open_basedir restriction in effect because of reading .aws/config from the home directory

[MMSs]

AWS SDK seems to constantly try to load configuration from ~/.aws/config, but accessing the user's home directory is prohibited in php configuration.

Adding AWS_CSM_ENABLED environment variable mentioned in #1659 was not enough to resolve the issue, but it did reduced the number of thrown warnings from 4 to 1. The last warning I couldn't get around is mentioned below.

Version of AWS SDK for PHP?

aws/aws-sdk-php 3.129.1

Version of PHP (php -v)?

PHP 7.2.24

What issue did you see?

AWS S3Client is trying to read configuration from the user's home directory, which is out of the open_basedir scope, and throwing the following warning:

Warning: is_readable(): open_basedir restriction in effect. File(/home/myuser/.aws/config) is not within the allowed path(s): (/xxx/) in /xxx/vendor/aws/aws-sdk-php/src/S3/UseArnRegion/ConfigurationProvider.php on line 65
Call Stack
#	Time	Memory	Function	Location
1	0.0009	397736	{main}( )	.../index.php:0
2	0.0017	399672	require( '/xxx/web/wp/wp-blog-header.php' )	.../index.php:5
3	1.8510	45760064	require_once( '/xxx/web/wp/wp-includes/template-loader.php' )	.../wp-blog-header.php:19
4	1.8552	45880224	include( '/xxx/web/app/themes/my-theme/templates/mytemplate.php' )	.../template-loader.php:98
5	5.7255	52761536	get_template_part( )	.../mytemplate.php:21
6	5.7255	52762032	locate_template( )	.../general-template.php:168
7	5.7255	52762144	load_template( )	.../template.php:671
8	5.7265	52778296	require( '/xxx/web/app/themes/my-theme/functions/myfunctions.php' )	.../template.php:724
9	5.7297	52818728	get_kpi_from_s3_file_object( )	.../myfunctions.php:31
10	5.7305	52820288	get_s3_file_object( )	.../mytemplate.php:451
11	5.7370	53145592	Aws\S3\S3Client->__construct( )	.../mytemplate.php:426
12	5.7392	53189248	Aws\S3\S3Client->__construct( )	.../S3Client.php:325
13	5.7427	53628368	Aws\ClientResolver->resolve( )	.../AwsClient.php:187
14	5.8011	57970240	Aws\S3\S3Client::_apply_use_arn_region( )	.../ClientResolver.php:314
15	5.8062	58053488	GuzzleHttp\Promise\Promise->wait( )	.../S3Client.php:406
16	5.8062	58053488	GuzzleHttp\Promise\Promise->waitIfPending( )	.../Promise.php:62
17	5.8062	58053488	GuzzleHttp\Promise\Promise->invokeWaitList( )	.../Promise.php:225
18	5.8062	58053488	GuzzleHttp\Promise\Promise->waitIfPending( )	.../Promise.php:267
19	5.8062	58053488	GuzzleHttp\Promise\Promise->invokeWaitFn( )	.../Promise.php:223
20	5.8062	58053488	GuzzleHttp\Promise\TaskQueue->run( )	.../Promise.php:246
21	5.8062	58053512	GuzzleHttp\Promise\RejectedPromise::GuzzleHttp\Promise\{closure:/xxx/vendor/guzzlehttp/promises/src/RejectedPromise.php:36-49}( )	.../TaskQueue.php:47
22	5.8062	58053512	Aws\S3\UseArnRegion\ConfigurationProvider::Aws\S3\UseArnRegion\{closure:/xxx/vendor/aws/aws-sdk-php/src/S3/UseArnRegion/ConfigurationProvider.php:64-90}( )	.../RejectedPromise.php:40
23	5.8062	58053512	is_readable ( )	.../ConfigurationProvider.php:65

Steps to reproduce

1. set open_basedir to specific folders list that does not include the user home directory.
2. make sure error reporting is turned on.
3. Create a Wordpress theme filter
4. Add an S3Client instance initializer with a set of your personal credential configs

<?php
$client = new S3Client([
    'credentials' => [
        'key' => env('AWS_KEY'),
        'secret' => env('AWS_SECRET'),
    ],
    'region' => $aws['s3bucket']['options']['region'],
    'version' => '2006-03-01',
]);

5. Open the browser to the page that would trigger the theme filter you just created
6. See the warning mentioned above.

Additional context

Using the following versions:
wordpress 5.3
league/flysystem 1.0.61
league/flysystem-aws-s3-v3 1.0.23 Flysystem

[srchase]

In addition to csm, s3_us_east_1_regional_endpoint and use_arn_region are also attempted to be read from .aws/config. Setting env variables, AWS_S3_US_EAST_1_REGIONAL_ENDPOINT and AWS_S3_USE_ARN_REGION , or config values for these will prevent .aws/config from being read entirely.

I've tagged this as a feature request to support AWS_CONFIG_FILE. That environment variable would allow setting a non-standard location for the config file, for compatibility with open_basedir restrictions.

[MMSs]

Defining AWS_S3_USE_ARN_REGION=false worked on its own for me, but I would very much appreciate being able to overwrite the default config file path in an environment variable instead of disabling features as this is not a practical solution.

[srchase]

@howardlopez has a PR up for this in #1939

[holorhythms]

@MMSs Thanks for the feedback. The implementing PR (#1939) has been merged and will be included in the next release.

[Finesse]

What to set to AWS_CONFIG_FILE if I don't even have a configuration file? The code worked fine until I updated AWS SDK recently.

Copy-paste solutions for googlers:

• Set the environment variable to any path (including not existing) inside open_basedir. To do it, add this line before creating an S3Client object:

  putenv('AWS_CONFIG_FILE='.__DIR__.'/dirtyHack.ini');

  It solves all the similar errors at the moment.
• Or if you don't want the SDK to scan the disk, you can provide configurations explicitly:

  $s3Client = new Aws\S3\S3Client([
      // ...
  
      // Resolves this issue
      'use_arn_region' => \Aws\S3\UseArnRegion\ConfigurationProvider::fallback(),
  
      // Resolve other similar errors
      'csm' => \Aws\ClientSideMonitoring\ConfigurationProvider::fallback(),
      'retries' => \Aws\Retry\ConfigurationProvider::fallback(),
      's3_us_east_1_regional_endpoint' => \Aws\S3\RegionalEndpoint\ConfigurationProvider::fallback(),
  ]);

  The default configurations are provided in this example.

[richard015ar]

It worked for me:

use Aws\Credentials\CredentialProvider;

$s3Client = new S3Client([
    //...
    'credentials' => CredentialProvider::env(),
]);

More info: https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_credentials_provider.html#env-provider