fix: catch AuthError to an informative message

pbrisbin · pbrisbin · commit 32b1386ade0b · 2025-10-17T16:19:42.000-04:00
Before, ```console % AWS_PROFILE=x stack exec -- stackctl cat CredentialChainExhausted ``` Now, ```console % AWS_PROFILE=x stack exec -- stackctl cat 2025-10-17 18:31:44 [error ] No AWS credentials were found in your environment. For details of where stackctl looks for credentials, see: https://hackage.haskell.org/package/amazonka-2.0/docs/Amazonka-Auth.html#v:discover exception=CredentialChainExhausted ```
diff --git a/src/Stackctl/AWS/Core.hs b/src/Stackctl/AWS/Core.hs
@@ -12,6 +12,7 @@ module Stackctl.AWS.Core
   , withAssumedRole
 
     -- * Error-handling
+  , handlingAuthError
   , handlingServiceError
   , formatServiceError
 
@@ -38,6 +39,7 @@ import Amazonka
   , serviceError_code
   , serviceError_message
   , serviceError_requestId
+  , _AuthError
   , _Sensitive
   , _ServiceError
   )
@@ -49,6 +51,7 @@ import qualified Amazonka.Env as Amazonka
 import Amazonka.STS.AssumeRole
 import Control.Monad.AWS
 import Control.Monad.Logger (defaultLoc, toLogStr)
+import qualified Data.Text as T
 import Data.Typeable (typeRep)
 import Stackctl.AWS.Orphans ()
 import UnliftIO.Exception.Lens (handling)
@@ -149,6 +152,22 @@ newtype AccountId = AccountId
   }
   deriving newtype (Eq, Ord, Show, ToJSON)
 
+-- | Handle 'AuthError', log it and 'exitFailure'
+handlingAuthError :: (MonadUnliftIO m, MonadLogger m) => m a -> m a
+handlingAuthError =
+  handling _AuthError $ \e -> do
+    logError $ msg :# ["exception" .= displayException e]
+    exitFailure
+ where
+  msg =
+    "No AWS credentials were found in your environment."
+      <> continuation "For details of where stackctl looks for credentials, see:"
+      <> continuation
+        "https://hackage.haskell.org/package/amazonka-2.0/docs/Amazonka-Auth.html#v:discover"
+
+  -- Shift the continuation lines to line up with the first message line
+  continuation x = "\n" <> T.replicate 32 " " <> x
+
 -- | Handle 'ServiceError', log it and 'exitFailure'
 --
 -- This is useful at the top-level of the app, where we'd be crashing anyway. It
diff --git a/src/Stackctl/CLI.hs b/src/Stackctl/CLI.hs
@@ -13,6 +13,7 @@ import Control.Monad.AWS as AWS
 import Control.Monad.AWS.ViaReader as AWS
 import Control.Monad.Catch (MonadCatch)
 import Control.Monad.Trans.Resource (MonadResource, ResourceT, runResourceT)
+import Stackctl.AWS.Core (handlingAuthError)
 import qualified Stackctl.AWS.Core as AWS
 import Stackctl.AWS.Scope
 import Stackctl.AutoSSO
@@ -103,9 +104,12 @@ runAppT options f = do
           envLogSettings
 
   withLogger logSettings $ \appLogger -> do
-    appAwsEnv <- runWithLogger appLogger $ handleAutoSSO options $ do
-      logDebug "Discovering AWS credentials"
-      AWS.discover
+    appAwsEnv <- runWithLogger appLogger
+      $ handleAutoSSO options
+      $ handlingAuthError
+      $ do
+        logDebug "Discovering AWS credentials"
+        AWS.discover
     appConfig <- runWithLogger appLogger loadConfigOrExit
     appAwsScope <- AWS.runEnvT fetchAwsScope appAwsEnv
 
