internal/ini - failure to parse some credentials

[ktravis]

Because a / character is valid in the AWS Secret Access Key value encoding, sometimes the returned value can have two leading forward slashes. This causes the value to be parsed by the new internal/ini parser (introduced by #2210) to be interpreted as a comma, and return an INIParseError.

Version of AWS SDK for Go?

v1.15.65, issue was introduced in v1.15.59.

Version of Go (go version)?

go version go1.11 darwin/amd64

What issue did you see?

When loading shared credentials (everything default)

SharedConfigLoadError: failed to load config file, ~/.aws/credentials
caused by: INIParseError: invalid state with ASTKind { {4 NONE 0 [61]} true [{expr {1 STRING 0 [97 119 115 95 115 101 99 114 101 116 95 97 99 99 101 115 115 95 107 101 121]} true []}]} and TokenType {7 NONE 0 [47 47 ... ]}

Interpreting the printed values, it is clear that the parser was in the midst of parsing an assignment with the LHS being aws_secret_access_key, then encountered a "comment" token when looking for the RHS of the expression (note that the raw value of the token begins with bytes [47 47], aka "//".

Steps to reproduce

Set a profile in $HOME/.aws/credentials with an aws_secret_access_key value that begins with //, i.e.:

[myprofile]
aws_access_key_id = ASIA0123456789012345
aws_secret_access_key = //01234567890123456789001234567890+abcdefg

package main

import (
	"github.com/aws/aws-sdk-go/aws/credentials"
)

func main() {
	creds := &credentials.SharedCredentialsProvider{
		Profile: "myprofile",
	}
	if _, err := creds.Retrieve(); err != nil {
		panic(err)
	}
}

Since the new ini package is internal, I can't import it in a test here directly - however, this test mimics the use case that initially triggered the bug.

[xibz]

Hello @ktravis, thank you for reporting this. You can mitigate this for now by putting " around the credentials until we get #2240 merged.

[ktravis]

Awesome, thank you for the quick response!

[xibz]

@ktravis - We just merged in #2240. Please let us know if you have any other issues!

[jritsema]

Hi. Just a heads up that this is still impacting us. We use https://github.com/turnerlabs/samlkeygen which populates our credentials file with temporary keys. For example:

[account1:admin]
aws_access_key_id = REDACTED
aws_secret_access_key = REDACTED
aws_session_token = REDACTED
aws_security_token = REDACTED
last_updated = 2018-11-02T13:48:32Z
expiration = 2018-11-02T22:48:32Z

[jasdel]

@jritsema thanks for letting us know about this issue. we'll add this to a test case and work to fix the issue from there.

[xibz]

Hello @jritsema, I believe this has already been fixed, #2247, but hasn't been released yet. Please try using HEAD to see if you are still running into the issue. If you are not, the next release should contain the fix. I am going to go ahead and close the issue. If you are still having issues, please let us know and we will reopen.

[jritsema]

I verified that HEAD looks like it fixes it. Thanks @xibz @jasdel!

[sbalasa]

How to fix this issue ? I still hit it in:

% terraform --version
Terraform v1.0.2
on darwin_amd64

% aws --version
aws-cli/1.19.108 Python/3.9.6 Darwin/20.3.0 botocore/1.20.108