Description
In our corporate environment, we gain access to AWS (cli tools and console) via SAML federation of our corporate identities, which are mapped to an IAM role with (in my case) administrator rights.
To use the awscli tool, we auth to an internal web page and choose to generate a temporary set of credentials, which returns export values that we paste into a terminal window before executing whatever cli commands we want to execute:
```sh
export AWS_ACCESS_KEY_ID=[redacted]
export AWS_SECRET_ACCESS_KEY=[redacted]
export AWS_SESSION_TOKEN=[redacted]
```
So the contents of the default profile in our local `~/.aws/config` file are just `region = us-west-2` (or whatever region we're usually working in). There is no explicit set of IAM credentials, because we don't use direct IAM users, but SAML federation instead.
It appears opzworks doesn't work with this methodology. When I run an opzworks berks command against a stack, it successfully finds the repo, generates a new cookbook tar, etc, but then errors on the "backup" section with a credential error and the cookbook never gets to S3.
Example end of a failed run:
```
Committing changes and pushing
On branch dev-us-east-1
Your branch is up-to-date with 'origin/dev-us-east-1'.
nothing to commit, working tree clean
Everything up-to-date
Backup
/Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/request_signer.rb:104:in `require_credentials': unable to sign request without credentials set (Aws::Errors::MissingCredentialsError)
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/s3_request_signer.rb:14:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/xml/error_handler.rb:8:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/helpful_socket_errors.rb:10:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/s3_request_signer.rb:65:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/s3_redirects.rb:15:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/retry_errors.rb:88:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/s3_dualstack.rb:32:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/s3_accelerate.rb:49:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/s3_md5s.rb:31:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/s3_expect_100_continue.rb:21:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/s3_bucket_name_restrictions.rb:12:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/s3_bucket_dns.rb:31:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/rest/handler.rb:7:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/user_agent.rb:12:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/seahorse/client/plugins/endpoint.rb:41:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/param_validator.rb:21:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/seahorse/client/plugins/raise_response_errors.rb:14:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/s3_sse_cpk.rb:19:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/s3_dualstack.rb:24:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/s3_accelerate.rb:34:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/idempotency_token.rb:18:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/aws-sdk-core/plugins/param_converter.rb:20:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/seahorse/client/plugins/response_target.rb:21:in `call'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/seahorse/client/request.rb:70:in `send_request'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/aws-sdk-core-2.7.16/lib/seahorse/client/base.rb:207:in `block (2 levels) in define_operation_methods'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/opzworks-0.12.9/lib/opzworks/commands/berks.rb:121:in `block in run'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/opzworks-0.12.9/lib/opzworks/commands/berks.rb:48:in `each'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/opzworks-0.12.9/lib/opzworks/commands/berks.rb:48:in `run'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/opzworks-0.12.9/lib/opzworks/cli.rb:38:in `start'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/gems/opzworks-0.12.9/bin/opzworks:10:in `<top (required)>'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/bin/opzworks:22:in `load'
	from /Users/[UserRedacted]/.chefdk/gem/ruby/2.3.0/bin/opzworks:22:in `
```
Any ideas how we can get opzworks to work with temporary credentials set with export of the access key, secret key, and token environment variables?
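The failure above comes from the S3 client being built without the environment's credentials. The Ruby below is an added illustration, not opzworks or AWS SDK code: it resolves credentials in the SDK's default order (environment first, then a profile), shows that a profile holding only `region` resolves to nothing, and checks that a temporary `ASIA…` key is accompanied by its session token before handing all three values to the SDK. The `Creds`, `resolve_credentials` and `s3_client_for` names are this example's own, and `s3_client_for` assumes aws-sdk v2 as in the trace.

```ruby
# Added example (not opzworks/SDK code): resolve credentials environment-first,
# as the SDK's default provider chain does, so an exported SAML triple is used.
Creds = Struct.new(:access_key_id, :secret_access_key, :session_token, :source) do
  # STS-issued (temporary) key IDs start with "ASIA"; IAM user keys with "AKIA".
  def temporary?
    access_key_id.to_s.start_with?('ASIA')
  end

  # A temporary key without its session token cannot sign a request.
  def valid?
    return false if access_key_id.to_s.empty? || secret_access_key.to_s.empty?
    !(temporary? && session_token.to_s.empty?)
  end
end

# Minimal INI parser for ~/.aws/credentials or ~/.aws/config text.
def parse_ini(text)
  profiles = Hash.new { |h, k| h[k] = {} }
  current = 'default'
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[\s*(?:profile\s+)?([^\]]+?)\s*\]\z/))
      current = m[1]
    elsif (m = line.match(/\A([\w-]+)\s*=\s*(.*)\z/))
      profiles[current][m[1]] = m[2]
    end
  end
  profiles
end

# Returns a Creds (check #valid? before use) or nil when nothing is configured,
# which is exactly what a profile containing only "region = ..." produces.
def resolve_credentials(env, ini_text = '', profile = 'default')
  if env['AWS_ACCESS_KEY_ID'] && env['AWS_SECRET_ACCESS_KEY']
    return Creds.new(env['AWS_ACCESS_KEY_ID'], env['AWS_SECRET_ACCESS_KEY'],
                     env['AWS_SESSION_TOKEN'], 'env')
  end
  p = parse_ini(ini_text)[profile]
  return nil unless p['aws_access_key_id'] && p['aws_secret_access_key']
  Creds.new(p['aws_access_key_id'], p['aws_secret_access_key'],
            p['aws_session_token'], "profile:#{profile}")
end

# Hand all three values to the SDK explicitly (aws-sdk v2, as in the trace):
# Aws::Credentials carries the session token; a bare key/secret pair does not.
def s3_client_for(creds, region)
  require 'aws-sdk-core'
  Aws::S3::Client.new(region: region, credentials: Aws::Credentials.new(
    creds.access_key_id, creds.secret_access_key, creds.session_token))
end
```

Calling `resolve_credentials(ENV, File.read(File.expand_path('~/.aws/credentials')))` before the backup step, and refusing to continue unless the result is `valid?`, turns the opaque `MissingCredentialsError` into a clear pre-flight message.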