Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

InstanceProfile credentials provider causing open_basedir restriction error since 3.297.0 #2887

Closed
mensler opened this issue Feb 26, 2024 · 2 comments
Closed

InstanceProfile credentials provider causing open_basedir restriction error since 3.297.0 #2887

mensler opened this issue Feb 26, 2024 · 2 comments
Assignees
@yenfryherrerafeliz
Labels
bug This issue is a bug. investigating This issue is being investigated and/or work is in progress to resolve the issue. p2 This is a standard priority issue

Comments

@mensler
Copy link

mensler commented Feb 26, 2024

Describe the bug

With version 3.297.0 of the SDK the custom endpoint for IMDS was introduced in the InstanceProfileProvider.
It calls ConfigurationResolver::resolve() with the option use_aws_shared_config_files set to true, which causes an ErrorException because of the open_basedir setting.

Expected Behavior

The config option use_aws_shared_config_files should not be set to true, but reflect the client setting instead, so no error is thrown because of open_basedir restrictions.

Current Behavior

ErrorException: is_readable(): open_basedir restriction in effect. File(/usr/share/httpd/.aws/config) is not within the allowed path(s): (/var/www/:/tmp/:/usr/share/GeoIP/)
#38 [internal](0): is_readable
#37 /vendor/aws/aws-sdk-php/src/Configuration/ConfigurationResolver.php(111): Aws\Configuration\ConfigurationResolver::ini
#36 /vendor/aws/aws-sdk-php/src/Configuration/ConfigurationResolver.php(47): Aws\Configuration\ConfigurationResolver::resolve
#35 /vendor/aws/aws-sdk-php/src/Credentials/InstanceProfileProvider.php(368): Aws\Credentials\InstanceProfileProvider::resolveEndpoint
#34 /vendor/aws/aws-sdk-php/src/Credentials/InstanceProfileProvider.php(252): Aws\Credentials\InstanceProfileProvider::request
#33 /vendor/aws/aws-sdk-php/src/Credentials/InstanceProfileProvider.php(107): Aws\Credentials\InstanceProfileProvider::Aws\Credentials\{closure}
#32 [internal](0): Generator::current
#31 /vendor/guzzlehttp/promises/src/Coroutine.php(71): GuzzleHttp\Promise\Coroutine::__construct
#30 /vendor/guzzlehttp/promises/src/Coroutine.php(86): GuzzleHttp\Promise\Coroutine::of
#29 /vendor/aws/aws-sdk-php/src/Credentials/InstanceProfileProvider.php(101): Aws\Credentials\InstanceProfileProvider::__invoke
#28 /vendor/aws/aws-sdk-php/src/Credentials/CredentialProvider.php(214): Aws\Credentials\CredentialProvider::Aws\Credentials\{closure}

Reproduction Steps

  • Restrict open_basedir in php.ini with excluded Apache working directory.
  • Example code to trigger the error:
$CredentialsProvider = CredentialProvider::memoize(CredentialProvider::instanceProfile());
$credentials = call_user_func($CredentialsProvider)->wait();

Possible Solution

No response

Additional Information/Context

No response

SDK version used

3.299.1

Environment details (Version of PHP (php -v)? OS name and version, etc.)

PHP 8.2, Amazon Linux 2
@mensler mensler added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 26, 2024
@yenfryherrerafeliz yenfryherrerafeliz self-assigned this Feb 26, 2024
@yenfryherrerafeliz yenfryherrerafeliz added p2 This is a standard priority issue investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Feb 26, 2024
This was referenced Feb 29, 2024
Closed
Merged
@stobrien89
Copy link
Member

Hi @mensler,

This should be fixed by #2894, which will be available in today's release. Please let us know if you're still having issues!

@github-actions GitHub Actions
Copy link

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@yenfryherrerafeliz yenfryherrerafeliz

Labels
bug This issue is a bug. investigating This issue is being investigated and/or work is in progress to resolve the issue. p2 This is a standard priority issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mensler @yenfryherrerafeliz @stobrien89