When role-based authentication is used without sweet_xml installed, AuthCache crashes but error message is not helpful #37

@guisehn

Environment

  • Elixir & Erlang versions (elixir --version): Elixir 1.12.3 / OTP 23
  • ExAws version mix deps |grep ex_aws: 2.2.3
  • HTTP client version. IE for hackney do mix deps | grep hackney: 1.17.4

Current behavior

Having sweet_xml installed is required for role-based authentication.

Right now, if the user doesn't have sweet_xml installed and they use role-based authentication, the AuthCache process crashes because ExAws.STS.AuthCache.AssumeRoleWebIdentityAdapter.get_security_credentials/2 raises:

[error] GenServer ExAws.Config.AuthCache terminating
** (KeyError) key :access_key_id not found in: "<AssumeRoleWithWebIdentityResponse xmlns=\"https://sts.amazonaws.com/doc/2011-06-15/\">
  <AssumeRoleWithWebIdentityResult>
    <Audience>sts.amazonaws.com</Audience>
    <AssumedRoleUser>
      <AssumedRoleId>[redacted]</AssumedRoleId>
      <Arn>[redacted]</Arn>
    </AssumedRoleUser>
    <Provider>[redacted]</Provider>
    <Credentials>
      <AccessKeyId>[redacted]</AccessKeyId>
      <SecretAccessKey>[redacted]</SecretAccessKey>
      <SessionToken>[redacted]</SessionToken>
      <Expiration>[redacted]</Expiration>
    </Credentials>
    <SubjectFromWebIdentityToken>[redacted]</SubjectFromWebIdentityToken>
  </AssumeRoleWithWebIdentityResult>
  <ResponseMetadata>
    <RequestId>[redacted]</RequestId>
  </ResponseMetadata>
</AssumeRoleWithWebIdentityResponse>
". If you are using the dot syntax, such as map.field, make sure the left-hand side of the dot is a map
    (ex_aws_sts 2.3.0) lib/ex_aws/sts/auth_cache/assume_role_web_identity_adapter.ex:32: ExAws.STS.AuthCache.AssumeRoleWebIdentityAdapter.get_security_credentials/2
    (ex_aws 2.4.2) lib/ex_aws/config/auth_cache.ex:83: ExAws.Config.AuthCache.attempt_credentials_refresh/5
    (ex_aws 2.4.2) lib/ex_aws/config/auth_cache.ex:73: ExAws.Config.AuthCache.refresh_awscli_config/3
    (ex_aws 2.4.2) lib/ex_aws/config/auth_cache.ex:50: ExAws.Config.AuthCache.handle_call/3
    (stdlib 3.17.2) gen_server.erl:721: :gen_server.try_handle_call/4
    (stdlib 3.17.2) gen_server.erl:750: :gen_server.handle_msg/6
    (stdlib 3.17.2) proc_lib.erl:226: :proc_lib.init_p_do_apply/3
Last message (from #PID<0.2246.0>): {:refresh_awscli_config, "default", 30000}

This happens because when sweet_xml is not installed, ExAws.STS.Parsers silently becomes a no-op, returning its input as the output.

AssumeRoleWebIdentityAdapter expects that ExAws.STS.Parsers will transform the XML string to a map. When sweet_xml is not installed, it receives a string and fails with this error message, which is not very useful and is difficult to troubleshoot.

Expected behavior

When sweet_xml is not installed, we could improve the library to crash with a useful error message that helps troubleshooting. This will result in a better developer experience.
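Added example, not part of the original issue and not code from ex_aws or ex_aws_sts: one way to fail early with a diagnosable message when the STS response arrives unparsed. The module name `CredentialsGuard`, the function `fetch_credentials!/1` and every key name other than `:access_key_id` are assumptions. The error text deliberately leaves out the response body, because the `KeyError` above prints the whole XML, including `SecretAccessKey` and `SessionToken`, into the log.

```elixir
defmodule CredentialsGuard do
  # Hypothetical helper for illustration; not part of ex_aws or ex_aws_sts.
  # Only :access_key_id is confirmed by the stack trace; the other key
  # names are assumptions about the parsed response shape.
  @required_keys [:access_key_id, :secret_access_key, :session_token, :expiration]

  # Parsed response: verify every credential field is present before use.
  def fetch_credentials!(%{} = parsed) do
    case Enum.reject(@required_keys, &Map.has_key?(parsed, &1)) do
      [] ->
        Map.take(parsed, @required_keys)

      missing ->
        raise ArgumentError, "parsed STS response is missing keys: #{inspect(missing)}"
    end
  end

  # Unparsed response: the parser was a no-op and handed back the raw XML.
  # The body is never interpolated into the message because it contains
  # SecretAccessKey and SessionToken.
  def fetch_credentials!(body) when is_binary(body) do
    hint =
      if Code.ensure_loaded?(SweetXml) do
        "sweet_xml is loaded, so the response parser was not applied"
      else
        "sweet_xml is not available; add :sweet_xml to deps in mix.exs"
      end

    raise ArgumentError,
          "expected a parsed STS response (map), got an unparsed " <>
            "#{byte_size(body)}-byte string: #{hint}"
  end
end

# Constructed sample inputs (placeholder values, not real credentials).
parsed = %{
  access_key_id: "EXAMPLE_KEY_ID",
  secret_access_key: "EXAMPLE_SECRET",
  session_token: "EXAMPLE_TOKEN",
  expiration: "2030-01-01T00:00:00Z"
}

IO.inspect(Map.keys(CredentialsGuard.fetch_credentials!(parsed)))

try do
  CredentialsGuard.fetch_credentials!("<AssumeRoleWithWebIdentityResponse/>")
rescue
  e in ArgumentError -> IO.puts(Exception.message(e))
end
```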
