Credential should be scoped to a valid region, not 'aws-global'


Long story short, I’m trying to migrate a project from software.amazon.awssdk:bom:2.0.0-preview-12 to software.amazon.awssdk:bom:2.2.0 and the approach for picking up credentials, that used to work, now ends up failing with SdkClientException, which is caused by Credential should be scoped to a valid region, not 'aws-global' in the AwsCredentialsProviderChain.

Context

We are using aws-okta to generate .aws/config / .aws/credentials, and it used to be enough to set the AWS_PROFILE environment variable to allow the application to pick up the credentials. The application in question is only using the S3 client.

Current Behavior

In 2.2.0 (and it looks like this behavior started from 2.0.0-preview-13) it’s now mandatory to provide a region in the .aws/config, and it does not matter if it’s going to be a totally different region from the one our S3 buckets are in. If region is not set on the profile, the following exception is thrown by the client:

Exception in thread "main" software.amazon.awssdk.core.exception.SdkClientException: Unable to load credentials from any of the providers in the chain AwsCredentialsProviderChain(credentialsProviders=[SystemPropertyCredentialsProvider(), EnvironmentVariableCredentialsProvider(), ProfileCredentialsProvider(profileName=..., profileFile=ProfileFile(profiles=[Profile(name=..., properties=[role_name, source_profile, role_arn]), Profile(name=..., properties=[role_name, source_profile, role_arn]), Profile(name=default, properties=[output, aws_access_key_id, aws_session_token, aws_secret_access_key])])), ContainerCredentialsProvider(), InstanceProfileCredentialsProvider()]) : [SystemPropertyCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., EnvironmentVariableCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., ProfileCredentialsProvider(profileName=...., profileFile=ProfileFile(profiles=[Profile(name=..., properties=[role_name, source_profile, role_arn]), Profile(name=..., properties=[role_name, source_profile, role_arn]), Profile(name=default, properties=[output, aws_access_key_id, aws_session_token, aws_secret_access_key])])): Credential should be scoped to a valid region, not 'aws-global'.  (Service: Sts, Status Code: 403, Request ID: ...), ContainerCredentialsProvider(): Cannot fetch credentials from container - neither AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variables are set., InstanceProfileCredentialsProvider(): Unable to load credentials from service endpoint.]
	at software.amazon.awssdk.core.exception.SdkClientException$BuilderImpl.build(SdkClientException.java:97)
	at software.amazon.awssdk.auth.credentials.AwsCredentialsProviderChain.resolveCredentials(AwsCredentialsProviderChain.java:112)
	at software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider.resolveCredentials(DefaultCredentialsProvider.java:92)
	at software.amazon.awssdk.awscore.client.handler.AwsClientHandlerUtils.createExecutionContext(AwsClientHandlerUtils.java:70)
	at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.createExecutionContext(AwsSyncClientHandler.java:68)
	at software.amazon.awssdk.core.client.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:54)
	at software.amazon.awssdk.core.client.handler.SdkSyncClientHandler.execute(SdkSyncClientHandler.java:51)
	at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.execute(AwsSyncClientHandler.java:62)
	at software.amazon.awssdk.services.s3.DefaultS3Client.getObject(DefaultS3Client.java:1597)
	at software.amazon.awssdk.services.s3.S3Client.getObject(S3Client.java:2292)
...

Expected Behavior

I would expect the SDK to work the same way as aws-cli does. (E.g. I can run aws s3 ls --profile=... s3://... without needing to specify the region).

Your Environment

  • Java(TM) SE Runtime Environment (build 1.8.0_191-b12)

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 5 (4 by maintainers)
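
A pre-flight check for the condition the issue describes, as an added example that is not part of the original issue or the SDK: it lists the role-assuming profiles (those with role_arn) in an AWS config file that set no region. The profile names, account ID, role ARN and function names are constructed for illustration.

```python
import configparser
import os

# Constructed sample in the layout of ~/.aws/config; names and ARN are made up.
SAMPLE_CONFIG = """\
[default]
output = json

[profile dev-role]
role_arn = arn:aws:iam::111111111111:role/ExampleRole
source_profile = default

[profile prod-role]
role_arn = arn:aws:iam::111111111111:role/ExampleRole
source_profile = default
region = us-east-1
"""


def profile_name(section):
    """Strip the 'profile ' prefix that ~/.aws/config uses for named profiles."""
    prefix = "profile "
    return section[len(prefix):].strip() if section.startswith(prefix) else section


def role_profiles_missing_region(config_text):
    """Return names of profiles that assume a role but set no region."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    missing = []
    for section in parser.sections():
        props = parser[section]
        has_role = bool(props.get("role_arn", "").strip())
        has_region = bool(props.get("region", "").strip())
        if has_role and not has_region:
            missing.append(profile_name(section))
    return sorted(missing)


if __name__ == "__main__":
    print("sample:", role_profiles_missing_region(SAMPLE_CONFIG))
    # Check the real file too, if one exists (AWS_CONFIG_FILE overrides the default path).
    path = os.environ.get("AWS_CONFIG_FILE", os.path.expanduser("~/.aws/config"))
    if os.path.isfile(path):
        with open(path, encoding="utf-8") as handle:
            print(path + ":", role_profiles_missing_region(handle.read()))
```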

Top GitHub Comments

1 reaction
millems commented, Jan 3, 2019

A fix has been made and will go out with the next release.

0 reactions
millems commented, Jan 21, 2019

Great to hear it! Thanks for the confirmation.
