Description:
When using util.exportTable with s3BucketName, mysqlsh requires an AWS access key and secret key to be present in '/home/ec2-user/.aws/config' or '/home/ec2-user/.aws/credentials'. Should they not be configured, the following error is returned:
Util.exportTable: Argument #3: The 'aws_access_key_id' setting for the profile 'default' was not found in neither '/home/ec2-user/.aws/config' nor '/home/ec2-user/.aws/credentials' files. (RuntimeError)
Issue:
While adding access keys to the config file can be done, it is best practice to use temporary credentials or roles. This reduces the risk of storing creds permanently on the system.
How to repeat:
Assign a role or set creds as Linux env vars using `export` instead of using `aws configure`.
1. Set creds as env vars (can be an IAM role or temp cred either)
$ export AWS_ACCESS_KEY_ID=MYACCESSKEY
$ export AWS_SECRET_ACCESS_KEY=MYSECRETACCESSKEY
2. verify no creds:
$ ls .aws/
config
$ cat .aws/config
[default]
output = json
region = us-east-1
3. verify role/temp creds are active:
$ aws sts get-caller-identity
{
"Account": "123456789",
"UserId": "MYACCESSKEY",
"Arn": "arn:aws:iam::123456789:user/dumperprofileUser"
}
4. Attempt to dump to S3; this returns an error because creds are not set in the config file.
MySQL mydb:3306 ssl JS > util.exportTable("sysbench.sbtest1", "dbtest1.tsv", {"s3BucketName": "my-s3-bucket"})
Util.exportTable: Argument #3: The 'aws_access_key_id' setting for the profile 'default' was not found in neither '/home/ec2-user/.aws/config' nor '/home/ec2-user/.aws/credentials' files. (RuntimeError)
Suggested fix:
In addition to '/home/ec2-user/.aws/config' or '/home/ec2-user/.aws/credentials', can the shell also accept roles or env vars? This way users have the flexibility to configure access keys OR use roles/temp credentials.
In addition to checking the above files, you can use the getCallerIdentity API call to verify if a role or access key is assigned. It should also work when creds are in the files above.
e.g.
When a role is attached:
$ aws sts get-caller-identity --profile default
{
"Account": "123456789",
"UserId": "blahblahblahuniq:i-00000100000000",
"Arn": "arn:aws:sts::123456789:assumed-role/myEc2InstanceRole/i-00000100000000"
}
When creds are provided in file or env vars:
$ aws sts get-caller-identity --profile default
{
"Account": "123456789",
"UserId": "MYACCESSKEY",
"Arn": "arn:aws:iam::123456789:user/s3dumpIAMUSER"
}
FOR NON-DEFAULT PROFILE:
$ aws sts get-caller-identity --profile dumperprofile
{
"Account": "123456789",
"UserId": "MYACCESSKEY",
"Arn": "arn:aws:iam::123456789:user/dumperprofileUser"
}
Docs:
https://docs.aws.amazon.com/cli/latest/reference/sts/get-caller-identity.html
https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html
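A sketch of the lookup order requested under "Suggested fix", as an added example that is not mysqlsh code and not part of the original report. The order (environment, then credentials file, then config file) is an assumption modelled on the AWS CLI; `resolve_credentials`, `from_ini` and `demo` are hypothetical names, and all key values are constructed placeholders.

```python
import configparser
import os
import tempfile

KEYS = ("aws_access_key_id", "aws_secret_access_key")

def from_ini(path, section):
    """Return the key pair stored in one INI section, or None if incomplete."""
    cp = configparser.ConfigParser()
    cp.read(path)  # a missing file is skipped without error
    if not cp.has_section(section) or not all(cp.has_option(section, k) for k in KEYS):
        return None
    creds = {k: cp.get(section, k) for k in KEYS}
    creds["aws_session_token"] = cp.get(section, "aws_session_token", fallback=None)
    return creds

def resolve_credentials(profile, env, credentials_path, config_path):
    """Assumed order: environment, credentials file, config file."""
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "environment", {
            "aws_access_key_id": env["AWS_ACCESS_KEY_ID"],
            "aws_secret_access_key": env["AWS_SECRET_ACCESS_KEY"],
            "aws_session_token": env.get("AWS_SESSION_TOKEN"),  # set for temp creds
        }
    creds = from_ini(credentials_path, profile)
    if creds:
        return "credentials-file", creds
    # The config file names non-default profiles "[profile <name>]".
    section = profile if profile == "default" else "profile " + profile
    creds = from_ini(config_path, section)
    if creds:
        return "config-file", creds
    return None, None  # nothing static found: an attached role would be tried next

def demo():
    """Run the resolver against constructed files mirroring the report."""
    with tempfile.TemporaryDirectory() as d:
        config, credentials = os.path.join(d, "config"), os.path.join(d, "credentials")
        with open(config, "w") as f:  # same content as the report's .aws/config
            f.write("[default]\noutput = json\nregion = us-east-1\n")
        env = {"AWS_ACCESS_KEY_ID": "MYACCESSKEY", "AWS_SECRET_ACCESS_KEY": "MYSECRETACCESSKEY"}
        with_env = resolve_credentials("default", env, credentials, config)[0]
        without_env = resolve_credentials("default", {}, credentials, config)[0]
        with open(credentials, "w") as f:  # constructed placeholder values
            f.write("[dumperprofile]\naws_access_key_id = EXAMPLEKEY\naws_secret_access_key = EXAMPLESECRET\n")
        from_file = resolve_credentials("dumperprofile", {}, credentials, config)[0]
        return with_env, without_env, from_file

if __name__ == "__main__":
    print(demo())
```

The middle result, `None`, corresponds to the state in step 4 when only the files are consulted: the config file has a `[default]` section but no key pair.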