"eb deploy" does not consider environment variables since 3.14.11

0

Hi everyone!

We got problems with our continuous deployment and it seems to be related to the new release. We got the following output:

    $ eb use XXX
    WARNING: Git is in a detached head state. Using branch "default".
    WARNING: Git is in a detached head state. Using branch "default".
    ERROR: CredentialsError - Operation Denied. You appear to have no credentials

The build was running with environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY set.

These variables are expected to override any configuration as documented here:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html

Seems to be a bug, doesn't it?

Cheers,

Christopher

asked 5 years ago, 887 views
5 Answers
0
Accepted Answer

Thanks for your response, and for sharing further details with me, Christopher.

  1. The bug you are experiencing introduced in 3.14.11 was unintended. We were trying to fix another credential-related problem (where the --profile argument wasn't respected in the presence of env. vars.). I apologize that it has caused your CI system to fail.

  2. The EBCLI's behaviour is to use the value for profile present in .elasticbeanstalk/config.yml even if environment variables for the same are available. During (and only during) eb init, this gets set to eb-cli by the EBCLI if a --profile is not explicitly passed. This subsequently gets set in .elasticbeanstalk/config.yml as the global profile for subsequent use (for instance, during eb use).

  3. The fix for the bug should be that the EBCLI not create an eb-cli credential pair when env. vars. for the access ID and secret key are available during eb init. This change shouldn't be a problem, however, it needs to be thought through before being committed to and made.

  4. Notwithstanding 3., for the time being, if you intend on using EBCLI 3.14.11, you can bypass the bug by setting the value for profile in .elasticbeanstalk/config.yml to null after eb init. Is eb init something you need to perform time and again on Gitlab-CI? If not, the manual change to .elasticbeanstalk/config.yml should be a one-time thing and hence feasible, even though I wish you didn't have to do it.

Thanks,
Rahul.

AWS
answered 5 years ago
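
The workaround from point 4 of the answer above, scripted as a CI pre-step. This is an added example, not part of the original answer and not EB CLI code. The function names are hypothetical, and it assumes `profile` sits directly under the top-level `global:` key of .elasticbeanstalk/config.yml, as the thread describes.

```shell
#!/bin/sh
# Added example, not EB CLI code. Function names are hypothetical.
# Assumes "profile" sits one level under the top-level "global:" key.

# Print the value of global.profile, or nothing if the key is absent.
eb_pinned_profile() {
    awk '
        /^[^ \t#]/ { in_global = ($0 ~ /^global:/) }
        in_global && /^[ \t]+profile:/ {
            sub(/^[ \t]+profile:[ \t]*/, ""); print; exit
        }' "$1"
}

# Rewrite global.profile to null, leaving every other line untouched.
eb_unpin_profile() {
    tmp=$(mktemp) || return 1
    awk '
        /^[^ \t#]/ { in_global = ($0 ~ /^global:/) }
        in_global && /^[ \t]+profile:/ {
            match($0, /^[ \t]+/)
            print substr($0, 1, RLENGTH) "profile: null"; next
        }
        { print }' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# CI guard. Returns 0 when no profile is pinned (already, or after unpinning),
# 1 when a profile is pinned but no env credentials exist (file left as is),
# 2 when the config file is missing.
eb_prepare_ci() {
    cfg=${1:-.elasticbeanstalk/config.yml}
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 2; }
    pinned=$(eb_pinned_profile "$cfg")
    case "$pinned" in ''|null|'~') return 0 ;; esac
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo "global.profile '$pinned' shadows env credentials; setting null" >&2
        eb_unpin_profile "$cfg"
    else
        echo "global.profile '$pinned' pinned, no env credentials set" >&2
        return 1
    fi
}
# Usage in the CI job, before "eb use": eb_prepare_ci || exit 1
```

Run in the job's working copy, this changes only the checked-out config file and writes no credentials to disk.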
0

Hi christopher-cp,

I am curious to know if you are continuing to see the problem. I am unable to reproduce the problem. Specifically, I have been able to verify that:

  1. The --profile argument takes precedence over everything else
  2. The environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY take precedence over everything else except --profile (that is, eb use --profile PROFILE will disregard the env. vars.)

I am curious to know what eb use --debugboto shows you? Which profile exactly do you see requests being attempted with? You can determine this through a find operation inside the terminal on the substring "AKIA".

Thanks,
Rahul.

AWS
answered 5 years ago
0

Hi Rahul,

thanks for your message!

Let me show you our deploy script (we use Gitlab-CI) first:

    - pip install awsebcli
    - mkdir -p ~/.aws
    - echo '[profile eb-cli]' >> ~/.aws/config
    # bug start: due to a bug introduced in awsebcli 3.14.11
    - echo "aws_access_key_id = $AWS_ACCESS_KEY_ID" >> ~/.aws/config
    - echo "aws_secret_access_key = $AWS_SECRET_ACCESS_KEY" >> ~/.aws/config
    # bug end
    - eb use XXX
    - eb deploy

As you can see we don't use the "--profile" flag. But: there is a profile name in ".elasticbeanstalk/config.yml" (key: "global.profile"). I guess this must also be the reason why we need to create a ".aws/config". Does the property have the highest priority? Is it handled like "--profile"?

Cheers,

Christopher

answered 5 years ago
0

Thanks Rahul for looking into this! :)

answered 5 years ago
0

Hi Christopher,

We've released the fix in 3.14.13. Let me know if the upgrade works.

Thanks,
Rahul.

AWS
answered 5 years ago
