configure-aws-credentials@v4 fails to create ~/.aws/credentials file

[ICeZer0]

Describe the bug

aws-actions/configure-aws-credentials@v4 fails to create ~/.aws/credentials within the GitHub actions workflow container.

I discovered this bug while troubleshooting an issue with boto3 botocore.exceptions.ProfileNotFound: The config profile (default) could not be found"

  - name: Configure AWS Credentials v4
    uses: aws-actions/configure-aws-credentials@v4
    with:
      aws-region: us-west-2
      aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
      aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

I double-checked this error by attempting to print the profile using awk

Expected Behavior

This should create the following files ~/.aws/credentials and ~/.aws/config

Current Behavior

No folder exists

Reproduction Steps

Create a github action with the following step

  - name: Configure AWS Credentials v4
    uses: aws-actions/configure-aws-credentials@v4
    with:
      aws-region: us-west-2
      aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
      aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

Run the following command to check for the folder

  - name: Print aws profile names
    run: |
      awk -F '[][]' '/^\[/{print $2}' ~/.aws/credentials

Pipeline error: awk: fatal: cannot open file `/home/runner/.aws/credentials' for reading: No such file or directory

Possible Solution

No response

Additional Information/Context

Using aws configure fixes this issue

  - name: Add profile credentials to ~/.aws/
    run: |
      pip install boto3
      aws configure set aws_access_key_id ${{ secrets.AWS_ACCESS_KEY_ID }} --profile default
      aws configure set aws_secret_access_key ${{ secrets.AWS_SECRET_ACCESS_KEY }} --profile default
      aws configure set region us-west-2 --profile default

[tim-finnigan]

Hi @ICeZer0 thanks for reaching out. I think something like this captures what you're trying to do, can you confirm?

on: push

jobs:
  auth-with-account:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read

    steps:
      - name: Configure AWS Credentials v4
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: us-west-2
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

      - name: Add profile
        run: |
          mkdir -p ~/.aws
          echo "[default]" > ~/.aws/credentials
          echo "aws_access_key_id = ${{ secrets.AWS_ACCESS_KEY_ID }}" >> ~/.aws/credentials
          echo "aws_secret_access_key = ${{ secrets.AWS_SECRET_ACCESS_KEY }}" >> ~/.aws/credentials  
              
      - name: Print aws profile names
        run: |
          awk -F '[][]' '/^\[/{print $2}' ~/.aws/credentials

      - name: Test credentials
        run: |
          aws s3 ls

[ICeZer0]

@tim-finnigan Yes! Since you added the region, you can also echo .aws/config

[ICeZer0]

Hi @ICeZer0 thanks for reaching out. I think something like this captures what you're trying to do, can you confirm?

on: push



jobs:

  auth-with-account:

    runs-on: ubuntu-latest

    permissions:

      id-token: write

      contents: read



    steps:

      - name: Configure AWS Credentials v4

        uses: aws-actions/configure-aws-credentials@v4

        with:

          aws-region: us-west-2

          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}

          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}



      - name: Add profile

        run: |

          mkdir -p ~/.aws

          echo "[default]" > ~/.aws/credentials

          echo "aws_access_key_id = ${{ secrets.AWS_ACCESS_KEY_ID }}" >> ~/.aws/credentials

          echo "aws_secret_access_key = ${{ secrets.AWS_SECRET_ACCESS_KEY }}" >> ~/.aws/credentials  

              

      - name: Print aws profile names

        run: |

          awk -F '[][]' '/^\[/{print $2}' ~/.aws/credentials



      - name: Test credentials

        run: |

          aws s3 ls

Taking a second look, do you need the "add profile" job? My understanding is that configure-AWS-credentials will automatically create the default profile.

[kellertk]

All this action does is export environment variables. Basically, we're using the credentials you provide us to request temporary credentials from STS, and then exporting those credentials in to the environment. This is so later on, when your application goes through the standard credential resolution flow, it can pick up the session credential.

You mentioned Python, so I'll link to the boto3 documentation on the credential resolution flow:
https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html

Environment variables are number 3 in that list, so if there are environment variables that exist, they will be picked up before the SDK even tries to look at the configuration files. This action doesn't attempt to create configuration files at all. If you need the configuration files for some reason, you would need to do that yourself, which is the example that @tim-finnigan linked earlier.

Since this isn't something that we've ever supported in the action, I'm going to close this issue. If it's something that you need, you can follow @tim-finnigan's example above.

[github-actions]

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.

[github-actions]

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.