Correct way to handle "AccessDenied" and other errors

[echelonh]

Hi there!

I'm trying to write code that assumes a role and then goes on to perform various actions with that role (e.g. read from s3 bucket).

It's pretty similar to the examples shown here:
https://github.com/awslabs/aws-sdk-rust/tree/main/examples/examples/sts/src/bin

Since the user can provide a role that I don't have permissions to assume - I want to catch an "AccessDenied" error and handle it - print something informative to the user about not having permissions.

Unfortunately, after looking at most examples online - I didn't see any way to properly handle it and access the error's code easily. Not by attempting to use provider.provide_credentials() which yiels CredentialsError, nor by calling get_caller_identity() which yields DispatchFailure.

The errors are a huge nested mess, and I honestly didn't understand how to get the access code - ugly code or not.

I'd appreciate any help - thanks a lot! 🙏

[ysaito1001]

While this isn't strictly a type-based approach, one way to determine if the returned service error is related to AccessDenied is by examining the DisplayErrorContext. These are examples in our repository showing how you can use it. You should then be able to search for an error string like AccessDenied.

[echelonh]

Hey,

Thanks for the suggestion, but this feels very far-off from what I'm trying to do. I could "grep" for certain strings, but this is a very dangerous solution, and it can be quite inaccurate.

I'm looking for something that's even slightly more formal. Also, it's very possible that AccessDenied is not the only code I'm after.

Thanks!

[ysaito1001]

handle it

You can also try using .into_service_error to turn it into a ServiceError which you can then match on.

print something informative to the user about not having permissions

For printing purposes, you should just be able to use DisplayErrorContext to print the underlying error message.

[echelonh]

Thanks for the suggestions! :)
I really appreciate you taking the time to help 🙏

I've already tried using .into_service_error() before writing this post, but after lots of trial and error where I didn't get the correct code, I figured this is the error hierarchy I get (in this example, for provide_credentials):

ProviderError(ProviderError { 
  source: ServiceError(ServiceError {
    source: Unhandled(Unhandled {
      source: ErrorMetadata {

Only Unhandled and ErrorMetadata has the code field properly set - not sure what the next step after .into_service_error should be.

Regarding the printing purposes - The consumer of the data I'm sending shouldn't be aware of anything too specific in AWS, definitely not in such detail.
DisplayErrorContext is good for my own debugging purposes, but can't be used as something informative or a protocol for my internal services to rely on.