Not so forthcoming/consistent error when aws credentials are not provided in an assume role scenario #2763

Closed
claudijd opened this issue Aug 14, 2017 · 4 comments

@claudijd

I am running from the brew install version of awscli that points to head on a Mac (installed via brew install awscli --HEAD) as of this morning.

When attempting to verify my AWS credentials (but with my credentials not provided), I get a helpful error...

$ aws s3 ls
Unable to locate credentials. You can configure credentials by running "aws configure".

However, when trying to do something else with the awscli, I get a rather brief indication of what might be the issue, but it's not very direct...

$ aws --profile INSERT_PROFILE_NAME s3 ls

'aws_access_key_id'

If we run the same command with --debug, we can get the full stack trace...

$ aws --debug --profile infosec-dev-read s3 ls
2017-08-14 16:29:56,285 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/1.11.134 Python/2.7.10 Darwin/14.5.0 botocore/1.6.1
2017-08-14 16:29:56,285 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['--debug', '--profile', 'infosec-dev-read', 's3', 'ls']
2017-08-14 16:29:56,285 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_scalar_parsers at 0x103760578>
2017-08-14 16:29:56,285 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x10341bed8>
2017-08-14 16:29:56,286 - MainThread - botocore.credentials - DEBUG - Skipping environment variable credential check because profile name was explicitly set.
2017-08-14 16:29:56,286 - MainThread - botocore.hooks - DEBUG - Event building-command-table.s3: calling handler <function add_waiters at 0x103768668>
2017-08-14 16:29:56,286 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.s3.anonymous: calling handler <function uri_param at 0x1032b5b18>
2017-08-14 16:29:56,286 - MainThread - botocore.hooks - DEBUG - Event building-command-table.ls: calling handler <function add_waiters at 0x103768668>
2017-08-14 16:29:56,287 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.paths: calling handler <function uri_param at 0x1032b5b18>
2017-08-14 16:29:56,287 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.human-readable: calling handler <function uri_param at 0x1032b5b18>
2017-08-14 16:29:56,287 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.ls: calling handler <awscli.argprocess.ParamShorthandParser object at 0x10376d650>
2017-08-14 16:29:56,287 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.page-size: calling handler <function uri_param at 0x1032b5b18>
2017-08-14 16:29:56,287 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.anonymous: calling handler <function uri_param at 0x1032b5b18>
2017-08-14 16:29:56,287 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.request-payer: calling handler <function uri_param at 0x1032b5b18>
2017-08-14 16:29:56,287 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.summarize: calling handler <function uri_param at 0x1032b5b18>
2017-08-14 16:29:56,287 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.ls: calling handler <awscli.argprocess.ParamShorthandParser object at 0x10376d650>
2017-08-14 16:29:56,287 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2017-08-14 16:29:56,288 - MainThread - botocore.credentials - DEBUG - Retrieving credentials via AssumeRole.
2017-08-14 16:29:56,288 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
  File "/usr/local/Cellar/awscli/HEAD-0be721e/libexec/lib/python2.7/site-packages/awscli/clidriver.py", line 200, in main
    return command_table[parsed_args.command](remaining, parsed_args)
  File "/usr/local/Cellar/awscli/HEAD-0be721e/libexec/lib/python2.7/site-packages/awscli/customizations/commands.py", line 190, in __call__
    parsed_globals)
  File "/usr/local/Cellar/awscli/HEAD-0be721e/libexec/lib/python2.7/site-packages/awscli/customizations/commands.py", line 187, in __call__
    return self._run_main(parsed_args, parsed_globals)
  File "/usr/local/Cellar/awscli/HEAD-0be721e/libexec/lib/python2.7/site-packages/awscli/customizations/s3/subcommands.py", line 455, in _run_main
    super(ListCommand, self)._run_main(parsed_args, parsed_globals)
  File "/usr/local/Cellar/awscli/HEAD-0be721e/libexec/lib/python2.7/site-packages/awscli/customizations/s3/subcommands.py", line 441, in _run_main
    parsed_globals.verify_ssl)
  File "/usr/local/Cellar/awscli/HEAD-0be721e/libexec/lib/python2.7/site-packages/awscli/customizations/s3/subcommands.py", line 434, in get_client
    config=config)
  File "/usr/local/Cellar/awscli/HEAD-0be721e/libexec/lib/python2.7/site-packages/botocore/session.py", line 825, in create_client
    credentials = self.get_credentials()
  File "/usr/local/Cellar/awscli/HEAD-0be721e/libexec/lib/python2.7/site-packages/botocore/session.py", line 449, in get_credentials
    'credential_provider').load_credentials()
  File "/usr/local/Cellar/awscli/HEAD-0be721e/libexec/lib/python2.7/site-packages/botocore/credentials.py", line 1146, in load_credentials
    creds = provider.load()
  File "/usr/local/Cellar/awscli/HEAD-0be721e/libexec/lib/python2.7/site-packages/botocore/credentials.py", line 842, in load
    return self._load_creds_via_assume_role()
  File "/usr/local/Cellar/awscli/HEAD-0be721e/libexec/lib/python2.7/site-packages/botocore/credentials.py", line 861, in _load_creds_via_assume_role
    creds, response = self._retrieve_temp_credentials()
  File "/usr/local/Cellar/awscli/HEAD-0be721e/libexec/lib/python2.7/site-packages/botocore/credentials.py", line 966, in _retrieve_temp_credentials
    client = self._create_client_from_config(config)
  File "/usr/local/Cellar/awscli/HEAD-0be721e/libexec/lib/python2.7/site-packages/botocore/credentials.py", line 957, in _create_client_from_config
    'sts', aws_access_key_id=source_cred_values['aws_access_key_id'],
KeyError: 'aws_access_key_id'
2017-08-14 16:29:56,291 - MainThread - awscli.clidriver - DEBUG - Exiting with rc 255

'aws_access_key_id'

@joguSD

joguSD commented Aug 14, 2017

I believe this occurs when a profile references a source profile that has no credentials.
The following config can reproduce this:

[profile test]
role_arn = arn
source_profile = base

[profile base]

The error message is definitely not very helpful. I'll see what we can do to improve this.

Blind check is here.

@joguSD joguSD added investigating This issue is being investigated and/or work is in progress to resolve the issue. confusing-error labels Aug 14, 2017
@joguSD joguSD removed the investigating This issue is being investigated and/or work is in progress to resolve the issue. label Nov 20, 2017
@dschneller

The same error occurs if, for some reason, the credentials file in the .aws folder cannot be read by the current user. It took me a while to figure this out, because the same profiles had worked before. However, when restoring them from a backup, the file ownership was accidentally changed. chowning them back to my user fixed it.
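
Added example (not part of the thread and not awscli or botocore code): a pre-flight check for the two causes reported in the comments above, a role profile whose source_profile carries no access keys and a config or credentials file that exists but cannot be read. The function names, finding strings and temporary paths are assumptions made for illustration, and only static keys are checked.

```python
import configparser
import os
import tempfile

KEYS = ("aws_access_key_id", "aws_secret_access_key")

def load_ini(path, findings):
    """Parse an INI file; record a finding if it exists but cannot be read."""
    parser = configparser.RawConfigParser()
    if os.path.exists(path):
        try:
            with open(path) as fh:
                parser.read_file(fh)
        except (OSError, configparser.Error) as exc:
            findings.append(f"cannot read {path}: {exc.__class__.__name__}")
    return parser

def check_assume_role_profiles(config_path, credentials_path):
    """Return problems for role profiles whose source profile has no keys."""
    findings = []
    config = load_ini(config_path, findings)
    creds = load_ini(credentials_path, findings)
    profiles = {}
    # The config file names sections "profile NAME"; the credentials file uses "NAME".
    for section in config.sections():
        name = section[len("profile "):].strip() if section.startswith("profile ") else section
        profiles.setdefault(name, {}).update(config.items(section))
    for section in creds.sections():
        profiles.setdefault(section, {}).update(creds.items(section))
    for name, values in sorted(profiles.items()):
        source = values.get("source_profile")
        if "role_arn" not in values or source is None:
            continue
        src = profiles.get(source)
        if src is None:
            findings.append(f"profile {name}: source_profile {source} is not defined")
        elif "role_arn" not in src and not all(k in src for k in KEYS):
            findings.append(f"profile {name}: source_profile {source} has no static credentials")
    return findings

def demo():
    """Run the check on the config quoted in the thread, written to a temp dir."""
    sample = "[profile test]\nrole_arn = arn\nsource_profile = base\n\n[profile base]\n"
    with tempfile.TemporaryDirectory() as tmp:
        config_path = os.path.join(tmp, "config")
        with open(config_path, "w") as fh:
            fh.write(sample)
        return check_assume_role_profiles(config_path, os.path.join(tmp, "credentials"))

if __name__ == "__main__":
    print("\n".join(demo()))
```

Against a real setup, pass the paths of the config and credentials files in the .aws folder; an empty list means every role profile's source resolves to a profile with keys or to another role profile.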

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Sep 18, 2020
@aws aws deleted a comment from github-actions bot Sep 18, 2020
@kdaily kdaily removed the closing-soon This issue will automatically close in 4 days unless further comments are made. label Sep 18, 2020
@kdaily kdaily added the feature-request A feature should be added or improved. label Feb 8, 2021
@tim-finnigan

This appears to be a duplicate of #2060.

When I assumed a role without s3 permissions and attempted the s3 ls command I received this error:
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

And @dschneller's issue with credentials file ownership is also captured here: #2565.

I think we should close this and continue any discussion in those open issues.

@tim-finnigan tim-finnigan self-assigned this Nov 10, 2021
@tim-finnigan tim-finnigan added the duplicate This issue is a duplicate. label Nov 10, 2021
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
