 2024 · 5 comments
Assignees
@RyanFitzSimmonsAK
Labels
bug This issue is a confirmed bug. credentials documentation This is a problem with documentation. p3 This is a minor priority issue

Comments

@liwadman
Copy link

Describe the issue

The default search list doesn't look right based on the botocore code I reviewed, and doesn't quite make sense. e.g. the sso provider would only be brought in if a profile in any location used an sso profile, and the sdk wouldn't do a specific search on existing config files for sso providers. As well the assume role provider is the implimentation of the config files e.g. the assume role provider is what's used with the relevant settings of a config file and the default profile within it.

Passing credentials as parameters in the boto3.client() method

Passing credentials as parameters when creating a Session object

Environment variables

Assume role provider

Assume role with web identity provider

AWS IAM Identity Center credential provider

Shared credential file (~/.aws/credentials)

AWS config file (~/.aws/config)

Boto2 config file (/etc/boto.cfg and ~/.boto)

Instance metadata service on an Amazon EC2 instance that has an IAM role configured.

Links

https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html
@liwadman liwadman added documentation This is a problem with documentation. needs-triage This issue or PR still needs to be triaged. labels Nov 13, 2024
@RyanFitzSimmonsAK RyanFitzSimmonsAK self-assigned this Nov 14, 2024
@RyanFitzSimmonsAK RyanFitzSimmonsAK added investigating This issue is being investigated and/or work is in progress to resolve the issue. credentials p3 This is a minor priority issue bug This issue is a confirmed bug. and removed needs-triage This issue or PR still needs to be triaged. labels Nov 14, 2024
@RyanFitzSimmonsAK
Copy link
Contributor

Hi @liwadman, thanks for reaching out. Could you clarify how you think the credentials precedence documentation should be changed? It sounds like you want the SSO provider and assume role provider removed because they are defined in the config file, is that correct?

@RyanFitzSimmonsAK RyanFitzSimmonsAK added response-requested Waiting on additional information or feedback. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Dec 3, 2024
@liwadman
Copy link
Author

There is no possible known location to search for credentials for providers like the AssumeRole and AWS IAM Identity Center credential provider. These can only be defined in profiles.

So the search order is really more like:

1)hard coded credentials
2)env vars
3)the default profile, or profile specified by environment variables
4)Web identity token file
5)container provider
6) IMDS

@RyanFitzSimmonsAK RyanFitzSimmonsAK removed the response-requested Waiting on additional information or feedback. label Jan 6, 2025
@RyanFitzSimmonsAK
Copy link
Contributor

After discussing with the SDK team, we've chosen not to change the documentation. The current precedence reflects the order that the SDK individually checks credential providers. Even if several credential providers are defined in a profile, it's worthwhile to give the additional detail of the search order. Thanks for opening this issue.

@RyanFitzSimmonsAK RyanFitzSimmonsAK closed this as not planned Won't fix, can't repro, duplicate, stale Feb 5, 2025
@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 5, 2025

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.

@liwadman
Copy link
Author

liwadman commented Feb 5, 2025

The SDK team is missig the point. Those other providers are NOT checked in a sequential order, they're only checked when explicitly configured.

example: with 0 configuration present, how would the AWS SDK discover a configuration to use the identity center configuration?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@RyanFitzSimmonsAK RyanFitzSimmonsAK

Labels
bug This issue is a confirmed bug. credentials documentation This is a problem with documentation. p3 This is a minor priority issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@RyanFitzSimmonsAK @liwadman