Add support for loading shared config

[jeskew]

This PR adds support for loading configuration from ~/.aws/config, including credentials, the default region to use, and role assumption metadata. This is an opt-in feature and will only take effect if the AWS_SDK_LOAD_CONFIG environment variable is set to something truthy.

I also added support for some configuration environment variables that we do not currently support, namely AWS_SHARED_CREDENTIALS_FILE and AWS_CONFIG_FILE, both of which will only be used if AWS_SDK_LOAD_CONFIG is set.

This should resolve #1196 as well (via AWS_SHARED_CREDENTIALS_FILE).

Resolves #1296
Resolves #1039
Resolves #993

[coveralls]

Coverage decreased (-0.02%) to 90.382% when pulling 3e73060 on jeskew:jans510-Add-AWS_CREDENTIAL_PROFILES_FILE-Environment-Variable into cd6f728 on aws:master.

[alsmola]

Anything holding back a merge here? This functionality would be really useful for compatibility with other SDKs.

[chrisradek]

Since this is private, you could treat this as a regular module instead of hanging the class on AWS. Then you won't have to do the side-effects require in node_loader.js.

[chrisradek]

Could you still get this.filename from creds.filename instead? It might still be useful to have the filename in the message, especially now that we will be looking at credentials and config.

[chrisradek]

I believe we're actually supposed to check the credentials file for region, then the config file, similar to the CLI/boto.

[chrisradek]

Should we grab defaultProfile from AWS.util.defaultProfile instead?

[chrisradek]

Can we add a test to make sure the credentials from ~/.aws/credentials is used preferentially over the credentials in ~/.aws/config if the same profile exists in both files?

[jeskew]

I'll add a test for that.

[chrisradek]

One thing I'm not clear on, does the following scenario work:

• profile in credentials file contains a roleArn and source profile
• source profile is read from config file

[jeskew]

I had to force push due to a merge conflict in AWS.util. The last commit add the ability to assume a role for a profile defined in ~/.aws/credentials even if the source profile is defined ~/.aws/config and vice versa.

[codecov-io]

Codecov Report

Merging #1391 into master will decrease coverage by 0.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #1391      +/-   ##
==========================================
- Coverage   95.35%   95.34%   -0.02%     
==========================================
  Files         176      177       +1     
  Lines        6222     6270      +48     
  Branches     1278     1293      +15     
==========================================
+ Hits         5933     5978      +45     
- Misses        289      292       +3

Impacted Files	Coverage Δ
lib/util.js	93.33% <ø> (ø)	⬆️
lib/shared_ini.js	100% <100%> (ø)
lib/node_loader.js	85.71% <100%> (-11.73%)	⬇️
lib/credentials/shared_ini_file_credentials.js	98.59% <100%> (+4.38%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 55a8f68...7528c83. Read the comment docs.

[chrisradek]

This mock can probably be removed.

[chrisradek]

Extra statement :)

[chrisradek]

I'm not sure this test is actually ensuring that the creds from profile foo are used instead of default.

What do you think about spying on AWS.STS or AWS.Credentials to get the accessKeyId that was used as the source?

[chrisradek]

Extra statement.

[et304383]

Am I to understand that the SDK currently doesn't support ~/.aws at all? Or just doesn't support using assumed roles through the ~/.aws entries, which has only recently been added to PHP and worked a while in Python?

[chrisradek]

@eric-tucker
The SDK currently sources credentials using ~/.aws/credentials by default. It actually can use assumed roles if they are defined in the credentials file. This change also allows ~/.aws/config to be used when sourcing credentials, since most of the other SDKs support this now as well.

[chrisradek]

Nit: Can we either use var i here, or declare var i at the top of the function? Just worried if we someday change i in the for loop above, then this i becomes a global.

[chrisradek]

[dotchev]

Why not load ~/.aws/confi by default as AWS CLI does?

[chrisradek]

@dotchev
We can't do that until we make a major version bump, because this could lead to the SDK loading different credentials without any code changes in consuming code. We do plan on loading ~/.aws/config by default like the CLI does when we do a major bump, but I can't give a timeline on when that will be.

[lucleray]

Hi,

This page is still confusing : https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-region.html#setting-region-config-file.

"The SDK for JavaScript automatically searches for a config file when it loads."

I understand here that I need to set AWS_SDK_LOAD_CONFIG to something truthy to get that behavior. Is this documented somewhere ?

[jeskew]

The AWS_SDK_LOAD_CONFIG environment variable is only documented on that page in the "Order of Precedence for Setting the Region" section. I'll try to get the "Using a Shared Config File" section updated to reflect this.

[lucleray]

Thanks!

[villasv]

@chrisradek any update on the version bump? Having this inconsistency for over a year is enough justification for a major release IMHO

[rezarajabii]

It would have been nice if you could add an example of using this feature. I am having issues of using assume role with JS.

[ctmlr]

This seems to be missing support for the mfa_serial option.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.