Open
Description
Similar issue to: #108
Observation
When running duckdb==1.4.2 locally the s3 secret credentials validate fine, but when running inside a container with AWS_PROFILE set and ~/.aws mounted the secrets validation fails:
❯ /root/.duckdb/cli/latest/duckdb
DuckDB v1.4.2 (Andium) 68d7555f68
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
D CREATE OR REPLACE SECRET secret (
TYPE s3,
PROVIDER credential_chain
);
Invalid Configuration Error:
Secret Validation Failure: during `create` using the following:
Credential Chain: 'config'

Issue
Is there a list of requirements or a way to find out why the validation is failing? I run into this error when I mount the ~/.aws directory into a docker container but not when I am running locally. The emitted error message is unhelpful for diagnosing the underlying issue.
Validation
Running this code inside a container in AWS resolves fine. Running boto3 normally inside the container also resolves the credentials fine. This indicates to me that there is a bug in the validation implementation used by duckdb.
❯ aws sts get-caller-identity
{
"UserId": "<user-id>:<email>",
"Account": "<account-id>",
"Arn": "arn:aws:sts::<account-id>:assumed-role/<assumed-role>/<email>"
}

Configuration
~/.aws/config
[profile <profile-name>]
sso_start_url = https://<org-name>.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
sso_account_id = <account-id>
sso_role_name = Platform
region = us-east-1
output = json

Credentials populated with
aws sso login --profile <profile-name>
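
A file-level preflight for the setup described in this issue, as an added example that is not part of the original report and does not reproduce DuckDB's own validation: it checks, inside the container, that the AWS_PROFILE section exists in the mounted config and that an unexpired SSO token for its sso_start_url is visible. The function names are hypothetical, and the token cache location (~/.aws/sso/cache/*.json with startUrl, accessToken and expiresAt fields) is assumed from how `aws sso login` stores its token.

```python
import configparser, json, os
from datetime import datetime, timezone
from pathlib import Path

def _expiry(token):
    # expiresAt appears as "...Z" or "...UTC" depending on the CLI version
    stamp = token["expiresAt"].replace("UTC", "+00:00").replace("Z", "+00:00")
    when = datetime.fromisoformat(stamp)
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)

def diagnose(env, home, now=None):
    """List reasons an SSO-backed AWS_PROFILE cannot resolve from files under home."""
    now = now or datetime.now(timezone.utc)
    profile = env.get("AWS_PROFILE")
    if not profile:
        return ["AWS_PROFILE is not set in this environment"]
    aws_dir = Path(home) / ".aws"
    cfg_path = Path(env.get("AWS_CONFIG_FILE") or aws_dir / "config")
    if not os.access(cfg_path, os.R_OK):
        return [f"{cfg_path} is missing or not readable by the container user"]
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(cfg_path)
    section = "default" if profile == "default" else f"profile {profile}"
    if not cfg.has_section(section):
        return [f"no [{section}] section in {cfg_path}"]
    start_url = cfg.get(section, "sso_start_url", fallback=None)
    if start_url is None:
        return []  # not an SSO profile; the token checks below do not apply
    cache_dir = aws_dir / "sso" / "cache"
    tokens = []
    for path in cache_dir.glob("*.json"):
        try:
            doc = json.loads(path.read_text())
        except (OSError, ValueError):
            continue  # unreadable or non-JSON cache entry
        # client-registration entries carry no accessToken/startUrl; skip them
        if (isinstance(doc, dict) and doc.get("startUrl") == start_url
                and {"accessToken", "expiresAt"} <= doc.keys()):
            tokens.append(doc)
    if not tokens:
        return [f"no cached SSO token for {start_url} under {cache_dir}"]
    if all(_expiry(t) <= now for t in tokens):
        return ["cached SSO token has expired; rerun aws sso login on the host"]
    return []

if __name__ == "__main__":
    for line in diagnose(os.environ, Path.home()) or ["no file-level problem found"]:
        print(line)
```

An empty result only rules out these file-level causes; it says nothing about how the DuckDB extension walks the credential chain.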