Hey team, Looking at config issues when pushing docker images, I’m wondering about what approach would be most suitable (see https://pantsbuild.slack.com/archives/C046T6T9U/p1642075724264000?thread_ts=1642008872.220800&cid=C046T6T9U)

The easy thing is to set/inherit HOME and be done with it, but is that an OK approach?

something to be aware of: that would work with local execution, but would not work with remote execution.

Because it would mean storing credentials in the remote workers, which is a security risk?

that and just configuring remote machines to have the credentials in the first place

Btw, the process can already access ~/.aws/credentials. Pants can't (currently) stop the process from reaching out to any arbitrary file on the machine. It just throws off relative paths by running in

/tmp

So I don't think you need to do anything new to get ~/.aws/credentials working. You only need to set up

env

appropriately like to get

sh

discoverable

but would not work with remote execution

not sure that would be an issue here, though, as the

publish

processer are run as interactive processes, which implies local, iiuc?

Yeah that's true

Not sure I follow entirely, but FWIW, you would probably set AWS config via env variables when working with remote machines / CI, rather than the config files. E.g.

AWS_ACCESS_KEY

,

AWS_SECRET_ACCESS_KEY

,

AWS_DEFAULT_PROFILE

and the like. This would obviously work locally as well as a workaround but it’s just another step to manage. In my org, we have AWS access tied to enterprise SSO. We use a tool which reads the config file, uses chromium to login and scrape the SAML cookie, does an API call to AWS, gets an access token, and saves that to

~/.aws/credentials

. For Jenkins, we have an IAM service account which can assume a role, and the Jenkins plugin handles setting the env vars.