Description
Describe the bug
I receive MissingAuthenticationTokenException when trying to get a secret using the SDK (by passing the AWS_PROFILE env), but when using the aws cli, I receive the secret (so this is not a rights issue). Why does this happen? Am I doing something wrong?
Expected Behavior
To receive the secret
Current Behavior
I receive this error:
HTTP response code: 400
Resolved remote host IP address: 52.16.54.217
Request ID: bee39fc2-b461-4075-adbd-c3b3d233e9d9
Exception name: MissingAuthenticationTokenException
Error message: Missing Authentication Token
5 response headers:
connection : close
content-length : 89
content-type : application/x-amz-json-1.1
date : Wed, 29 Mar 2023 10:11:28 GMT
x-amzn-requestid : bee39fc2-b461-4075-adbd-c3b3d233e9d9
Reproduction Steps
I'm using SDK 1.8.9 and I compiled the example for getting a secret using secretManager. I only added support for SSL certificates in the code (using openssl).
After compiling the code, I ran the executable like this:
export AWS_PROFILE=PROFILE_NAME_PLACEHOLDER
export AWS_SDK_LOG_LEVEL=6
export SSL_CERT_DIR=/etc/ssl/certs
aws_test SECRET_NAME_PLACEHOLDER
But this returned the following response (I attached the whole logs below):
HTTP response code: 400
Resolved remote host IP address: 52.16.54.217
Request ID: bee39fc2-b461-4075-adbd-c3b3d233e9d9
Exception name: MissingAuthenticationTokenException
Error message: Missing Authentication Token
5 response headers:
connection : close
content-length : 89
content-type : application/x-amz-json-1.1
date : Wed, 29 Mar 2023 10:11:28 GMT
x-amzn-requestid : bee39fc2-b461-4075-adbd-c3b3d233e9d9
I also noticed that it tries to get a token by accessing http://169.254.169.254/latest/api/token (which times out, because it's not accessible from outside), but it does that because it says that it failed to find credentials for that profile (the interesting thing is that if I run the aws cli, it retrieves the secret, check below):
[ERROR] 2023-03-29 10:11:26.488 ProcessCredentialsProvider [140282429679424] Failed to find credential process's profile: PROFILE_NAME_PLACEHOLDER
[TRACE] 2023-03-29 10:11:26.488 EC2MetadataClient [140282429679424] Calling EC2MetadataService to get token
[TRACE] 2023-03-29 10:11:26.488 EC2MetadataClient [140282429679424] Retrieving credentials from http://169.254.169.254/latest/api/token
[TRACE] 2023-03-29 10:11:26.488 CurlHttpClient [140282429679424] Making request to http://169.254.169.254/latest/api/token
But if I run the same operation using the aws cli (which uses boto3), I receive the secret:
export AWS_PROFILE=PROFILE_NAME_PLACEHOLDER
aws secretsmanager get-secret-value --secret-id SECRET_NAME_PLACEHOLDER --debug
$ aws --version
aws-cli/1.22.34 Python/3.10.6 Linux/5.19.0-35-generic botocore/1.29.36
My ~/.aws/config looks like this:
[default]
role_arn = arn:aws:iam::ID1_MASKED:role/cross-account-dev
source_profile = default
region = eu-west-1
[profile PROFILE_NAME_PLACEHOLDER]
role_arn = arn:aws:iam::ID1_MASKED:role/cross-account-dev
source_profile = default
region = eu-west-1
[profile profile2]
role_arn = arn:aws:iam::ID2_MASKED:role/cross-account-dev
source_profile = default
[profile profile3]
role_arn = arn:aws:iam::ID3_MASKED:role/cross-account-dev
source_profile = default
My ~/.aws/credentials contains this:
[default]
#aws_access_key_id = commented
#aws_secret_access_key = commented
#[default]
aws_access_key_id = AWS_ACCESS_KEY_MASKED
aws_secret_access_key = AWS_SECRET_ACCESS_KEY_MASKED
github_aws_sdk_2023-03-29-10.log
Possible Solution
No response
Additional Information/Context
No response
AWS CPP SDK version used
1.8.9
Compiler and Version used
gcc 9.5.0
Operating System and version
Ubuntu 22.04.1 LTS
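An added example, not part of the original report or of the SDK: it parses the two files as posted and lists the steps needed to reach credentials for a profile, using a simplified model of the AWS CLI's role_arn/source_profile chaining (an assumption). The function names are hypothetical; the output shows that PROFILE_NAME_PLACEHOLDER holds no keys of its own and needs an assume-role step on top of the [default] keys.

```python
import configparser

# Files as posted in the report (masked values; region and profile2/3 trimmed).
CONFIG = """\
[default]
role_arn = arn:aws:iam::ID1_MASKED:role/cross-account-dev
source_profile = default
[profile PROFILE_NAME_PLACEHOLDER]
role_arn = arn:aws:iam::ID1_MASKED:role/cross-account-dev
source_profile = default
"""
CREDENTIALS = """\
[default]
#aws_access_key_id = commented
#aws_secret_access_key = commented
#[default]
aws_access_key_id = AWS_ACCESS_KEY_MASKED
aws_secret_access_key = AWS_SECRET_ACCESS_KEY_MASKED
"""

def load_profiles(config_text, credentials_text):
    """Merge both files into {profile name: settings}."""
    profiles = {}
    for text, prefix in ((config_text, "profile "), (credentials_text, "")):
        cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
        cp.read_string(text)
        for section in cp.sections():
            # Only ~/.aws/config names its sections "[profile NAME]".
            name = section[len(prefix):] if section.startswith(prefix) else section
            profiles.setdefault(name, {}).update(cp[section])
    return profiles

def has_static_keys(p):
    return "aws_access_key_id" in p and "aws_secret_access_key" in p

def resolution_steps(profiles, name):
    """Ordered steps to credentials for `name` (simplified model, an assumption)."""
    steps, seen, target = [], set(), True
    while True:
        p = profiles.get(name, {})
        # A source profile that has keys ends the chain, even with a role_arn.
        if has_static_keys(p) and not (target and "role_arn" in p):
            return [("static-keys", name)] + steps
        if "role_arn" not in p or "source_profile" not in p:
            raise LookupError(f"no usable credentials in profile {name!r}")
        if name in seen:
            raise ValueError(f"source_profile loop at {name!r}")
        seen.add(name)
        steps.insert(0, ("assume-role", p["role_arn"]))
        name, target = p["source_profile"], False
```

A credential lookup that only reads keys stored directly under the selected profile finds none for PROFILE_NAME_PLACEHOLDER; whether SDK 1.8.9 resolves profiles that way is not stated in the report.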