Failed to load AWS_PROFILE when using trivy vm ami:<ami_id> #6372

Closed
1 of 2 tasks
nikpivkin opened this issue Mar 22, 2024 Discussed in #6370 · 6 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning

Comments

@nikpivkin
Contributor

Discussed in #6370

Originally posted by wangzhihaocom March 22, 2024

Description

After I ran export AWS_PROFILE=some_profile and then ran the command trivy vm to scan an AMI, I got the following error:

2024-03-21T19:04:42.318Z INFO Need to update DB
2024-03-21T19:04:42.318Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2024-03-21T19:04:42.318Z INFO Downloading DB...
44.49 MiB / 44.49 MiB [---------------------------------------------------------------------------------------------] 100.00% 16.19 MiB p/s 2.9s
2024-03-21T19:04:45.685Z INFO Vulnerability scanning is enabled
2024-03-21T19:04:45.685Z INFO Secret scanning is enabled
2024-03-21T19:04:45.685Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-21T19:04:45.685Z INFO Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-03-21T19:04:45.701Z FATAL vm scan error: scan error: unable to initialize a scanner: unable to initialize a vm scanner: aws config load error: failed to get shared config profile, dev-cloud-iam-infra

But with the same AWS_PROFILE, I can use my aws cli command; this is the output:

aws s3 ls --profile dev-cloud-iam-infra

2024-02-08 21:04:51 cf-templates-j1vskhoonux6-ap-east-1
2024-02-08 20:19:54 cf-templates-j1vskhoonux6-ap-northeast-1
2024-02-08 22:41:46 cf-templates-j1vskhoonux6-ap-southeast-1
2024-02-22 00:25:55 cf-templates-j1vskhoonux6-us-east-1
2023-11-15 21:33:05 cf-templates-j1vskhoonux6-us-east-2
2024-03-21 18:00:56 infstones-logs-dev-cloud
2024-02-29 18:44:58 infstones-logs-test-dev-cloud

It seems something is wrong with trivy when exporting AWS_PROFILE; also, there is no aws_profile flag option when using trivy.

Desired Behavior

After export AWS_PROFILE=some__aws_profile, trivy should scan the VM with that aws_profile.

Actual Behavior

The actual behavior is:

  1. export AWS_PROFILE=dev-cloud-iam-infra
  2. When I run the scan trivy vm -d --aws-region us-east-2 ami:ami-0130c365b91184af1
  3. I got this error

zhihao@ip-172-0-1-30 ~ (⎈|dev-cloud-eks-cluster-infpools-io:N/A) ~$ trivy vm -d --aws-region us-east-2 ami:ami-0130c365b91184af1
2024-03-21T19:15:52.130Z DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-03-21T19:15:52.132Z DEBUG Ignore statuses {"statuses": null}
2024-03-21T19:15:52.137Z DEBUG Timeout is set to less than 30 min - upgrading to 30 min for this command.
2024-03-21T19:15:52.140Z DEBUG cache dir: /home/zhihao/snap/trivy/271/.cache/trivy
2024-03-21T19:15:52.140Z DEBUG DB update was skipped because the local DB is the latest
2024-03-21T19:15:52.140Z DEBUG DB Schema: 2, UpdatedAt: 2024-03-21 18:10:27.594557904 +0000 UTC, NextUpdate: 2024-03-22 00:10:27.594557554 +0000 UTC, DownloadedAt: 2024-03-21 19:04:45.684887737 +0000 UTC
2024-03-21T19:15:52.140Z INFO Vulnerability scanning is enabled
2024-03-21T19:15:52.140Z DEBUG Vulnerability type: [os library]
2024-03-21T19:15:52.141Z INFO Secret scanning is enabled
2024-03-21T19:15:52.141Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-21T19:15:52.141Z INFO Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-03-21T19:15:52.141Z DEBUG Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-03-21T19:15:52.141Z DEBUG No secret config detected: trivy-secret.yaml
2024-03-21T19:15:52.141Z DEBUG The nuget packages directory couldn't be found. License search disabled
2024-03-21T19:15:52.181Z FATAL vm scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.Run
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:445

  • scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
    /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:269
  • unable to initialize a scanner:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
    /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:700
  • unable to initialize a vm scanner:
    github.com/aquasecurity/trivy/pkg/commands/artifact.vmStandaloneScanner
    /home/runner/work/trivy/trivy/pkg/commands/artifact/scanner.go:118
  • aws config load error:
    github.com/aquasecurity/trivy/pkg/cloud/aws/config.LoadDefaultAWSConfig
    /home/runner/work/trivy/trivy/pkg/cloud/aws/config/config.go:39
  • failed to get shared config profile, dev-cloud-iam-infra

Reproduction Steps

1. export AWS_PROFILE=dev-cloud-iam-infra
2. trivy vm -d --aws-region us-east-2 ami:ami-0130c365b91184af1 
3. Error

Target

AWS

Scanner

Vulnerability

Output Format

None

Mode

None

Debug Output

trivy vm -d --aws-region us-east-2 ami:ami-0130c365b91184af1
2024-03-21T19:15:52.130Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-03-21T19:15:52.132Z	DEBUG	Ignore statuses	{"statuses": null}
2024-03-21T19:15:52.137Z	DEBUG	Timeout is set to less than 30 min - upgrading to 30 min for this command.
2024-03-21T19:15:52.140Z	DEBUG	cache dir:  /home/zhihao/snap/trivy/271/.cache/trivy
2024-03-21T19:15:52.140Z	DEBUG	DB update was skipped because the local DB is the latest
2024-03-21T19:15:52.140Z	DEBUG	DB Schema: 2, UpdatedAt: 2024-03-21 18:10:27.594557904 +0000 UTC, NextUpdate: 2024-03-22 00:10:27.594557554 +0000 UTC, DownloadedAt: 2024-03-21 19:04:45.684887737 +0000 UTC
2024-03-21T19:15:52.140Z	INFO	Vulnerability scanning is enabled
2024-03-21T19:15:52.140Z	DEBUG	Vulnerability type:  [os library]
2024-03-21T19:15:52.141Z	INFO	Secret scanning is enabled
2024-03-21T19:15:52.141Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-21T19:15:52.141Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-03-21T19:15:52.141Z	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-03-21T19:15:52.141Z	DEBUG	No secret config detected: trivy-secret.yaml
2024-03-21T19:15:52.141Z	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-03-21T19:15:52.181Z	FATAL	vm scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:445
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:269
  - unable to initialize a scanner:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:700
  - unable to initialize a vm scanner:
    github.com/aquasecurity/trivy/pkg/commands/artifact.vmStandaloneScanner
        /home/runner/work/trivy/trivy/pkg/commands/artifact/scanner.go:118
  - aws config load error:
    github.com/aquasecurity/trivy/pkg/cloud/aws/config.LoadDefaultAWSConfig
        /home/runner/work/trivy/trivy/pkg/cloud/aws/config/config.go:39
  - failed to get shared config profile, dev-cloud-iam-infra

Operating System

ubuntu 22.04

Version

trivy --version
Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-03-21 18:10:27.594557904 +0000 UTC
  NextUpdate: 2024-03-22 00:10:27.594557554 +0000 UTC
  DownloadedAt: 2024-03-21 19:04:45.684887737 +0000 UTC

Checklist

@nikpivkin nikpivkin added the kind/bug Categorizes issue or PR as related to a bug. label Mar 22, 2024
@wangzhihaocom

Hi, just wondering, is there any update on this issue?

@nikpivkin nikpivkin added the scan/misconfiguration Issues relating to misconfiguration scanning label Apr 1, 2024
@simar7 simar7 added this to the v0.57.0 milestone Oct 4, 2024
@nikpivkin
Contributor Author

@simar7 I've never been able to reproduce the problem locally

@simar7
Member

simar7 commented Oct 9, 2024

@wangzhihaocom as we discussed here #6370 (comment) the only reason I can think of is your AWS is not accessible from the environment you run trivy from (maybe it isn't mounted, maybe you don't have the right permissions, etc.). It's hard for us to know the exact cause of it but based on the error message you receive, that's my best guess.
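
One way to check the hypothesis in the comment above, as an added example (not part of the thread and not Trivy's code): a helper that reports which shared config or credentials file defines a profile for a given HOME. HOME is a parameter because the debug log's cache dir sits under /home/zhihao/snap/trivy/271, so the scanner's HOME may differ from the login shell's; the function names and the demo directories are constructed here.

```bash
# Added diagnostic, not Trivy code: which AWS shared file defines a profile?

# has_section FILE HEADER: exact match on a section header line,
# ignoring surrounding whitespace and a trailing CR.
has_section() {
  awk -v want="$2" '
    { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
    $0 == want { ok = 1; exit }
    END { exit ok ? 0 : 1 }' "$1"
}

# aws_profile_sources PROFILE HOME_DIR
# Prints every file that defines PROFILE; returns 1 when none does.
# AWS_CONFIG_FILE / AWS_SHARED_CREDENTIALS_FILE override HOME_DIR/.aws/*.
aws_profile_sources() {
  local profile="$1" home="$2" found=1
  local cfg="${AWS_CONFIG_FILE:-$home/.aws/config}"
  local creds="${AWS_SHARED_CREDENTIALS_FILE:-$home/.aws/credentials}"
  # config file sections are "[profile NAME]", except "[default]"
  local header="[profile $profile]"
  if [ "$profile" = default ]; then header="[default]"; fi
  if [ -r "$cfg" ] && has_section "$cfg" "$header"; then
    echo "$cfg"; found=0
  fi
  # credentials file sections are plain "[NAME]"
  if [ -r "$creds" ] && has_section "$creds" "[$profile]"; then
    echo "$creds"; found=0
  fi
  return "$found"
}

# Constructed demo: a login HOME that defines the profile and a nested,
# sandbox-style HOME (shaped like the snap path in the log) that does not.
demo() {
  local tmp h src
  tmp=$(mktemp -d)
  mkdir -p "$tmp/login/.aws" "$tmp/login/snap/trivy/271"
  printf '[profile dev-cloud-iam-infra]\nregion = us-east-2\n' > "$tmp/login/.aws/config"
  for h in "$tmp/login" "$tmp/login/snap/trivy/271"; do
    if src=$(unset AWS_CONFIG_FILE AWS_SHARED_CREDENTIALS_FILE
             aws_profile_sources dev-cloud-iam-infra "$h"); then
      echo "HOME=$h -> defined in $src"
    else
      echo "HOME=$h -> profile not found"
    fi
  done
  rm -rf "$tmp"
}
demo
```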

@simar7 simar7 removed this from the v0.57.0 milestone Oct 9, 2024
@simar7 simar7 removed this from Trivy Roadmap Oct 9, 2024
@simar7
Member

simar7 commented Oct 9, 2024

> @simar7 I've never been able to reproduce the problem locally

@nikpivkin OK, I will remove this from the milestone then, but keep it open to see if we receive any future reports about it.

@knqyf263
Collaborator

As defined here, we should convert a discussion into an issue after we confirm it's a bug. Ideally, all issues should be actionable, meaning we know what to do and can add the task to the milestone anytime based on priority, as @simar7 did.
Since we've never successfully replicated this error, what if we close this issue and return to the discussion?

@simar7
Member

simar7 commented Oct 11, 2024

Fair point @knqyf263 - I will do so. Thank you for keeping us accountable!

@simar7 simar7 closed this as not planned Oct 11, 2024