Description
Describe the bug
For our Jenkins builds, we have AWS config where there is an "agent" profile that uses a web-identity role, and other profiles that assume their own roles based on this source - in particular one is for ECR to get authentication to push built images. When using the CLI we can get an ECR auth-token just fine. But if our Gradle script that includes the Java SDK tries to do the same thing, it errors saying the source profile (aka "agent") does not have permission to do the ECR call.
Manually specifying a ProfileCredentialsProvider, or building WebIdentityTokenFileCredentialsProvider / StsProfileCredentialsProvider chains, works as expected.
Expected Behavior
Generically: if the CLI works for an operation, then the equivalent Java SDK should as well.
In this particular case: the DefaultCredentialsProvider should properly resolve authentication when specifying a PROFILE with a RoleARN and SourceProfile, where the SourceProfile has a RoleARN and WebIdentityTokenFile.
Current Behavior
Trying to do an operation the named/child profile is allowed to do, but the parent/source is not, fails with an error that the parent/source is not allowed to do the operation.
Reproduction Steps
Note: This example will be for ECR just for concreteness.
Given a .config file that looks like:

```ini
[profile agent]
role_arn=arn:aws:iam::12345
web_identity_token_file=/var/run/secrets/identity-token
[profile ecr]
role_arn=arn:aws:iam::67890
source_profile=agent
```
And setting AWS_PROFILE=ecr, then the following Java code will fail:
```java
import software.amazon.awssdk.services.ecr.EcrClient;
import software.amazon.awssdk.services.ecr.model.AuthorizationData;

private static AuthorizationData getEcrAuthToken() {
    // Default builder: credentials come from DefaultCredentialsProvider, which reads AWS_PROFILE=ecr
    EcrClient ecrClient = EcrClient.builder().build();
    try {
        return ecrClient.getAuthorizationToken().authorizationData().get(0);
    } finally {
        ecrClient.close();
    }
}
```
...with an error like:
User: arn:aws:sts::12345/aws-sdk-java-0000 is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action (Service: Ecr, Status Code: 400, Request ID: xxxxx)
Possible Solution
As a workaround, since we know we are using profiles, building the client with `builder().credentialsProvider(ProfileCredentialsProvider.builder().build())` makes it work.
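The explicit chain the description says works, written out as an added example (not the reporter's code): the agent identity from the web-identity token file, the ecr role assumed from it, and a caller-identity check before the ECR call so a chain that silently resolved to the source profile fails loudly instead. The region, the session names and the class name are assumptions; the role ARNs and token path are the placeholders from the report.

```java
import java.nio.file.Paths;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.WebIdentityTokenFileCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.ecr.EcrClient;
import software.amazon.awssdk.services.ecr.model.AuthorizationData;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

public class ExplicitEcrCredentials {
    // Mirrors the [profile agent] / [profile ecr] entries above; ARNs are the report's placeholders.
    private static final String AGENT_ROLE_ARN = "arn:aws:iam::12345";
    private static final String ECR_ROLE_ARN = "arn:aws:iam::67890";
    private static final String TOKEN_FILE = "/var/run/secrets/identity-token";
    private static final String ECR_SESSION = "jenkins-ecr";
    private static final Region REGION = Region.US_EAST_1; // assumption: use the build's region

    /** Step 1: the "agent" identity, exchanged from the web-identity token file via STS. */
    static AwsCredentialsProvider agentCredentials() {
        return WebIdentityTokenFileCredentialsProvider.builder()
                .roleArn(AGENT_ROLE_ARN)
                .roleSessionName("jenkins-agent")
                .webIdentityTokenFile(Paths.get(TOKEN_FILE))
                .build();
    }

    /** Step 2: the "ecr" role, assumed with the agent credentials as the source. */
    static AwsCredentialsProvider ecrCredentials(AwsCredentialsProvider source) {
        StsClient sts = StsClient.builder().region(REGION).credentialsProvider(source).build();
        return StsAssumeRoleCredentialsProvider.builder()
                .stsClient(sts)
                .refreshRequest(AssumeRoleRequest.builder()
                        .roleArn(ECR_ROLE_ARN).roleSessionName(ECR_SESSION).build())
                .build();
    }

    /** Fetches the ECR token only after confirming the chain really resolved to the ecr role. */
    static AuthorizationData getEcrAuthToken() {
        AwsCredentialsProvider ecrCreds = ecrCredentials(agentCredentials());
        try (StsClient sts = StsClient.builder().region(REGION).credentialsProvider(ecrCreds).build()) {
            // An assumed-role ARN ends with the requested session name; anything else means the
            // call would run as the source (agent) identity, which is the failure reported above.
            String arn = sts.getCallerIdentity().arn();
            if (!arn.endsWith("/" + ECR_SESSION)) {
                throw new IllegalStateException("unexpected caller identity: " + arn);
            }
        }
        try (EcrClient ecr = EcrClient.builder().region(REGION).credentialsProvider(ecrCreds).build()) {
            return ecr.getAuthorizationToken().authorizationData().get(0);
        }
    }
}
```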
Additional Information/Context
No response
AWS Java SDK version used
2.17.209
JDK version used
11.0.6
Operating System and version
openjdk:11-jdk-stretch