aws sts credentials not created? #120
Description
I am using the AWS sts assume role feature of duckdb. I am trying to use this connection information:
```sql
install aws;
load aws;
SET s3_region = 'us-west-2';
CREATE SECRET (
    TYPE s3,
    PROVIDER credential_chain,
    CHAIN sts,
    PROFILE '<core profile name>',
    ASSUME_ROLE_ARN 'arn:aws:iam::<accountid>:role/<assumed role name>',
    REGION 'us-west-2'
);
```
with the angled brackets filled in with real values from this command line call (which correctly creates temporary creds):
```shell
aws sts assume-role --role-arn arn:aws:iam::<accountid>:role/<assumed role name> --role-session-name duckdb --profile <core profile name>
```
The AWS CLI correctly creates short-lived credentials for access. I can access DuckDB using these credentials, but I'd like to use the AWS STS assume role, rather than manually updating creds every hour.
DuckDB returns the following:
```
Invalid Configuration Error:
Secret Validation Failure: during `generate` using the following:
Profile: '<core profile name>'
Credential Chain: 'sts'
Role-arn: 'arn:aws:iam::<account id>:role/<assumed role name>'
```
My credentials file has STS entries for <core profile name> which are generated from our SSO tool (Okta), then we use those to assume roles in various environments (dev, stg, prod).
Does this sts feature work for anyone else? Am I doing something wrong? How do I debug this connection?
I have searched the web and docs extensively.
- https://duckdb.org/docs/stable/core_extensions/aws
- https://duckdb.org/docs/stable/core_extensions/iceberg/amazon_sagemaker_lakehouse#connecting-to-amazon-sagemaker-lakehouse-aws-glue
What am I missing?
I did check