[gdal-dev] errors using IAM instance profile auth in s3

michael.smith.erdc at gmail.com michael.smith.erdc at gmail.com
Sat Nov 19 06:35:44 PST 2022


 curl http://169.254.169.254/latest/meta-data/iam/security-credentials/iam-grid-s3
{
  "Code" : "Success",
  "LastUpdated" : "2022-11-19T14:30:52Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "xxxxxxxxxxxxxxxxxxx",
  "SecretAccessKey" : "xxxxxxxxxxxxxxxxx/1ssuwVLuUevA",
  "Token" : "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",
  "Expiration" : "2022-11-19T20:37:09Z"
}

I didn’t see anything odd in there, but a JSON parsing issue would explain it.

Mike

> On Nov 19, 2022, at 9:26 AM, Even Rouault <even.rouault at spatialys.com> wrote:
> 
> Hi Mike,
> 
> could you send the output of
> 
> curl http://169.254.169.254/latest/meta-data/iam/security-credentials/iam-grid-s3
> 
> Slightly redacted of course, but with the exact formatting. This part of the code currently uses a "simple JSON parser" (https://github.com/OSGeo/gdal/blob/c61d116a469821b769630a112dee7f1a61fed885/port/cpl_aws.cpp#L554), which is actually just a non-JSON-aware string tokenizer, and I suspect it could be defeated by a new formatting of S3 or something specific to your credentials.
> 
> It could also be that something unhandled by that parser appears inside quoted strings, like an escaped double quote or some other JSON escaped character (like an escaped forward slash \/ )
> 
> If that was the case we should likely switch to proper JSON deserialization (that part of the code must predate libjson-c being a build requirement of GDAL).
> 
> Even
> 
> 
> -- 
> http://www.spatialys.com
> My software is free, but my time generally not.
> 
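Added example, not part of the thread and not GDAL's code: a hypothetical quote-splitting tokenizer compared with real JSON deserialization on constructed credential documents, showing how the escaped characters mentioned in the reply (`\/` and `\"`) would corrupt or lose the credential fields. The function names and all sample values are assumptions made for this illustration.

```python
import json

FIELDS = ("AccessKeyId", "SecretAccessKey", "Token")

def naive_fields(text):
    # Hypothetical stand-in for a non-JSON-aware tokenizer: split on every
    # double quote, treat odd pieces as strings, pair them as key, value.
    strings = text.split('"')[1::2]
    pairs = dict(zip(strings[0::2], strings[1::2]))
    return {k: pairs.get(k) for k in FIELDS}

def json_fields(text):
    # Proper deserialization: JSON escapes inside strings are decoded.
    doc = json.loads(text)
    return {k: doc.get(k) for k in FIELDS}

def disagreements(text):
    # Fields where the tokenizer and the JSON parser return different values.
    naive, proper = naive_fields(text), json_fields(text)
    return {k: (naive[k], proper[k]) for k in FIELDS if naive[k] != proper[k]}

# Constructed documents in the shape of the metadata response; values are made up.
PLAIN = ('{ "Code" : "Success", "AccessKeyId" : "AKIDEXAMPLE", '
         '"SecretAccessKey" : "abc/def", "Token" : "tok==" }')
# Same secret, but the slash is written with the legal JSON escape \/ .
ESCAPED_SLASH = (r'{ "Code" : "Success", "AccessKeyId" : "AKIDEXAMPLE", '
                 r'"SecretAccessKey" : "abc\/def", "Token" : "tok==" }')
# An escaped double quote in an earlier string shifts the key/value pairing.
ESCAPED_QUOTE = (r'{ "Message" : "a \"quoted\" word", "AccessKeyId" : "AKIDEXAMPLE", '
                 r'"SecretAccessKey" : "abc/def", "Token" : "tok==" }')

if __name__ == "__main__":
    for name, doc in (("plain", PLAIN), ("escaped slash", ESCAPED_SLASH),
                      ("escaped quote", ESCAPED_QUOTE)):
        print(name, disagreements(doc))
```

A secret that keeps its backslash, or that is missing altogether, produces a wrong request signature, which surfaces as an authentication error rather than a parse error.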