Not a bug AWS credentials

Jim Boy

Affected version: 2.2.7
If you do not set credentials in src/config.php, a stack trace is generated:
Code:
Fatal error:  Uncaught Error: Unknown named parameter $instance in /sites/bigfooty/forum/src/addons/XFAws/_vendor/aws/aws-sdk-php/src/Credentials/CredentialProvider.php:74
Stack trace:
#0 /sites/bigfooty/forum/src/addons/XFAws/_vendor/aws/aws-sdk-php/src/Credentials/CredentialProvider.php(74): call_user_func_array('self::chain', Array)
#1 /sites/bigfooty/forum/src/addons/XFAws/_vendor/aws/aws-sdk-php/src/ClientResolver.php(260): Aws\Credentials\CredentialProvider::defaultProvider(Array)
#2 /sites/bigfooty/forum/src/addons/XFAws/_vendor/aws/aws-sdk-php/src/AwsClient.php(161): Aws\ClientResolver->resolve(Array, Object(Aws\HandlerList))
#3 /sites/bigfooty/forum/src/addons/XFAws/_vendor/aws/aws-sdk-php/src/S3/S3Client.php(263): Aws\AwsClient->__construct(Array)
#4 /sites/bigfooty/forum/src/config.php(28): Aws\S3\S3Client->__construct(Array)
#5 /sites/bigfooty/forum/src/config.php(36): XF\App->{closure}()
#6 /sites/bigfooty/forum/src/XF/FsMounts.php(19): XF\App->{closure}()
#7 /sites/bigfooty/forum/src/XF/App.php(1100): XF\FsMounts::loadDefaultMounts(Array)
#8 /sites/bigfooty/forum/src/XF/Container.php(30): XF\App->XF\{closure}(Object(XF\Container))
#9 /sites/bigfooty/forum/src/XF/App.php(2585): XF\Container->offsetGet('fs')
#10 /sites/bigfooty/forum/src/XF.php(932): XF\App->fs()
#11 /sites/bigfooty/forum/src/XF/Util/File.php(740): XF::fs()
#12 /sites/bigfooty/forum/src/XF/Error.php(102): XF\Util\File::installLockExists()
#13 /sites/bigfooty/forum/src/XF/App.php(2356): XF\Error->logException(Object(Error), true, '')
#14 /sites/bigfooty/forum/src/XF.php(196): XF\App->logException(Object(Error), true)
#15 [internal function]: XF::handleException(Object(Error))
#16 {main}
  thrown in /sites/bigfooty/forum/src/addons/XFAws/_vendor/aws/aws-sdk-php/src/Credentials/CredentialProvider.php on line 74

Fatal error:  Uncaught Error: Unknown named parameter $instance in /sites/bigfooty/forum/src/addons/XFAws/_vendor/aws/aws-sdk-php/src/Credentials/CredentialProvider.php:74
Stack trace:
#0 /sites/bigfooty/forum/src/addons/XFAws/_vendor/aws/aws-sdk-php/src/Credentials/CredentialProvider.php(74): call_user_func_array('self::chain', Array)
#1 /sites/bigfooty/forum/src/addons/XFAws/_vendor/aws/aws-sdk-php/src/ClientResolver.php(260): Aws\Credentials\CredentialProvider::defaultProvider(Array)
#2 /sites/bigfooty/forum/src/addons/XFAws/_vendor/aws/aws-sdk-php/src/AwsClient.php(161): Aws\ClientResolver->resolve(Array, Object(Aws\HandlerList))
#3 /sites/bigfooty/forum/src/addons/XFAws/_vendor/aws/aws-sdk-php/src/S3/S3Client.php(263): Aws\AwsClient->__construct(Array)
#4 /sites/bigfooty/forum/src/config.php(28): Aws\S3\S3Client->__construct(Array)
#5 /sites/bigfooty/forum/src/config.php(36): XF\App->{closure}()
#6 /sites/bigfooty/forum/src/XF/FsMounts.php(19): XF\App->{closure}()
#7 /sites/bigfooty/forum/src/XF/App.php(1100): XF\FsMounts::loadDefaultMounts(Array)
#8 /sites/bigfooty/forum/src/XF/Container.php(30): XF\App->XF\{closure}(Object(XF\Container))
#9 /sites/bigfooty/forum/src/XF/App.php(2585): XF\Container->offsetGet('fs')
#10 /sites/bigfooty/forum/src/XF.php(932): XF\App->fs()
#11 /sites/bigfooty/forum/src/XF/Util/File.php(740): XF::fs()
#12 /sites/bigfooty/forum/src/XF/Error.php(102): XF\Util\File::installLockExists()
#13 /sites/bigfooty/forum/src/XF/App.php(2356): XF\Error->logException(Object(ErrorException), true, '')
#14 /sites/bigfooty/forum/src/XF.php(236): XF\App->logException(Object(ErrorException), true)
#15 [internal function]: XF::handleFatalError()
#16 {main}
  thrown in /sites/bigfooty/forum/src/addons/XFAws/_vendor/aws/aws-sdk-php/src/Credentials/CredentialProvider.php on line 74
i.e. doing
Code:
$s3 = function () {
   return new \Aws\S3\S3Client(['region' => 'us-west-2', 'version' => 'latest', 'endpoint' => 'https://s3.us-west-2.amazonaws.com']);
};
instead of
Code:
$s3 = function () {
   return new \Aws\S3\S3Client(['credentials' => ['key' => '[APIKEY]', 'secret' => '[APISECRET]'], 'region' => 'us-west-2', 'version' => 'latest', 'endpoint' => 'https://s3.us-west-2.amazonaws.com']);
};
XF uses Flysystem S3Client, which does not require username and secret. See https://flysystem.thephpleague.com/v1/docs/adapter/aws-s3-v3/
OK, maybe not strictly a bug, but getting users to create IAM users and record login credentials instead of using roles is extremely bad security and definitely not in line with AWS best practice.
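
An added example, not part of the original post and not code from the AWS SDK or the XFAws add-on: on PHP 8, `call_user_func_array()` treats string array keys as named parameters, which is consistent with the `Unknown named parameter $instance` error at frame #0 of the trace when no `credentials` entry is supplied. It assumes the vendored SDK passes a string-keyed provider list to its chain function; `chain()`, `providers()`, `resolve()` and the `EXAMPLE_ACCESS_KEY` variable are hypothetical stand-ins.

```php
<?php
// Added illustration: a simplified stand-in for a credential provider chain,
// not code from the AWS SDK or the XFAws add-on. Requires PHP 8.0 or later.
declare(strict_types=1);

/** Like the callee in frame #0, takes its providers via func_get_args(). */
function chain(): array
{
    foreach (func_get_args() as $provider) {
        $creds = $provider();
        if ($creds !== null) {
            return $creds;            // first provider with credentials wins
        }
    }
    throw new RuntimeException('no provider returned credentials');
}

/** Constructed providers: static keys from the environment, then a role. */
function providers(): array
{
    $env = function (): ?array {
        $key = getenv('EXAMPLE_ACCESS_KEY');   // hypothetical variable name
        return $key === false ? null : ['source' => 'env', 'key' => $key];
    };
    $role = fn (): ?array => ['source' => 'instance-role', 'key' => 'TEMP-PLACEHOLDER'];

    // One positional entry plus one string key, mirroring "$instance" in the error.
    return [$env, 'instance' => $role];
}

/** Resolve credentials, optionally dropping the string keys first. */
function resolve(bool $stripKeys): string
{
    $args = $stripKeys ? array_values(providers()) : providers();
    try {
        return 'credentials from ' . call_user_func_array('chain', $args)['source'];
    } catch (Error $e) {
        // PHP 8 maps string keys to named parameters; chain() declares none.
        return 'Error: ' . $e->getMessage();
    }
}

echo resolve(false), PHP_EOL;  // string key reaches chain() as a named argument
echo resolve(true), PHP_EOL;   // positional arguments only
```

On PHP 7 the string keys are ignored and both calls succeed, so a library written this way only starts failing after the runtime is upgraded underneath it.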
 
I’m not entirely sure this is under our control.

Purportedly you are passing valid values into the Flysystem adapter but it is the AWS SDK itself which seems to be falling over.

XF itself is not involved in the requirements of either the Flysystem adapter or the AWS SDK. As long as you are configuring the adapter in a valid way and your environment is set up in such a way that authentication is taking place via some alternative approach that doesn’t require a key or secret then it should work. If it doesn’t work then that would be an issue with your configuration or with the AWS library itself.

If you become certain that your environment configuration is correct it may be worth posting in the S3 resource for further support. If the AWS SDK is out of date then we can perhaps ship an updated copy within that add-on. Otherwise this would be a support issue for that library itself, which you can find on GitHub.
 
XF itself is not involved in the requirements of either the Flysystem adapter or the AWS SDK.
Updating libraries is in your control - you're using a version of the AWS SDK that was released in November 2018 (3.71.6). A lot has changed in that time in that library, including a lot of security bugs. It's now gotten so old and out-of-date that it is pretty much not fit-for-purpose.
 
If you become certain that your environment configuration is correct it may be worth posting in the S3 resource for further support. If the AWS SDK is out of date then we can perhaps ship an updated copy within that add-on.
My environment is fine, have worked in the AWS space for long enough to know how to set up environments correctly. Doing a manual install of the Flysystem S3 Adaptor pulls in version 3.209.16 (edit - of the AWS PHP SDK). You're using a library that is 3+ years old and 140+ versions behind. And that has serious security implications, such as the inability for XF to properly handle AWS credentials. And there are functional issues as well, so yes please, ship an up-to-date library, and that should apply for all your bundled third-party libraries. Managing supply-chain vulnerabilities is a tiresome but essential task.
 
My point was - and remains to be - merely that this isn’t an issue in the XF code so discussing it in the context of a bug report is not appropriate.

There is a resource here where you downloaded the XFAws add-on, and it gives the instructions on how to set it up.

That is the most appropriate place to discuss any issues.

Although worth noting that if you check that out you will notice the AWS library was already updated to a much more recent version in November.

Did you skip that upgrade?
 
Mine's running on AWS and I didn't need to run any add-on, so I don't see why that's needed here. It's been rock solid since I set it up months ago (famous last words).

This add-on seems to be causing unnecessary problems.
 
It doesn’t cause problems though? Are you not using the files that are downloadable from the S3 guide and resource in the resource manager too? You kinda need it to be able to interface with Amazon S3. It is an add-on but it supplies a couple of third party libraries to enable it to work.
 