Athena 1.93 broken with assumed roles

[jdelStrother]

Describe the bug

With Athena 1.93, trying to perform requests with an assumed role breaks with undefined method 'account_id'.

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

Requests succeed when using an assumed role

Current Behavior

aws-sdk-athena-1.93.0/lib/aws-sdk-athena/plugins/endpoints.rb:54:in `with_metrics': undefined method `account_id' for #<struct Aws::STS::Types::Credentials access_key_id="xxxx", secret_access_key="yyyyy", expiration=2024-09-23 16:26:58 UTC> (NoMethodError)

          if context.config.credentials&.credentials&.account_id
                                                    ^^^^^^^^^^^^
	from aws-sdk-athena-1.93.0/lib/aws-sdk-athena/plugins/endpoints.rb:43:in `call'
	from aws-sdk-core-3.207.0/lib/aws-sdk-core/plugins/endpoint_discovery.rb:84:in `call'
	from aws-sdk-core-3.207.0/lib/seahorse/client/plugins/endpoint.rb:46:in `call'
	from aws-sdk-core-3.207.0/lib/aws-sdk-core/plugins/param_validator.rb:26:in `call'
	from aws-sdk-core-3.207.0/lib/seahorse/client/plugins/raise_response_errors.rb:16:in `call'
	from aws-sdk-core-3.207.0/lib/aws-sdk-core/plugins/checksum_algorithm.rb:111:in `call'
	from aws-sdk-core-3.207.0/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:16:in `call'
	from aws-sdk-core-3.207.0/lib/aws-sdk-core/plugins/invocation_id.rb:16:in `call'
	from aws-sdk-core-3.207.0/lib/aws-sdk-core/plugins/idempotency_token.rb:19:in `call'
	from aws-sdk-core-3.207.0/lib/aws-sdk-core/plugins/param_converter.rb:26:in `call'
	from aws-sdk-core-3.207.0/lib/seahorse/client/plugins/request_callback.rb:89:in `call'
	from aws-sdk-core-3.207.0/lib/aws-sdk-core/plugins/response_paging.rb:12:in `call'
	from aws-sdk-core-3.207.0/lib/seahorse/client/plugins/response_target.rb:24:in `call'
	from aws-sdk-core-3.207.0/lib/aws-sdk-core/plugins/telemetry.rb:39:in `block in call'
	from aws-sdk-core-3.207.0/lib/aws-sdk-core/telemetry/no_op.rb:29:in `in_span'
	from aws-sdk-core-3.207.0/lib/aws-sdk-core/plugins/telemetry.rb:53:in `span_wrapper'
	from aws-sdk-core-3.207.0/lib/aws-sdk-core/plugins/telemetry.rb:39:in `call'
	from aws-sdk-core-3.207.0/lib/seahorse/client/request.rb:72:in `send_request'
	from aws-sdk-athena-1.93.0/lib/aws-sdk-athena/client.rb:3139:in `start_query_execution'
	from aws-role.rb:17:in `<main>'

Reproduction Steps

#!/usr/bin/env ruby
# frozen_string_literal: true

require "bundler/inline"

gemfile do
  source "https://rubygems.org"
  gem "ox"
  gem "aws-sdk-core"
  gem "aws-sdk-athena", "1.93.0"
end

creds = Aws::STS::Client.new.assume_role(
  role_arn: ENV.fetch("ROLE_ARN"),
  role_session_name: "test"
)
pp Aws::Athena::Client.new(credentials: creds).start_query_execution(query_string: "SELECT 1")

run with, eg,

$ AWS_REGION=eu-west-1 \ 
  AWS_ACCESS_KEY_ID=xxx \
  AWS_SECRET_KEY=yyy \ 
  ROLE_ARN=arn:aws:iam::123:role/athena-access \
 ruby aws-role.rb

Possible Solution

No response

Additional Information/Context

This works fine with v1.92 of the aws-sdk-athena gem

Gem name ('aws-sdk', 'aws-sdk-resources' or service gems like 'aws-sdk-s3') and its version

aws-sdk-athena 1.93.0
aws-sdk-core 3.207.0

Environment details (Version of Ruby, OS environment)

ruby 3.2.4

[alextwoods]

We're sorry you've run into that - this looks like a potential regression introduced by accountId endpoints which assumed that the configured credentials were an AWS SDK for Ruby Credentials object, rather than the response returned by clients.

In general, we recommend that you use supported credentials objects - in this case, you can use the AssumeRoleCredentials which will give you automatic refreshing of the credentials as well!

We will investigate a solution as well.

[jdelStrother]

... Yeah, I was about to say that it actually seems ok if I pass an ::Aws::AssumeRoleCredentials rather than the assume_role response.

Thanks for the tip - I'll look into moving to AssumeRoleCredentials everywhere.

[mullermp]

Sorry about this. The credentials option is documented to be a credentials provider type or an Aws::Credentials. It's kind of confusing to distinguish those two things and something we hope to fix in a major version.

[mullermp]

Unless there are more reports of this, I'm inclined not to make a change. We do document already that credentials should be classes from core (credentials provider for example).

[jdelStrother]

That sounds reasonable. I was trying to find out where I got the assume_role workflow from in the first place, but can't find it - it was quite a while back that we first set it up. The current documentation looks good to me.

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.