tools-deps

Discuss tools.deps.alpha, tools.build, and the clj/clojure command-line scripts! See also #depstar #clj-new
Jakub Holý 2021-06-25T12:45:58.329600Z

Hi! Does deps check for and download new snapshots automatically or do I / can I tell it to do so? Searching for "snapshot" at https://clojure.org/reference/deps_and_cli#_resolve_deps does not find much. 🙏

alexmiller 2021-06-25T12:47:33.330700Z

You can use -Sforce to force the cp to be recomputed

alexmiller 2021-06-25T12:48:01.331400Z

It will use the default snapshot update policy which is daily

alexmiller 2021-06-25T12:49:08.332500Z

If you want more new than that, you’ll need to remove portions of your local maven cache

alexmiller 2021-06-25T12:50:00.333500Z

I believe we have an existing ticket to allow setting the snapshot policy or more control over this

2021-06-25T12:55:29.334Z

is it possible to configure update policy using global maven settings.xml?

alexmiller 2021-06-25T13:34:35.334600Z

well tools.deps doesn't use that for this so won't matter

dharrigan 2021-06-25T13:47:13.335200Z

Does deps have support for s3p:// repos, aka private s3 repositories?

dharrigan 2021-06-25T13:47:56.335900Z

A lein plugin, which our company uses is this <https://github.com/s3-wagon-private/s3-wagon-private> and I'm trying to convert a project.clj to deps.clj

2021-06-25T13:49:28.336600Z

just drop the p from the end of the protocol and it should work out of the box… iirc s3p is an old deprecated protocol

dharrigan 2021-06-25T13:51:13.337Z

I will retry that, for it failed when I did it

dharrigan 2021-06-25T13:51:58.337300Z

hmmm, strange

dharrigan 2021-06-25T13:52:06.337700Z

I have this in my deps.edn...

dharrigan 2021-06-25T13:52:25.338100Z

:mvn/repos {"foo-releases" {:url "s3://maven.foobar.com/releases"}
             "foo-snapshots" {:url "s3://maven.foobar.com/snapshots"}}}

dharrigan 2021-06-25T13:52:34.338300Z

but the resolution does this:

dharrigan 2021-06-25T13:53:36.339100Z

Downloading: foo/components/0.2.0/components-0.2.0.pom from foo-releases
Downloading: foo/components/0.2.0/components-0.2.0.pom from foo-snapshots
Downloading: org/clojure/clojure/maven-metadata.xml from foo-snapshots
Downloading: org/clojure/clojure/maven-metadata.xml from foo-releases
Downloading: foo/components/0.2.0/components-0.2.0.jar from foo-releases
Downloading: foo/components/0.2.0/components-0.2.0.jar from foo-snapshots
Error building classpath. Could not find artifact foo:components:jar:0.2.0 in central (https://repo1.maven.org/maven2/)

dharrigan 2021-06-25T13:54:59.340100Z

Not sure what is going on at all, why is it calling out to maven central (no artifact has been downloaded)

2021-06-25T14:01:50.341Z

I’m pretty sure that’s just because it looks for the deps on all repos, which is why you’re seeing that

dharrigan 2021-06-25T14:04:06.341700Z

Okay, a fallback. Fair enough. However, it appears not to be able to download the artifact on s3.

alexmiller 2021-06-25T14:07:53.341800Z

it's not deprecated, it's just specific to that leiningen plugin. that's not a "real" thing

alexmiller 2021-06-25T14:08:35.342400Z

correct on the error message - it cycles through all repos and will report only the last error

dharrigan 2021-06-25T14:08:54.343Z

Ah, I think I've also discovered why it didn't download

dharrigan 2021-06-25T14:08:56.343200Z

double checking

alexmiller 2021-06-25T14:08:56.343300Z

is that a private s3 repo or public?

dharrigan 2021-06-25T14:08:59.343500Z

private

alexmiller 2021-06-25T14:09:09.343800Z

and you provided auth ?

dharrigan 2021-06-25T14:09:20.344100Z

that's what I'm double checking atm 🙂

dharrigan 2021-06-25T14:09:26.344300Z

verifying my setup

alexmiller 2021-06-25T14:10:31.345Z

also important is that the AWS creds you use have a policy that allows s3 ops

dharrigan 2021-06-25T14:10:56.345300Z

yup, all that works with lein, I'm doing a conversion to deps

alexmiller 2021-06-25T14:11:13.345800Z

but your log snippet above shows it successfully downloading stuff from the repo

dharrigan 2021-06-25T14:11:37.346Z

No, it didn't

dharrigan 2021-06-25T14:11:48.346300Z

it created the directories, but didn't download anything.

dharrigan 2021-06-25T14:11:56.346600Z

so that message is misleading

dharrigan 2021-06-25T14:12:40.347300Z

(I wouldn't report it not downloading anything, without first checking if the directories actually contained stuff)

alexmiller 2021-06-25T14:13:03.348100Z

do you have metadata files in there or are they literally empty?

dharrigan 2021-06-25T14:13:07.348300Z

literally empty

dharrigan 2021-06-25T14:13:43.349100Z

metadata would have indicated that it yes, downloaded something (then my question would have been different, i.e., why metadata but no jar...)

alexmiller 2021-06-25T14:14:04.349400Z

can you try again with -Sforce ?

dharrigan 2021-06-25T14:14:09.349700Z

That's what I have been using

alexmiller 2021-06-25T14:14:14.350Z

ok

dharrigan 2021-06-25T14:14:44.350700Z

So, I got it to download now, like this:

alexmiller 2021-06-25T14:14:45.350800Z

where are you putting AWS creds?

dharrigan 2021-06-25T14:15:31.351800Z

in my .m2/settings.xml I had the username/password set to my access key and secret access key (when I first attempted to verify that the conversion from project.clj to deps.clj was okay)

dharrigan 2021-06-25T14:15:39.352100Z

(following the instructions on the <https://clojure.org/reference/deps_and_cli#_maven_s3_repos> link)

dharrigan 2021-06-25T14:15:49.352600Z

that didn't work (see eyes passim)

dharrigan 2021-06-25T14:15:57.352800Z

but then I removed the u/p combo

dharrigan 2021-06-25T14:16:01.353Z

and used this way

dharrigan 2021-06-25T14:16:16.353200Z

aws-vault exec foo -- clj -Sforce

alexmiller 2021-06-25T14:16:37.353600Z

what's aws-vault?

dharrigan 2021-06-25T14:16:38.353700Z

then that worked

dharrigan 2021-06-25T14:16:53.354Z

<https://github.com/99designs/aws-vault>

dharrigan 2021-06-25T14:17:22.354400Z

it does stuff in the background to set up credentials and environment variables

dharrigan 2021-06-25T14:17:39.354800Z

(but <shrug> I'm quite new to using it too, it's used at a company I've just joined)

alexmiller 2021-06-25T14:17:51.355Z

I see

alexmiller 2021-06-25T14:17:58.355300Z

temporary ambient creds

dharrigan 2021-06-25T14:18:36.355800Z

right, it has things like this

dharrigan 2021-06-25T14:18:41.356Z

aws-vault list

dharrigan 2021-06-25T14:18:56.356500Z

aws-vault list
Profile                  Credentials              Sessions
=======                  ===========              ========
default                  -                        -
dharrigan                -                        -
foo                      foo                      sts.GetSessionToken:5h54m59s
foo:staging              -                        -

alexmiller 2021-06-25T14:19:25.357100Z

may be that whatever your ambient aws creds were were getting used over the user/pw creds

dharrigan 2021-06-25T14:20:15.358100Z

I think it's the session credentials that should replace what was in the .m2/settings.xml, (I've removed the access key/secret key combo from the .m2/settings.xml)

dharrigan 2021-06-25T14:22:06.358500Z

If I do this:

dharrigan 2021-06-25T14:22:09.358800Z

❯ aws-vault exec foo -- env | rg AWS  
_=/usr/bin/aws-vault
AWS_VAULT=foo
AWS_DEFAULT_REGION=eu-west-1
AWS_REGION=eu-west-1
AWS_ACCESS_KEY_ID=wibble
AWS_SECRET_ACCESS_KEY=wobble
AWS_SESSION_TOKEN=wibble-session
AWS_SECURITY_TOKEN=wobble-sesion
AWS_SESSION_EXPIRATION=2021-06-25T20:08:23Z

dharrigan 2021-06-25T14:22:42.359600Z

I can see that a lot of env variables are set, which I suppose the S3Transporter uses to successfully download the jar.

dharrigan 2021-06-25T14:25:49.361500Z

Should this be documented for those who come after me? A company that has a security policy like this, that requires that session tokens are gained and used, will affect anyone trying to download from s3 without this knowledge.

alexmiller 2021-06-25T14:35:39.361700Z

should what be documented?

alexmiller 2021-06-25T14:36:24.362Z

s3 ambient creds are discussed in the docs

dharrigan 2021-06-25T14:37:34.362100Z

The instructions on the <https://clojure.org/reference/deps_and_cli#_maven_s3_repos> for accessing private s3 repos do not take into account temporary session credentials

dharrigan 2021-06-25T14:38:52.362400Z

I don't think this "For authenticated repos, AWS credentials can be set in the ~/.m2/settings.xml on a per-server basis or will be loaded ambiently from the AWS credential chain (env vars, etc)." is quite sufficient detail

dharrigan 2021-06-25T14:39:08.362700Z

they certainly hint at it, but don't expound upon it

alexmiller 2021-06-25T14:56:41.363500Z

I'm not sure what's special about the temporariness of the credentials

alexmiller 2021-06-25T14:58:00.363900Z

this is the relevant part:

AWS S3 credentials can be set in the environment using one of these mechanisms:

    Set the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

    Create a default profile in the AWS credentials file ~/.aws/credentials (older ~/.aws/config also supported).

    Create a named profile in the AWS credentials file and set the environment variable AWS_PROFILE with its name.

    Amazon ECS container and instance profile credentials should also work, but have not been tested.

For more information, most of the advice in this AWS document describes how credentials are located. Note however that the Java system properties options will NOT work with the command line tools (but would work if using the tools.deps.alpha library directly).

alexmiller 2021-06-25T14:59:25.364400Z

so, I think it does expound on it?

dharrigan 2021-06-25T15:00:17.365500Z

It's missing information on the session tokens, which are used in tandem with the access key and secret access key - but only under specific circumstances, i.e., when there is an AssumeRole going on.

dharrigan 2021-06-25T15:01:04.366200Z

(otherwise, the access key and secret access key, set in the .m2/settings.xml under username/password would have worked out-of-the-box)

dharrigan 2021-06-25T15:02:27.367300Z

I'm highlighting a gap in the explanation that I came across. With the thought of being helpful to others in the future, who may encounter this too, I thought it would be beneficial to document it somewhere.

alexmiller 2021-06-25T15:10:25.367900Z

so you're talking about user/pw being insufficient when using session tokens

dharrigan 2021-06-27T17:01:58.387400Z

Hi, Sorry for the delay. Family and trying to reproduce the situation cleanly. On a clean OS, the only way I could get the artifacts to download from the private S3 repository was to ensure that there was no username/password set in the .m2/settings.xml and use aws-vault foo exec -- clj -Sforce to download the items. If I had the username/password set, it would not download (it would say it was downloading, create empty directories, but not actually download the items)

dharrigan 2021-06-27T17:03:22.387700Z

So, yes, a full set of AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, AWS_SECURITY_TOKEN etc., are required.

dharrigan 2021-06-27T17:04:07.387900Z

I think this comes into play when a role doesn't have the ability to download, and has to temporarily assume the role (by using aws-vault for example, to ensure the correct ENV variables are set)

dharrigan 2021-06-27T17:04:08.388100Z

.

dharrigan 2021-06-27T17:04:11.388300Z

I hope that helps.

dharrigan 2021-06-25T15:32:57.368800Z

I think so yes, it wasn't sufficient for me when I had them in the .m2/settings.xml. However, let me validate that again by doing another test. I'll report back 🙂