AWS role based access is not working #210

Closed
jazz-mobility opened this issue Jan 15, 2020 · 9 comments

jazz-mobility commented Jan 15, 2020

Bug Report

Our company uses Azure-based AWS login (SSO), and we use AWS named profiles.
CMD tool for AWS login - https://github.com/sportradar/aws-azure-login
After a successful login, it writes credentials with a temporary access token, plus a config, into the .aws folder.
Whenever I run rome upload/download, I get this error:

```
Error: could not download Alamofire : The AWS Access Key Id you provided does not exist in our records.
Error: could not download Alamofire.dSYM : The AWS Access Key Id you provided does not exist in our records.
```

Generated AWS credentials file sample:

```ini
[myprofile]
aws_access_key_id=[someKey]
aws_secret_access_key=[someSecretKey]
aws_session_token=[temporaryToken]
aws_expiration=2020-01-15T17:19:01.000Z
```

Generated AWS config file sample:

```ini
[profile myprofile]
azure_tenant_id=[someID]
azure_app_id_uri=[samlURL]
azure_default_username=[myCompanyEmail]
azure_default_role_arn=[RoleARN]
azure_default_duration_hours=12
azure_default_remember_me=true
```

Steps which explain the enhancement or reproduce the bug

  1. Create role-based access in AWS with a temporary access token and without a source profile
  2. Try rome upload

Current behavior

Rome is not reading the temporary session token.

Suggested behavior

Should work fine as AWS role-based access is common practice in companies.

Rome version:

[0.23.1.61 - Romam uno die non fuisse conditam.]

OS and version:

[macOS Catalina, Version 10.15.2]

tmspzz (Owner) commented Jan 16, 2020

@jazz-mobility thanks for reporting. Session tokens are not currently supported.

You have 3 options:

  1. wait
  2. use STS
  3. implement your own engine

tmspzz (Owner) commented Jan 16, 2020

Not sure what these keys prefixed with azure are, but they don't seem to be compatible with AWS to me. Escalation via role_arn should work.

jazz-mobility (Author) commented

@tmspzz We are using STS with session tokens. I added role_arn and got this error.
The AWS Access Key Id you provided does not exist in our records.

tmspzz (Owner) commented Jan 17, 2020

The support for STS is detailed in #175 and implemented in #179.

Here is the current implementation:

Rome/src/Lib.hs, lines 89 to 150 in 5ba4eec:

```haskell
getAWSEnv :: (MonadIO m, MonadCatch m) => ExceptT String m AWS.Env
getAWSEnv = do
  region      <- discoverRegion
  endpointURL <- runMaybeT . exceptToMaybeT $ discoverEndpoint
  profile     <- T.pack . fromMaybe "default" <$> liftIO
    (lookupEnv (T.unpack "AWS_PROFILE"))
  credentials <-
    runExceptT $ (AWS.credentialsFromFile =<< getAWSCredentialsFilePath) `catch` \(e :: IOError) -> ExceptT . return . Left . show $ e
  config <-
    runExceptT $ (AWS.configFromFile =<< getAWSConfigFilePath) `catch` \(e :: IOError) -> ExceptT . return . Left . show $ e
  (auth, _) <-
    AWS.catching AWS._MissingEnvError AWS.fromEnv $ \envError -> either
      throwError
      (\cred -> do
        let finalProfile = fromMaybe
              profile
              (eitherToMaybe $ AWS.sourceProfileOf profile =<< config)
        let
          authAndRegion =
            (,)
              <$> mapLeft
                    (\e ->
                      T.unpack envError
                        ++ ". "
                        ++ e
                        ++ " in file ~/.aws/credentials"
                    )
                    (AWS.authFromCredentilas finalProfile =<< credentials)
              <*> pure (pure region)
        liftEither authAndRegion
      )
      credentials
  manager <- liftIO (Conduit.newManager Conduit.tlsManagerSettings)
  ref     <- liftIO (newIORef Nothing)
  let roleARN    = eitherToMaybe $ AWS.roleARNOf profile =<< config
  let currentEnv = AWS.Env region
                           (\_ _ -> pure ())
                           (AWS.retryConnectionFailure 3)
                           mempty
                           manager
                           ref
                           auth
  case roleARN of
    Just role -> newEnvFromRole role currentEnv
    Nothing   -> return
      $ AWS.configure (maybe S3.s3 s3EndpointOverride endpointURL) currentEnv

newEnvFromRole :: MonadIO m => T.Text -> AWS.Env -> ExceptT String m AWS.Env
newEnvFromRole roleARN currentEnv = do
  assumeRoleResult <-
    liftIO
    $ AWS.runResourceT
    . AWS.runAWS currentEnv
    $ AWS.send
    $ STS.assumeRole roleARN "rome-cache-operation"
  let maybeAuth = AWS.Auth <$> assumeRoleResult ^. STS.arrsCredentials
  case maybeAuth of
    Nothing ->
      throwError
      $  "Could not create AWS Auth from STS response: "
      ++ show assumeRoleResult
    Just newAuth -> return $ currentEnv & AWS.envAuth .~ newAuth
```

I think this is the problem:

```haskell
authFromCredentilas :: T.Text -> CredentialsFile -> Either String AWS.Auth
authFromCredentilas profile credentials = AWS.Auth <$> authEnv
 where
  accessKeyId     = T.encodeUtf8 <$> accessKeyIdOf profile credentials
  secretAccessKey = T.encodeUtf8 <$> secretAccessKeyOf profile credentials
  authEnv =
    AWS.AuthEnv
      <$> (AWS.AccessKey <$> accessKeyId)
      <*> (AWS.Sensitive . AWS.SecretKey <$> secretAccessKey)
      <*> pure Nothing
      <*> pure Nothing
```

The current implementation gets the token and expiration from the STS response, not from the file.
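As an added illustration (not Rome's code, and not part of the thread), here is a Python sketch of what the credentials-file reader above would need to do: keep aws_session_token and aws_expiration from the profile instead of dropping them, and flag the exact failure the report hits, an STS-issued access key (ASIA prefix, a documented AWS convention) presented without its session token. The credentials text is constructed and the values are fakes.

```python
import configparser
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed ~/.aws/credentials text shaped like the report's; values are fakes.
SAMPLE_CREDENTIALS = """
[myprofile]
aws_access_key_id = ASIACONSTRUCTEDTEMPORARY
aws_secret_access_key = constructed-secret
aws_session_token = constructed-session-token
aws_expiration = 2020-01-15T17:19:01.000Z

[tokenless]
aws_access_key_id = ASIACONSTRUCTEDTEMPORARY
aws_secret_access_key = constructed-secret
"""

@dataclass(frozen=True)
class AuthEnv:
    access_key_id: str
    secret_access_key: str
    session_token: Optional[str]  # mandatory companion of an STS access key
    expiration: Optional[datetime]

def parse_aws_time(value: str) -> datetime:
    # aws_expiration is ISO 8601 with a trailing Z; fromisoformat wants +00:00.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def auth_from_credentials(profile: str, text: str) -> AuthEnv:
    """Read one profile, keeping aws_session_token and aws_expiration instead of
    discarding them as the quoted authFromCredentilas does."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if profile not in cp:
        raise KeyError(f"profile {profile!r} not found in credentials file")
    sec = cp[profile]
    exp = sec.get("aws_expiration")
    return AuthEnv(sec["aws_access_key_id"], sec["aws_secret_access_key"],
                   sec.get("aws_session_token"),
                   parse_aws_time(exp) if exp else None)

def diagnose(profile: str, text: str, now_iso: str) -> str:
    auth = auth_from_credentials(profile, text)
    # An ASIA key sent without its token looks like an unknown key to AWS.
    if auth.access_key_id.startswith("ASIA") and not auth.session_token:
        return "temporary access key without aws_session_token"
    if auth.expiration is not None and parse_aws_time(now_iso) >= auth.expiration:
        return "credentials expired at " + auth.expiration.isoformat()
    return "ok"
```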

tmspzz (Owner) commented Jan 18, 2020

jazz-mobility (Author) commented

Thanks for the quick fix @tmspzz, this is fixed now. 🎉

jazz-mobility (Author) commented

@tmspzz Waiting for the final release to roll out this amazing tool in our iOS team. :)

tmspzz (Owner) commented Jan 27, 2020

@jazz-mobility the release is out on Homebrew, coming up ASAP on CocoaPods.

tmspzz (Owner) commented Jan 27, 2020

https://github.com/tmspzz/Rome/releases/tag/v0.23.2.63 is now out on both Homebrew and CocoaPods.

tmspzz closed this as completed Jan 27, 2020