holy-lambda

Volodymyr Vizovskyy 2022-04-22T13:22:19.632819Z

Hey, everyone! I'm super thrilled about holy-lambda's architecture, and I'm loving the simplicity of the setup. However, for some reason, it's not picking up my AWS credentials. This is what I mean:

$ env | grep AWS
AWS_REGION=eu-west-1
AWS_ACCOUNT_ID=REDACTED
AWS_PROFILE=my-profile

$ aws sts get-caller-identity
{
    "UserId": "XXXXXXXXXXXXXXXXXXXXX:botocore-session-1650633544",
    "Account": "REDACTED",
    "Arn": "arn:aws:sts::REDACTED:assumed-role/my-profile/botocore-session-1650633544"
}

$ bb tasks
The following tasks are available:

[holy-lambda] AWS configuration check failed. Unable to get value from the profile: my-profile
Did you run command: aws configure?

What may I be missing?

Volodymyr Vizovskyy 2022-04-22T13:33:20.229069Z

OK, I think I know what the issue is. https://github.com/FieryCod/holy-lambda/blob/master/modules/holy-lambda-babashka-tasks/src/holy_lambda/tasks.clj#L389 you try to read "aws_access_key_id" from my ~/.aws/credentials, and fail to do so in case the profile doesn't contain one - which is exactly the case for role-based profiles, such as this one:

[my-profile]
role_arn = arn:aws:iam::REDACTED:role/my-role
source_profile = my-main-profile
region = eu-west-1

So, basically, holy-lambda doesn't support role-based profiles?

Karol Wójcik 2022-04-22T14:02:21.795489Z

Oh. You’re setting the env variables instead of having a profile.

Karol Wójcik 2022-04-22T14:02:54.285889Z

Yeah. It doesn’t, at least for now.

Karol Wójcik 2022-04-22T14:03:15.142379Z

PR with the support for this is more than welcome.

Karol Wójcik 2022-04-22T14:12:45.446769Z

FYI: you can also disable checking of AWS credentials. https://fierycod.github.io/holy-lambda/#/cli?id=cli-paths

Karol Wójcik 2022-04-22T14:14:06.530639Z

The only issue in this case will be that generating native configuration may not work as expected.

Volodymyr Vizovskyy 2022-04-22T14:15:52.806089Z

aha - thank you 😅 because, for now - I don't care; I'd like to get my lambda to work first. Will work on the whole deployment part later. Also
> you're setting the env variables
not exactly; in my ~/.aws/credentials I've got one "main" profile with the key/secret for the organization root account, and then lots of roles that can access the organization unit accounts. The joys of having one account per product! 😅