IAM role vs { CredentialsError: Missing credentials in config

Alright, I'm at a loss here.

I'm using serverless w/ AWS.

Everything seems fine when I host locally:

    cross-env deploy_channel='development' projectId='foo' serverless offline start

But when I run

    serverless deploy

and I check CloudWatch logs, I get:

    { CredentialsError: Missing credentials in config
        at Object.openSync (fs.js:443:3)
        at Object.readFileSync (fs.js:343:35)
        at Object.readFileSync (/var/runtime/node_modules/aws-sdk/lib/util.js:95:26)
        at IniLoader.parseFile (/var/runtime/node_modules/aws-sdk/lib/shared-ini/ini-loader.js:6:47)
        at IniLoader.loadFrom (/var/runtime/node_modules/aws-sdk/lib/shared-ini/ini-loader.js:56:30)
        at SharedIniFileCredentials.load (/var/runtime/node_modules/aws-sdk/lib/credentials/shared_ini_file_credentials.js:104:41)
        at SharedIniFileCredentials.coalesceRefresh (/var/runtime/node_modules/aws-sdk/lib/credentials.js:205:12)
        at SharedIniFileCredentials.refresh (/var/runtime/node_modules/aws-sdk/lib/credentials/shared_ini_file_credentials.js:185:10)
        at SharedIniFileCredentials.get (/var/runtime/node_modules/aws-sdk/lib/credentials.js:122:12)
        at getAsyncCredentials (/var/runtime/node_modules/aws-sdk/lib/config.js:361:24)
      message: 'Missing credentials in config',
      errno: -2,
      syscall: 'open',
      code: 'CredentialsError',
      path: '/home/sbx_user1080/.aws/credentials',
      time: 2019-09-20T02:36:00.842Z,
      originalError:
       { message: 'Could not load credentials from SharedIniFileCredentials',
         errno: -2,
         syscall: 'open',
         code: 'CredentialsError',
         path: '/home/sbx_user1080/.aws/credentials',
         time: 2019-09-20T02:36:00.842Z,
         originalError:
          { errno: -2,
            syscall: 'open',
            code: 'ENOENT',
            path: '/home/sbx_user1080/.aws/credentials',
            message:
             'ENOENT: no such file or directory, open \'/home/sbx_user1080/.aws/credentials\'' } } }

My understanding is that the lambdas should have an IAM user assigned to them at deploy time, and I see that user assigned to them.

I’ve tried a narrow role and an expansive admin-type role; neither seems to work.

According to what feels like common sense and the thread here:

that feels like it should be enough, but apparently it’s not.

So I’ve tried numerous ways to export the keys to the system env at deploy time, and while deploy goes smoothly, it still gives me the same error when the functions are invoked while hosted in AWS.

The code is erroring as I attempt to run a function to retrieve some secrets from Secrets Manager…
    // Excerpt from the body of the secret-loading function; AWS (the aws-sdk v2 module),
    // region and secretName are defined outside this excerpt.
    return new Promise((resolve, reject) => {
        // Use this code snippet in your app.
        // If you need more information about configurations or implementing the sample code, visit the AWS docs:
        // https://aws.amazon.com/developers/getting-started/nodejs/

        // Create a Secrets Manager client
        console.log('----->region:', region);
        console.log('<---------------> marker 333 <--------------->');
        const client = new AWS.SecretsManager();
        console.log('<---------------> marker 4444 <--------------->');

        let secret;
        let decodedBinarySecret;

        // In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
        // See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
        // Every error is passed to reject(): a throw inside this callback would not reject the promise.
        // The call is callback-style, so there is nothing to await here.
        client.getSecretValue({SecretId: secretName}, function (err, data) {
            console.log('<---------------> marker 55555 <--------------->');
            if (err) {
                if (err.code === 'DecryptionFailureException') {
                    // Secrets Manager can't decrypt the protected secret text using the provided KMS key.
                    // Deal with the exception here, and/or reject at your discretion.
                    reject(err);
                } else if (err.code === 'InternalServiceErrorException') {
                    // An error occurred on the server side.
                    // Deal with the exception here, and/or reject at your discretion.
                    reject(err);
                } else if (err.code === 'InvalidParameterException') {
                    // You provided an invalid value for a parameter.
                    // Deal with the exception here, and/or reject at your discretion.
                    reject(err);
                } else if (err.code === 'InvalidRequestException') {
                    // You provided a parameter value that is not valid for the current state of the resource.
                    // Deal with the exception here, and/or reject at your discretion.
                    reject(err);
                } else if (err.code === 'ResourceNotFoundException') {
                    // We can't find the resource that you asked for.
                    // Deal with the exception here, and/or reject at your discretion.
                    reject(err);
                } else {
                    // Any other error code must also settle the promise instead of leaving it pending.
                    reject(err);
                }
            } else {
                // Decrypts secret using the associated KMS CMK.
                // Depending on whether the secret is a string or binary, one of these fields will be populated.
                if ('SecretString' in data) {
                    resolve(JSON.parse(data.SecretString));
                } else {
                    // Buffer.from replaces the deprecated new Buffer() constructor.
                    const buff = Buffer.from(data.SecretBinary, 'base64');
                    decodedBinarySecret = buff.toString('ascii');
                    resolve({decodedBinarySecret, secret});
                }
            }
        });
    });

The lion's share of the code is written by the AWS crew themselves, and it works when I host locally, so it should be quality. However, when deployed it never gets to marker 5. Feels really weird that the lambda would spin up with an IAM role that has full admin access, run until this point, then fail.

Any thoughts?

Found the issue.

At some point in my old code that I had used to populate a large amount of data to a Redshift cluster, I called credentials.update or some such nonsense. Apparently credentials.update is enough to make sls start looking for a credentials file on its running file system, despite it being run entirely from AWS Lambda by way of REST calls blah blah blah.

Still have 1 more issue I'm trying to work out, but hopefully I won't have to bother y'all on the forums with it.
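
An added example, not code from the posts above: a small Node.js scanner that flags source lines which replace or pin the AWS SDK for JavaScript v2 credential provider, the kind of leftover call the follow-up describes. The rule list, the function name `findCredentialOverrides` and the sample source are constructed for illustration.

```javascript
// Added example: flag code that overrides the AWS SDK v2 default credential chain.
// Inside Lambda the default chain picks up the execution role's temporary keys;
// any of the calls below can stop that from happening.
const RULES = [
  { id: 'shared-ini', re: /new\s+AWS\.SharedIniFileCredentials\s*\(/,
    why: 'reads ~/.aws/credentials, which is absent in the Lambda sandbox (ENOENT above)' },
  { id: 'assign-credentials', re: /AWS\.config\.credentials\s*=/,
    why: 'replaces the default provider chain for every client created afterwards' },
  { id: 'load-from-path', re: /AWS\.config\.loadFromPath\s*\(/,
    why: 'loads keys from a JSON file that would have to ship in the bundle' },
  { id: 'static-keys', re: /\b(accessKeyId|secretAccessKey)\s*:/,
    why: 'pins static keys instead of the role credentials' },
];

// Returns one finding per (line, rule) match; line numbers are 1-based.
// Limitation: line comments are stripped naively, so text after "//" inside
// a string literal on the same line is not inspected.
function findCredentialOverrides(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    const code = text.replace(/\/\/.*$/, '');
    for (const rule of RULES) {
      if (rule.re.test(code)) {
        findings.push({ line: i + 1, rule: rule.id, why: rule.why });
      }
    }
  });
  return findings;
}

// Constructed sample: an old data-loading helper left in a handler module.
const SAMPLE = [
  "const AWS = require('aws-sdk');",
  "// old bulk-load helper",
  "AWS.config.credentials = new AWS.SharedIniFileCredentials({ profile: 'loader' });",
  "AWS.config.update({ region: 'us-east-1' });",
  "const client = new AWS.SecretsManager();",
].join('\n');

for (const hit of findCredentialOverrides(SAMPLE)) {
  console.log(`line ${hit.line}: ${hit.rule} (${hit.why})`);
}
```

Running it over the handler sources before `serverless deploy` surfaces overrides that work locally, where a credentials file exists, but fail once the function runs in Lambda.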