This was quite challenging to track down. Bug report from Claude.
Summary
The standalone Nextstrain CLI bundle (~/.nextstrain/cli-standalone/) ships botocore-1.43.0 but does not bundle botocore[crt]. Any user who has a login_session entry in their ~/.aws/config (any profile, including [default]) gets a fatal MissingDependencyException from every nextstrain command that resolves AWS credentials — most prominently nextstrain login.
This is invisible to users until either (a) they configure an AWS Identity Center-style login, or (b) their cached nextstrain auth token expires and a refresh is forced through the credential chain.
Environment
- Nextstrain CLI version: 11.0.0 (standalone)
- Install path:
~/.nextstrain/cli-standalone/
- Bundled
botocore version: 1.43.0 (~/.nextstrain/cli-standalone/lib/botocore-1.43.0.dist-info)
- OS: macOS 25.0.0 (
darwin)
Reproduction
- Have a
~/.aws/config with login_session in any active profile (in my case [default]):
[default]
login_session = arn:aws:iam::<account>:user/<name>
region = us-east-1
- Run:
- Observe traceback ending in:
File "botocore.credentials", line 2750, in load
botocore.exceptions.MissingDependencyException: Missing Dependency: Using the login credential provider requires an additional dependency. You will need to pip install "botocore[crt]" before proceeding.
Root cause
In botocore 1.43.0, the new "login" credential provider (LoginCredentialProvider.load() in botocore/credentials.py) raises MissingDependencyException whenever the active profile contains login_session and awscrt is not importable. Relevant source:
def load(self):
loaded_config = self._load_config()
profile_config = profiles.get(self._profile_name, {})
if 'login_session' not in profile_config:
return None
if EC is None:
raise MissingDependencyException(
msg=\"Using the login credential provider requires an \"
\"additional dependency. You will need to pip install \"
\"\\\"botocore[crt]\\\" before proceeding.\"
)The standalone bundle's lib/ directory contains botocore but no awscrt package, so EC is None and any boto3 client construction in a session whose active profile has login_session fails fatally.
Why this is surprising / hard to diagnose
- The bug is dormant: users with a valid cached
~/.nextstrain/secrets token never hit it, even after login_session is added to AWS config. It only fires when a credential refresh is forced.
- The error blames
pip install \"botocore[crt]\", but for standalone-bundle users pip install has no effect — they don't own the Python environment that owns the failing import.
nextstrain update cli does not currently fix it, since the latest standalone bundle still has the same issue.
Suggested fix
Bundle awscrt into the standalone distribution, equivalent to building the bundle from botocore[crt] (or boto3[crt]) rather than botocore/boto3 alone. This adds a single Rust-compiled wheel (awscrt, ~3 MiB) to the bundle.
User-side workaround (for the docs, until fix lands)
Either:
- Remove the offending
[default] profile from ~/.aws/config (or move login_session into a named non-default profile and rely on AWS_PROFILE to opt in), or
- Install a pip-based
nextstrain-cli with pip install \"nextstrain-cli\" \"boto3[crt]\" into a Python environment of your choice.
This was quite challenging to track down. Bug report from Claude.
Summary
The standalone Nextstrain CLI bundle (
~/.nextstrain/cli-standalone/) shipsbotocore-1.43.0but does not bundlebotocore[crt]. Any user who has alogin_sessionentry in their~/.aws/config(any profile, including[default]) gets a fatalMissingDependencyExceptionfrom everynextstraincommand that resolves AWS credentials — most prominentlynextstrain login.This is invisible to users until either (a) they configure an AWS Identity Center-style login, or (b) their cached nextstrain auth token expires and a refresh is forced through the credential chain.
Environment
~/.nextstrain/cli-standalone/botocoreversion: 1.43.0 (~/.nextstrain/cli-standalone/lib/botocore-1.43.0.dist-info)darwin)Reproduction
~/.aws/configwithlogin_sessionin any active profile (in my case[default]):Root cause
In
botocore 1.43.0, the new "login" credential provider (LoginCredentialProvider.load()inbotocore/credentials.py) raisesMissingDependencyExceptionwhenever the active profile containslogin_sessionandawscrtis not importable. Relevant source:The standalone bundle's
lib/directory containsbotocorebut noawscrtpackage, soEC is Noneand any boto3 client construction in a session whose active profile haslogin_sessionfails fatally.Why this is surprising / hard to diagnose
~/.nextstrain/secretstoken never hit it, even afterlogin_sessionis added to AWS config. It only fires when a credential refresh is forced.pip install \"botocore[crt]\", but for standalone-bundle userspip installhas no effect — they don't own the Python environment that owns the failing import.nextstrain update clidoes not currently fix it, since the latest standalone bundle still has the same issue.Suggested fix
Bundle
awscrtinto the standalone distribution, equivalent to building the bundle frombotocore[crt](orboto3[crt]) rather thanbotocore/boto3alone. This adds a single Rust-compiled wheel (awscrt, ~3 MiB) to the bundle.User-side workaround (for the docs, until fix lands)
Either:
[default]profile from~/.aws/config(or movelogin_sessioninto a named non-default profile and rely onAWS_PROFILEto opt in), ornextstrain-cliwithpip install \"nextstrain-cli\" \"boto3[crt]\"into a Python environment of your choice.