By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Unable to load credentials from system settings. Lambda with snapStartp Enabled

0

Good morning, I have a problem with a lambda function that, when I enable snapStart, doesn't read the AWS configuration variables. The error message is: 'Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId).' However, it works fine with snapStart set to 'none'.

Topics
ServerlessCompute
Tags
AWS LambdaAWS Lambda Snapstart
Language
English
vijarte
asked 5 months ago444 views
2 Answers
1
Accepted Answer

Hi,

When SnapStart is activated, the Java runtime automatically uses the container credentials (AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN) instead of the access key environment variables. Without SnapStart enabled it will use the environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN).

I suspect your code is setting the EnvironmentVariableCredentialsProvider credentials provider explicitly like:

Region region = Region.US_WEST_2;
DynamoDbClient ddb = DynamoDbClient.builder()
      .region(region)
      .credentialsProvider(EnvironmentVariableCredentialsProvider.create())
      .build();

If you remove .credentialsProvider(EnvironmentVariableCredentialsProvider.create()) from the builder, the SDK will find the container credentials correctly when SnapStart is enabled.

More details can be found at: https://docs.aws.amazon.com/lambda/latest/dg/snapstart-activate.html#snapstart-credentials https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials-chain.html#credentials-default

AWS
Steve
answered 5 months ago
profile picture
EXPERT
Gary Mclean
reviewed a month ago
1

+1 to what Steve has answered

Please be noted that to make AWS SDK calls from your function, Lambda generates an ephemeral set of credentials by assuming your functions execution role. These credentials are available as environment variables during your function’s invocation but when SnapStart in activated, the Java runtime automatically uses the container credentials (AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN) instead of the access key environment variables. This prevents credentials from expiring before the function is restored [1].

Therefore, it is not advisable to rely on only the environment variable credentials provider in the SDK clients when SnapStart is activated.

[+] https://docs.aws.amazon.com/lambda/latest/dg/snapstart-activate.html#snapstart-credentials

AWS
SUPPORT ENGINEER
rePost-User-2673297
answered 5 months ago
profile picture
EXPERT
Gary Mclean
reviewed a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content