
I am getting a "Partial credentials found in env" error while running the command below.

    aws sts assume-role-with-web-identity --role-arn $AWS_ROLE_ARN --role-session-name build-session --web-identity-token $BITBUCKET_STEP_OIDC_TOKEN --duration-seconds 1000

I am using the AWS CLI and Python versions below:

    aws-cli/2.2.9 Python/3.8.8 Linux/5.4.92-flatcar exe/x86_64.debian.11 prompt/off

I've also set AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN as environment variables. I'm still getting this error. I haven't configured the AWS credentials file ~/.aws/credentials or the config file ~/.aws/config, as they are not required since I am using a web identity token to generate temporary credentials.

Below is the Bitbucket pipeline step:

    - step:
        oidc: true
        name: Build
        image: python:3.7
        script:
          - export AWS_REGION=us-east-2
          - export AWS_ROLE_ARN=arn:aws:iam::XXXXXX:role/bitbucket-pipelines-sso
          - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
          - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
          - curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-2.2.9.zip" -o "awscliv2.zip" && unzip awscliv2.zip
          - ./aws/install -i /usr/local/aws-cli -b /usr/local/bin
          - aws sts assume-role-with-web-identity --role-arn $AWS_ROLE_ARN --role-session-name build-session --web-identity-token $BITBUCKET_STEP_OIDC_TOKEN --duration-seconds 1000 >> irp-cred.txt

I've seen this and this, but no luck.
Can someone help me out?

2 Answers

  1. Chosen as BEST ANSWER

    Ugh... I was struggling for two days and, right after posting it on Stack Overflow, I thought of clearing the ENV variables and it worked. Somehow AWS keys were being stored in the env, not sure how. I just cleared them with the commands below and it worked :D

    - unset AWS_ACCESS_KEY_ID
    - unset AWS_SECRET_ACCESS_KEY
    

  2. Instead of using the identity token file and unsetting the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY values, I simply override these values with the ones from the role. Here is an example:

    # Exchange the OIDC token for temporary credentials (note: the trailing echo prints the full credential set into the build log)
    export creds_json=$(aws sts assume-role-with-web-identity --role-arn $AWS_OIDC_ROLE_ARN --role-session-name build-session --web-identity-token $BITBUCKET_STEP_OIDC_TOKEN --duration-seconds 1000) && echo $creds_json | jq .
    # jq -r emits the raw string, so the quotes do not need to be stripped with sed
    export AWS_ACCESS_KEY_ID=$(echo $creds_json | jq -r '.Credentials.AccessKeyId')
    export AWS_SECRET_ACCESS_KEY=$(echo $creds_json | jq -r '.Credentials.SecretAccessKey')
    export AWS_SESSION_TOKEN=$(echo $creds_json | jq -r '.Credentials.SessionToken')
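
As an added example (not code from the question or from either answer), the script below does what the two answers do by hand: it reports whether the environment holds no, partial or full static keys (the partial state is what produces the error), clears them, and loads the temporary credentials from an assume-role-with-web-identity response without needing jq. The STS response is a constructed sample; the real call is shown in a comment.

```shell
#!/bin/sh
# Added example, not from the question or either answer. With only one of
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY set, the CLI's env credential
# provider fails ("Partial credentials found in env") before web identity is tried.

# Prints "none", "partial" or "full" for the static keys present in the environment.
aws_env_cred_state() {
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo full
  elif [ -n "${AWS_ACCESS_KEY_ID:-}" ] || [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo partial
  else
    echo none
  fi
}

# Drops stale static keys so AWS_ROLE_ARN + AWS_WEB_IDENTITY_TOKEN_FILE (or an
# explicit assume-role call) are what the CLI ends up using.
clear_static_aws_creds() {
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Pulls one string field out of the JSON printed by the STS call (one key per
# line), so the pipeline image does not need jq.
sts_field() { # usage: sts_field "$json" FieldName
  printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Exports the temporary credentials from an STS response; fails if any of the
# three is missing, so a bad response cannot leave the env half-populated again.
export_sts_creds() {
  ak=$(sts_field "$1" AccessKeyId); sk=$(sts_field "$1" SecretAccessKey)
  st=$(sts_field "$1" SessionToken)
  if [ -z "$ak" ] || [ -z "$sk" ] || [ -z "$st" ]; then
    echo "STS response did not contain a full credential set" >&2
    return 1
  fi
  export AWS_ACCESS_KEY_ID="$ak" AWS_SECRET_ACCESS_KEY="$sk" AWS_SESSION_TOKEN="$st"
}

# Constructed sample response (not real credentials). In the pipeline, obtain it with:
#   creds_json=$(aws sts assume-role-with-web-identity --role-arn "$AWS_ROLE_ARN" \
#     --role-session-name build-session --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" \
#     --duration-seconds 1000)
SAMPLE_STS_JSON='{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEY000001",
        "SecretAccessKey": "EXAMPLEsecretKEYconstructed",
        "SessionToken": "EXAMPLE.session.token.constructed"
    }
}'
```

In the pipeline step, run `clear_static_aws_creds` before the STS call and `export_sts_creds "$creds_json"` after it, instead of echoing the JSON into the build log.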
    