SDK and ChainableTemporaryCredentials


Hi, I already posted my problem in:

https://stackoverflow.com/questions/73702466/chainabletemporarycredentials-getpromise-and-missing-credentials-in-config-if-u

Basically it is the following. When I use

    // AWS SDK for JavaScript v2
    const { ChainableTemporaryCredentials, WebIdentityCredentials } = require('aws-sdk');

    const credentials = new ChainableTemporaryCredentials({
        params: {
            // template literal (backticks) so the account id and role name are interpolated
            RoleArn: `arn:aws:iam::${this.accountId}:role/${this.targetRoleName}`,
            RoleSessionName: this.targetRoleName,
        },
        masterCredentials: new WebIdentityCredentials({
            RoleArn: 'arn:aws:iam::<proxyAccountId>:role/<proxyRoleName>',
            RoleSessionName: this.proxyRoleName,
            WebIdentityToken: token,
        }),
    });
    await credentials.getPromise();

with `token` being a token received from GCP cloud, do I still need some kind of AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY in my environment? I don't think so, since the idea of the token is to grant access exactly without such credentials. Right? (In the code block above I had to manipulate some characters because the code template here in the forum had some difficulties with the original 1:1 code...)

At runtime I get always an error message:

Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1

I think I don't have to use AWS_CONFIG_FILE: my application runs in GCP and just wants to access AWS via STS.

My token looks good, as far as I can assess:

    {
        "aud": <here my email address of the service account in GCP>,
        "azp": "21 digit number",
        "email": <same email as under "aud">,
        "email_verified": true,
        "exp": <10 digit number>,
        "iat": <10 digit number>,
        "iss": "https://accounts.google.com",
        "sub": "<same number as under azp>"
    }

Are my expectations wrong? What is the reason for the error message?

Best regards Thomas

2 Answers

Maybe a stacktrace is helpful.

Exception is triggered by the await credentials.getPromise() call.

answered 2 years ago

Solved it. "Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1" was totally misleading. In reality it was a problem with the field names in the GCP JWT token and the policy in AWS. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_aud

answered 2 years ago
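As an added example (not code from the question or the answer above), a pre-flight check that decodes the GCP ID token and compares its claims with the `accounts.google.com:*` StringEquals conditions of the role trust policy, so a claim/condition-key mismatch is reported by name instead of surfacing as the generic credentials error. The mapping of condition keys to token claims, the placeholder service-account email and client ID, and the sample trust policy are my assumptions, not values from the thread.

```javascript
// Added example, not from the original post: decode the GCP ID token locally
// and compare its claims with the trust policy's StringEquals conditions.
// ASSUMPTION (my reading of the IAM condition-key docs linked in the answer;
// verify there): which Google token claim each condition key is compared to.
const GOOGLE_KEY_TO_CLAIM = {
  'accounts.google.com:aud': 'azp',  // OAuth client ID (authorized party)
  'accounts.google.com:oaud': 'aud', // audience the token was issued for
  'accounts.google.com:sub': 'sub',  // stable Google account identifier
};

// Decode a JWT payload WITHOUT verifying the signature; STS does the real
// verification, this is only pre-flight diagnosis of the claim values.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected 3 segments');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// One message per Google condition the token does not satisfy; [] = all good.
function checkTrustPolicy(trustPolicy, claims) {
  const problems = [];
  for (const stmt of trustPolicy.Statement) {
    const eq = (stmt.Condition && stmt.Condition.StringEquals) || {};
    for (const [key, expected] of Object.entries(eq)) {
      const claim = GOOGLE_KEY_TO_CLAIM[key];
      if (!claim) continue; // not a Google web-identity key, skip
      const allowed = [].concat(expected); // StringEquals may list several values
      if (!allowed.includes(claims[claim])) {
        problems.push(`${key} expects ${allowed.join('|')}, token ${claim} is ${claims[claim]}`);
      }
    }
  }
  return problems;
}

// Constructed fixtures (placeholder values, shaped like the question's token).
const SA_EMAIL = 'my-sa@my-project.iam.gserviceaccount.com';
const CLIENT_ID = '123456789012345678901';
function unsignedJwt(payload) {
  const seg = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${seg({ alg: 'none', typ: 'JWT' })}.${seg(payload)}.`;
}
const SAMPLE_TOKEN = unsignedJwt({ aud: SA_EMAIL, azp: CLIENT_ID, sub: CLIENT_ID, iss: 'https://accounts.google.com' });
function trustPolicy(conditionKey, value) {
  return { Version: '2012-10-17', Statement: [{ Effect: 'Allow',
    Principal: { Federated: 'accounts.google.com' },
    Action: 'sts:AssumeRoleWithWebIdentity',
    Condition: { StringEquals: { [conditionKey]: value } } }] };
}
```

With the sample token, putting the service-account email under `accounts.google.com:aud` is reported as a mismatch (it is compared with `azp`), while the same email under `accounts.google.com:oaud` passes.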
