Default credentials provider chain documentation doesn't look right #4347

Open
liwadman opened this issue Nov 13, 2024 · 2 comments
Labels: bug, credentials, documentation, p3, response-requested

@liwadman

Describe the issue

The default search list doesn't look right based on the botocore code I reviewed, and doesn't quite make sense. E.g. the SSO provider would only be brought in if a profile in any location used an SSO profile, and the SDK wouldn't do a specific search on existing config files for SSO providers. As well, the assume role provider is the implementation of the config files, e.g. the assume role provider is what's used with the relevant settings of a config file and the default profile within it.

Passing credentials as parameters in the boto3.client() method

Passing credentials as parameters when creating a Session object

Environment variables

Assume role provider

Assume role with web identity provider

AWS IAM Identity Center credential provider

Shared credential file (~/.aws/credentials)

AWS config file (~/.aws/config)

Boto2 config file (/etc/boto.cfg and ~/.boto)

Instance metadata service on an Amazon EC2 instance that has an IAM role configured.

Links

https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html

@liwadman liwadman added documentation This is a problem with documentation. needs-triage This issue or PR still needs to be triaged. labels Nov 13, 2024
@RyanFitzSimmonsAK RyanFitzSimmonsAK self-assigned this Nov 14, 2024
@RyanFitzSimmonsAK RyanFitzSimmonsAK added investigating This issue is being investigated and/or work is in progress to resolve the issue. credentials p3 This is a minor priority issue bug This issue is a confirmed bug. and removed needs-triage This issue or PR still needs to be triaged. labels Nov 14, 2024
@RyanFitzSimmonsAK
Contributor

Hi @liwadman, thanks for reaching out. Could you clarify how you think the credentials precedence documentation should be changed? It sounds like you want the SSO provider and assume role provider removed because they are defined in the config file, is that correct?

@RyanFitzSimmonsAK RyanFitzSimmonsAK added response-requested Waiting on additional information or feedback. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Dec 3, 2024
@liwadman
Author

There is no possible known location to search for credentials for providers like the AssumeRole and AWS IAM Identity Center credential provider. These can only be defined in profiles.

So the search order is really more like:

1) hard coded credentials
2) env vars
3) the default profile, or profile specified by environment variables
4) Web identity token file
5) container provider
6) IMDS
