Error reading aws config on non-ephemeral runners

[mrmeyers99]

I'm having a problem similar to #17

We're using self hosted runner which are not (unfortunately) ephemeral. I'm getting an error when running this action on a runner that has run this action in the past. Since this action is appending instead of replacing, subsequent runs have duplicates in their files. I can solve this on my end by running rm -f $HOME/actions-runner/_work/_temp/_github_home/.aws/config before using this action, but it would be nice to not have to worry about that.

Here's the error:

Traceback (most recent call last): File "/usr/local/lib/python3.8/site-packages/botocore/configloader.py", line 149, in raw_config_parse cp.read([path]) File "/usr/local/lib/python3.8/configparser.py", line 697, in read self._read(fp, filename) File "/usr/local/lib/python3.8/configparser.py", line 1067, in _read raise DuplicateSectionError(sectname, fpname, configparser.DuplicateSectionError: While reading from '/github/home/.aws/config' [line 5]: section 'profile default' already exists During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/local/bin/tokendito", line 8, in <module> sys.exit(main()) File "/usr/local/lib/python3.8/site-packages/tokendito/__main__.py", line 25, in main return cli(args) File "/usr/local/lib/python3.8/site-packages/tokendito/tool.py", line 38, in cli assume_role_response, role_name = aws_helpers.select_assumeable_role( File "/usr/local/lib/python3.8/site-packages/tokendito/aws_helpers.py", line 200, in select_assumeable_role assume_role_response = assume_role(role_arn, roles_and_providers[role_arn], saml) File "/usr/local/lib/python3.8/site-packages/tokendito/aws_helpers.py", line 105, in assume_role assume_role_response = handle_assume_role( File "/usr/local/lib/python3.8/site-packages/tokendito/aws_helpers.py", line 123, in handle_assume_role client = boto3.client("sts", config=Config(signature_version=UNSIGNED)) File "/usr/local/lib/python3.8/site-packages/boto3/__init__.py", line 93, in client return _get_default_session().client(*args, **kwargs) File "/usr/local/lib/python3.8/site-packages/boto3/__init__.py", line 81, in _get_default_session setup_default_session() File "/usr/local/lib/python3.8/site-packages/boto3/__init__.py", line 35, in setup_default_session DEFAULT_SESSION = Session(**kwargs) File "/usr/local/lib/python3.8/site-packages/boto3/session.py", line 80, in __init__ self._setup_loader() File "/usr/local/lib/python3.8/site-packages/boto3/session.py", line 120, in _setup_loader self._loader = self._session.get_component('data_loader') File "/usr/local/lib/python3.8/site-packages/botocore/session.py", line 698, in get_component return self._components.get_component(name) File "/usr/local/lib/python3.8/site-packages/botocore/session.py", line 937, in get_component self._components[name] = factory() File "/usr/local/lib/python3.8/site-packages/botocore/session.py", line 158, in <lambda> lambda: create_loader(self.get_config_variable('data_path'))) File "/usr/local/lib/python3.8/site-packages/botocore/session.py", line 251, in get_config_variable return self.get_component('config_store').get_config_variable( File "/usr/local/lib/python3.8/site-packages/botocore/configprovider.py", line 317, in get_config_variable return provider.provide() File "/usr/local/lib/python3.8/site-packages/botocore/configprovider.py", line 414, in provide value = provider.provide() File "/usr/local/lib/python3.8/site-packages/botocore/configprovider.py", line 475, in provide scoped_config = self._session.get_scoped_config() File "/usr/local/lib/python3.8/site-packages/botocore/session.py", line 341, in get_scoped_config profile_map = self._build_profile_map() File "/usr/local/lib/python3.8/site-packages/botocore/session.py", line 237, in _build_profile_map self._profile_map = self.full_config['profiles'] File "/usr/local/lib/python3.8/site-packages/botocore/session.py", line 368, in full_config self._config = botocore.configloader.load_config(config_file) File "/usr/local/lib/python3.8/site-packages/botocore/configloader.py", line 106, in load_config parsed = raw_config_parse(config_filename) File "/usr/local/lib/python3.8/site-packages/botocore/configloader.py", line 151, in raw_config_parse raise botocore.exceptions.ConfigParseError( botocore.exceptions.ConfigParseError: Unable to parse config file: /github/home/.aws/config

[mrchief]

I guess we can delete the file as the last step in entrypoint.sh. Wanna give it try and send a PR?

[mrmeyers99]

I could delete the file, but won't that mess up the ability to switch between profiles which is being added in #17?

[mrchief]

Not right now. We don't use that file as we push to env vars currently.

If you check my last comment, we could try something like writing to /home/runner/work/_temp/_github_home which will persist the file and when that happens, deleting the file will cause the issue.

I think, deleting the file before this action runs could maybe work but then deleting files on the runner feels like a risky move because we're modifying the environment and we're touching files created outside of this action (most likely those files were created by a previous run of this action but we can't be sure of that).

Apart from those, do you have any other ideas about tackling this?

[mrmeyers99]

Could we use the --config-file parameter to tell tokendito to write the creds to a temp file and read them from there?

[mrchief]

Sure. That would be limited to home folder and contingent upon the fact that writing to /home/runner/work/_temp/_github_home actually does persist the file. I like the idea. Mind sending a PR?

[mrmeyers99]

Link to PR: #20

[mrchief]

Fixed in https://github.com/mrchief/aws-creds-okta-action/releases/tag/v1.1.5