#[SOLVED] - Env variables not found by WithExec?


lament salmon
#

I'm seeing a weird issue where the AWS credentials seemingly aren't available to `withExec`. Once I drop into the attached terminal things work fine, but the `withExec` call itself fails. Does anyone have any ideas why?

➜  node-controller git:(stobias/agent-daemon-native) ✗ dagger run -i ./ci b hw
✘ Exec failed, attaching terminal:
    container: Container!
    Container.from(address: "docker.io/amazon/aws-cli:latest@sha256:76aa4d9d249cdd8761f832ef9a12ecc081c0d1158a52fb2cc554251f41ef1901"): Container!
    Container.withSecretVariable(
    │ │ name: "AWS_ACCESS_KEY_ID"
    │ │ secret: loadSecretFromName(accessor: "6177735f6163636573735f6b6579b613679a0814d9ec772f95d778c35fc5ff1697c493715653c6c712144292c5ad", name: "aws_access_key"): Secret!
    │ ): Container!
    Container.withSecretVariable(
    │ │ name: "AWS_SECRET_ACCESS_KEY"
    │ │ secret: loadSecretFromName(accessor: "6177735f7365637265745f6b6579b613679a0814d9ec772f95d778c35fc5ff1697c493715653c6c712144292c5ad", name: "aws_secret_key"): Secret!
    │ ): Container!
    Container.withEnvVariable(name: "AWS_REGION", value: "us-west-2"): Container!
    Container.withExec(args: ["env"]): Container!
    Container.withExec(args: ["aws", "s3", "cp", "s3://tmp-ci-build-artifacts-hub-us-west-2/qcom/qairt/2.28.2.241116.tar.gz", "/tmp/2.28.2.241116.tar.gz"]): Container!

! process "aws s3 cp s3://tmp-ci-build-artifacts-hub-us-west-2/qcom/qairt/2.28.2.241116.tar.gz /tmp/2.28.2.241116.tar.gz" did not complete successfully: exit code: 1
sh-5.2# set | grep -i aws
AWS_ACCESS_KEY_ID=foo
AWS_REGION=us-west-2
AWS_SECRET_ACCESS_KEY=bar
PWD=/aws
sh-5.2# aws s3 cp s3://tmp-ci-build-artifacts-hub-us-west-2/qcom/qairt/2.28.2.241116.tar.gz /tmp/2.28.2.241116.tar.gz
download: s3://tmp-ci-build-artifacts-hub-us-west-2/qcom/qairt/2.28.2.241116.tar.gz to ../tmp/2.28.2.241116.tar.gz
sh-5.2# ls /tmp/
2.28.2.241116.tar.gz
#

Code here


// WithAWSHubCredentials returns container extended with the hub AWS
// credentials and region.
//
// The access key and secret key come from getAWSCreds(entities.HubEnv) and
// are registered with the Dagger client as named secrets, then attached with
// WithSecretVariable rather than WithEnvVariable, so the key material is
// passed to the engine as secrets instead of plain environment values.
// AWS_REGION is not sensitive and is set as an ordinary variable.
//
// It returns a nil container and a wrapped error when the credentials cannot
// be obtained.
//
// NOTE(review): only an access key and a secret key are injected. If
// getAWSCreds can return temporary credentials that require a session token,
// that token is not passed on here; confirm against getAWSCreds.
// NOTE(review): short-lived credentials must be fetched fresh for each run;
// verify that getAWSCreds does not hand back cached, expired values.
func WithAWSHubCredentials(
	client *dagger.Client,
	container *dagger.Container,
) (*dagger.Container, error) {
	keyID, keySecret, credErr := getAWSCreds(entities.HubEnv)
	if credErr != nil {
		return nil, fmt.Errorf("failed to get AWS credentials: %w", credErr)
	}

	// Register both values as named secrets on the client before attaching them.
	idSecret := client.SetSecret(AWS_ACCESS_KEY_ID, keyID)
	valueSecret := client.SetSecret(AWS_SECRET_KEY_ID, keySecret)

	withKeyID := container.WithSecretVariable("AWS_ACCESS_KEY_ID", idSecret)
	withBothKeys := withKeyID.WithSecretVariable("AWS_SECRET_ACCESS_KEY", valueSecret)
	withRegion := withBothKeys.WithEnvVariable("AWS_REGION", "us-west-2")
	return withRegion, nil
}

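// DownloadFromS3Hub copies the object at s3Path from the hub artifact bucket
// into an aws-cli container and returns the downloaded file.
//
// s3Path is the object key inside constants.HUBS3ArtifactBucket. Its last
// "/"-separated component is used as the file name, and the object is written
// to /tmp/<name> inside the container.
//
// It returns an error when s3Path is empty, when s3Path does not end in a
// usable file name, or when the AWS credentials cannot be attached. Invalid
// input is reported through the returned error: the earlier log.Fatal calls
// exited the process, which made the return statements after them unreachable
// and took the decision away from the caller.
func DownloadFromS3Hub(client *dagger.Client, s3Path string) (*dagger.File, error) {
	if s3Path == "" {
		return nil, fmt.Errorf("s3Path cannot be empty")
	}

	// Take the final path component as the file name. strings.Split never
	// returns an empty slice, so the old length check could not fire; the case
	// that needs rejecting is a key ending in "/" (empty name) or in a dot
	// segment, which would turn /tmp/<name> into a directory path.
	filename := s3Path[strings.LastIndex(s3Path, "/")+1:]
	switch filename {
	case "", ".", "..":
		return nil, fmt.Errorf("s3Path %q must end in a file name", s3Path)
	}
	filePath := "/tmp/" + filename

	// NOTE(review): ":latest" is a mutable tag, so the image that receives the
	// AWS credentials can change between runs. Pin it to a digest the team has
	// reviewed.
	awsCLI := client.Container().From("amazon/aws-cli:latest")
	ctr, err := WithAWSHubCredentials(client, awsCLI)
	if err != nil {
		// %w keeps the cause inspectable with errors.Is/As, matching the
		// wrapping used in WithAWSHubCredentials.
		return nil, fmt.Errorf("failed to set AWS credentials for s5cmd: %w", err)
	}

	source := fmt.Sprintf("s3://%s/%s", constants.HUBS3ArtifactBucket, s3Path)
	return ctr.
		// NOTE(review): debugging aid. It prints the container environment,
		// including the secret-backed variables, to the pipeline output and
		// relies on the engine to scrub the values. Remove it once the
		// credential problem is understood.
		WithExec([]string{"env"}).
		// Arguments are passed as an argv slice, not through a shell, so
		// s3Path is not subject to shell interpretation.
		WithExec([]string{"aws", "s3", "cp", source, filePath}).
		// Read the file back from the absolute path it was written to. The
		// bare file name would be looked up relative to the container's
		// working directory rather than in /tmp.
		File(filePath), nil
}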

lament salmon
#

dumb user error - found the problem 🙂

#

The temporary credentials from the Vault dynamic backend were getting cached (so the pipeline was presumably still using stale credentials).