Bug #108495 mysqlsh S3 utility validation does not accept temp creds/roles
Submitted: 15 Sep 2022 14:35 Modified: 5 Dec 2022 10:44
Reporter: Marc Reilly Email Updates:
Status: Closed Impact on me: None
Category:Shell Dump & Load Severity:S3 (Non-critical)
Version:8.0.30 OS:Any
Assigned to: CPU Architecture:Any
Tags: aws, Best practices, mysql shell, s3

[15 Sep 2022 14:35] Marc Reilly
Description:
When using util.exportTable with s3BucketName, mysqlsh requires an AWS access key and secret key to be present in '/home/ec2-user/.aws/config' or '/home/ec2-user/.aws/credentials'. Should they not be configured, the following error is returned:

Util.exportTable: Argument #3: The 'aws_access_key_id' setting for the profile 'default' was not found in neither '/home/ec2-user/.aws/config' nor '/home/ec2-user/.aws/credentials' files. (RuntimeError)

Issue:
While adding access keys to the config file can be done it is best practice to use temporary credentials or roles. This reduces the risk of storing creds permanently on the system.

How to repeat:
Assign a role or set creds as Linux env vars using EXPORT instead of using `aws configure`
1. Set creds as env vars (can be an IAM role or temp creds either)
$ export AWS_ACCESS_KEY_ID=MYACCESSKEY
$ export AWS_SECRET_ACCESS_KEY=MYSECRETACCESSKEY

2. verify no creds:
$ ls .aws/
config
$ cat .aws/config
[default]
output = json
region = us-east-1

3. verify role/temp creds are active:
$ aws sts get-caller-identity
{
    "Account": "123456789",
    "UserId": "MYACCESSKEY",
    "Arn": "arn:aws:iam::123456789:user/dumperprofileUser"
}

4. Attempt to dump to S3; you will get an error as creds are not set in the config file.
 MySQL  mydb:3306 ssl  JS > util.exportTable("sysbench.sbtest1", "dbtest1.tsv", {"s3BucketName": "my-s3-bucket"})
Util.exportTable: Argument #3: The 'aws_access_key_id' setting for the profile 'default' was not found in neither '/home/ec2-user/.aws/config' nor '/home/ec2-user/.aws/credentials' files. (RuntimeError)

Suggested fix:
In addition to '/home/ec2-user/.aws/config' or '/home/ec2-user/.aws/credentials', can the shell also accept roles or env vars? This way users have the flexibility to configure access keys OR use roles/temp credentials.

In addition to checking the above files you can use the getCallerIdentity API call to verify if a role or access key is assigned. It should also work when creds are in the files above.

e.g.
When role is attached:
$ aws sts get-caller-identity --profile default
{
    "Account": "123456789",
    "UserId": "blahblahblahuniq:i-00000100000000",
    "Arn": "arn:aws:sts::123456789:assumed-role/myEc2InstanceRole/i-00000100000000"
}

When creds are provided in file or env vars:
$ aws sts get-caller-identity --profile default
{
    "Account": "123456789",
    "UserId": "MYACCESSKEY",
    "Arn": "arn:aws:iam::123456789:user/s3dumpIAMUSER"
}

FOR NON-DEFAULT PROFILE:
$ aws sts get-caller-identity --profile dumperprofile
{
    "Account": "123456789",
    "UserId": "MYACCESSKEY",
    "Arn": "arn:aws:iam::123456789:user/dumperprofileUser"
}

Docs:
https://docs.aws.amazon.com/cli/latest/reference/sts/get-caller-identity.html
https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html
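The report's two halves, the files-only lookup that produces the error above and the suggested lookup that also honours environment variables or an attached role, side by side as an added example. This is illustrative code written for this page, not MySQL Shell's own implementation. It assumes the AWS SDK's usual resolution order (environment variables, then the credentials file, then the config file, then an attached role), models the role source as a pluggable callable instead of contacting the instance metadata service, and parses the `Arn` field of the GetCallerIdentity responses shown above to tell a static IAM user from an assumed role. The file contents are constructed to match the report's `~/.aws/config` (region only) and a credentials file carrying static keys.

```python
import configparser
from dataclasses import dataclass
from typing import Callable, Mapping, Optional

# Constructed sample file contents (not the reporter's real files): the
# report's ~/.aws/config with only a region, and a credentials file with keys.
CONFIG_ONLY_REGION = """\
[default]
output = json
region = us-east-1
"""

CREDENTIALS_WITH_KEYS = """\
[dumperprofile]
aws_access_key_id = MYACCESSKEY
aws_secret_access_key = MYSECRETACCESSKEY
"""


@dataclass(frozen=True)
class Credentials:
    access_key_id: str
    secret_access_key: str
    session_token: Optional[str]   # set for temporary (STS) credentials
    source: str                    # which link of the chain supplied them


class CredentialError(RuntimeError):
    """Raised when no credential source yields a key pair."""


def _profile_section(text: str, profile: str, is_config: bool):
    # ~/.aws/config names non-default profiles "[profile NAME]", while
    # ~/.aws/credentials names every profile plainly "[NAME]".
    parser = configparser.ConfigParser()
    parser.read_string(text)
    name = profile if (profile == "default" or not is_config) else f"profile {profile}"
    return parser[name] if parser.has_section(name) else None


def files_only(profile: str, config_text: str, credentials_text: str) -> Credentials:
    """The 8.0.30 behaviour the report describes: only the two files are consulted."""
    for text, is_config, source in ((credentials_text, False, "credentials-file"),
                                    (config_text, True, "config-file")):
        sec = _profile_section(text, profile, is_config)
        if sec is not None and "aws_access_key_id" in sec and "aws_secret_access_key" in sec:
            return Credentials(sec["aws_access_key_id"], sec["aws_secret_access_key"],
                               sec.get("aws_session_token"), source)
    raise CredentialError(
        f"no 'aws_access_key_id' for profile '{profile}' in config or credentials file")


def resolve(profile: str, env: Mapping[str, str], config_text: str, credentials_text: str,
            role_provider: Optional[Callable[[], Optional[Credentials]]] = None) -> Credentials:
    """Suggested behaviour: env vars first, then the files, then an attached role.
    Assumption: this mirrors the AWS SDK default chain; role_provider stands in
    for the instance-metadata lookup a real implementation would perform."""
    key, secret = env.get("AWS_ACCESS_KEY_ID"), env.get("AWS_SECRET_ACCESS_KEY")
    if key and secret:
        # Temporary credentials carry a session token alongside the key pair.
        return Credentials(key, secret, env.get("AWS_SESSION_TOKEN"), "env")
    try:
        return files_only(profile, config_text, credentials_text)
    except CredentialError:
        if role_provider is not None:
            creds = role_provider()
            if creds is not None:
                return creds
        raise


def classify_caller(arn: str) -> dict:
    """Split the Arn of a GetCallerIdentity response into account, principal
    kind ('user' for static keys, 'assumed-role' for a role) and principal name."""
    parts = arn.split(":", 5)
    if len(parts) != 6:
        raise ValueError(f"not an ARN: {arn}")
    resource = parts[5].split("/")
    return {"account": parts[4], "kind": resource[0], "name": resource[1]}


if __name__ == "__main__":
    env = {"AWS_ACCESS_KEY_ID": "MYACCESSKEY", "AWS_SECRET_ACCESS_KEY": "MYSECRETACCESSKEY"}
    print(resolve("default", env, CONFIG_ONLY_REGION, "").source)   # env
    print(classify_caller("arn:aws:sts::123456789:assumed-role/myEc2InstanceRole/i-00000100000000"))
```

The `files_only` path reproduces the failure in the report: with keys only in the environment and a config file that holds nothing but a region, it raises. `resolve` succeeds on the same input because the environment is consulted first, and falls through to `role_provider` when neither the environment nor the files carry a key pair. `classify_caller` is the check the report proposes after resolution: an `assumed-role` principal means temporary credentials are in play, a `user` principal means static keys, so a tool can log which it is running under without ever needing the keys to sit in a file.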
[5 Dec 2022 10:44] Edward Gilmore
Posted by developer:
 
Added the following note to the MySQL Shell 8.0.32 release notes:

It is now possible to configure MySQL Shell's AWS S3 support with AWS environment variables. For more
information, see S3-compatible Storage
(https://dev.mysql.com/doc/mysql-shell/8.0/en/mysql-shell-cloud-service-configuration.html#...).

The command line option s3Region was added to the dump and load utilities. This option enables you to define the 
AWS region from the command line. For more information, see MySQL Shell Utilities
(https://dev.mysql.com/doc/mysql-shell/8.0/en/mysql-shell-utilities.html).