#holy-lambda
2022-04-22
Volodymyr Vizovskyy 13:04:19

Hey, everyone! I'm super thrilled about the holy-lambda's architecture, and I'm loving the simplicity of the setup. However, for some reason, it's not picking up my AWS credentials. This is what I mean:

$ env | grep AWS
AWS_REGION=eu-west-1
AWS_ACCOUNT_ID=REDACTED
AWS_PROFILE=my-profile

$ aws sts get-caller-identity
{
    "UserId": "XXXXXXXXXXXXXXXXXXXXX:botocore-session-1650633544",
    "Account": "REDACTED",
    "Arn": "arn:aws:sts::REDACTED:assumed-role/my-profile/botocore-session-1650633544"
}

$ bb tasks
The following tasks are available:

[holy-lambda] AWS configuration check failed. Unable to get value from the profile: my-profile
Did you run command: aws configure?

What may I be missing?

Volodymyr Vizovskyy 13:04:20

OK, I think I know what the issue is. https://github.com/FieryCod/holy-lambda/blob/master/modules/holy-lambda-babashka-tasks/src/holy_lambda/tasks.clj#L389 You try to read "aws_access_key_id" from my ~/.aws/credentials, and fail to do so in case the profile didn't contain one - which is the exact case of the role-based profiles, such as this one:

[my-profile]
role_arn = arn:aws:iam::REDACTED:role/my-role
source_profile = my-main-profile
region = eu-west-1

So, basically, holy-lambda doesn't support role-based profiles?

Karol Wójcik 14:04:21

Oh. You’re setting the env variables instead of having a profile.

Karol Wójcik 14:04:54

Yeah. It doesn’t, at least for now.

Karol Wójcik 14:04:15

PR with the support for this is more than welcome.

Karol Wójcik 14:04:45

FYI: you can also disable checking of AWS credentials. https://fierycod.github.io/holy-lambda/#/cli?id=cli-paths

Karol Wójcik 14:04:06

The only issue in this case will be that generating native configuration may not work as expected.

Volodymyr Vizovskyy 14:04:52

Aha - thank you 😅 because, for now - I don't care; I'd like to get my lambda to work first. Will work on the whole deployment part later. Also

> you're setting the env variables

not exactly; in my ~/.aws/credentials I've got one "main" profile with the key/secret for the organization root account, and then lots of roles that can access the organization unit accounts. The joys of having one account per product! 😅