fix: issue with aws credentials not being passed in correctly #1266
+44
−22
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Findings: When assuming an IAM role, it’s required by the AWS credentials chain to supply the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, as well as AWS_SESSION_TOKEN. Previously, we did not pass the AWS_SESSION_TOKEN into the credentials chain. I updated the code to do so. Additionally, fix another issue with AWS_PROFILE and SSO. There is now separate logic for when AWS_PROFILE is passed in that will use the credentials chain to grab the SSO token from disk (not available in WASM).
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
![ellipsis-dev[bot]](https://avatars.githubusercontent.com/in/64358?s=60&v=4){kind=small}
There was a problem hiding this comment.
👍 Looks good to me! Reviewed everything up to bf6fc64 in 13 seconds
More details
- Looked at
150lines of code in3files - Skipped
0files when reviewing. - Skipped posting
1drafted comments based on config settings.
1. integ-tests/python/pyproject.toml:23
- Draft comment:
Thepatchelfdependency was removed, but this change is not mentioned in the PR description. Ensure that this removal is intentional and won't affect the build or tests. - Reason this comment was not posted:
Comment did not seem useful.
Workflow ID: wflow_3s2dnsisE8SqGCOR
You can customize Ellipsis with 👍 / 👎 feedback, review rules, user-specific overrides, quiet mode, and more.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue
Lendflow caught a bug where they were getting the error
The security token included in the request is invalidwhen calling the baml client functions within the playground as well as their local environment while trying to use an assumed role. They were setting theAWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEYbut did not have the ability to also setAWS_SESSION_TOKENwhich is required in the aws credentials chain.Root cause and fix
When assuming an IAM role, it’s required by the AWS credentials chain to supply the
AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY, as well asAWS_SESSION_TOKEN. Previously, we did not pass theAWS_SESSION_TOKENinto the credentials chain. I updated the code to do so.Additionally, I fixed another issue with
AWS_PROFILEand SSO. There is now separate logic for whenAWS_PROFILEis passed in that will use the credentials chain to grab the SSO token from disk (not available in WASM).Important
Fixes AWS credentials issue by including
AWS_SESSION_TOKENand handlingAWS_PROFILEfor SSO.AWS_SESSION_TOKENin credentials chain inaws_bedrock.rsandaws_client.rs.AWS_PROFILEfor SSO inaws_client.rs.UnresolvedAwsBedrockandResolvedAwsBedrockstructs inaws_bedrock.rsto includesession_tokenandprofile.AwsClient::client_anyhow()inaws_client.rsto set credentials provider withsession_token.patchelfdependency frompyproject.toml.This description was created by
for bf6fc64. It will automatically update as commits are pushed.