99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments

Support for custom STS endpoint

TheNamesJF opened this issue · comments

Greetings!

It looks like aws-vault doesn't support a custom STS endpoint.

I need to specify a custom STS endpoint because the host has NO Internet access.
Note that the host is a server outside AWS (aka on-prem).
Debug shows it uses the regular public-facing endpoint sts.amazonaws.com:

aws-vault exec --debug jfb_test
2022/10/07 11:03:17 aws-vault v6.6.0
2022/10/07 11:03:17 Loading config file /home/jfb/.aws/config
2022/10/07 11:03:17 Parsing config file /home/jfb/.aws/config
2022/10/07 11:03:17 [keyring] Considering backends: [file]
2022/10/07 11:03:17 [keyring] Expanded file dir to /home/jfb/.awsvault/keys/
2022/10/07 11:03:17 profile jfb_test: using stored credentials
2022/10/07 11:03:17 profile jfb_test: using GetSessionToken
2022/10/07 11:03:17 [keyring] Expanded file dir to /home/jfb/.awsvault/keys/
2022/10/07 11:03:17 [keyring] Expanded file dir to /home/jfb/.awsvault/keys/
2022/10/07 11:03:17 [keyring] Expanded file dir to /home/jfb/.awsvault/keys/
2022/10/07 11:03:17 Looking up keyring for 'jfb_test'
2022/10/07 11:03:17 [keyring] Expanded file dir to /home/jfb/.awsvault/keys/
2022/10/07 11:03:17 [keyring] Expanded file dir to /home/jfb/.awsvault/keys/
Enter passphrase to unlock "/home/jfb/.awsvault/keys/":
2022/10/07 11:03:20 Looking up keyring for 'jfb_test'
2022/10/07 11:03:20 [keyring] Expanded file dir to /home/jfb/.awsvault/keys/
2022/10/07 11:03:20 [keyring] Expanded file dir to /home/jfb/.awsvault/keys/
2022/10/07 11:03:22 Looking up keyring for 'jfb_test'
2022/10/07 11:03:22 [keyring] Expanded file dir to /home/jfb/.awsvault/keys/
2022/10/07 11:03:22 [keyring] Expanded file dir to /home/jfb/.awsvault/keys/
aws-vault: error: exec: Failed to get credentials for jfb_test: operation error STS: GetSessionToken, exceeded maximum number of attempts, 3, https response error StatusCode: 0, RequestID: , request send failed, Post "https://sts.us-east-1.amazonaws.com/": unexpected EOF

Obviously, the same applies if I try a role:
aws-vault: error: exec: Failed to get credentials for role: operation error STS: AssumeRole, exceeded maximum number of attempts, 3, https response error StatusCode: 0, RequestID: , request send failed, Post "https://sts.us-east-1.amazonaws.com/": unexpected EOF

FYI, this is how it needs to be done, without Vault:

aws --endpoint-url https://vpce-0[REDACTED]13c-vBLAHk-us-east-1a.sts.us-east-1.vpce.amazonaws.com sts get-caller-identity
{
    "Account": "111122223333",
    "UserId": "AIDAEXAMPLEBLAH",
    "Arn": "arn:aws:iam::111122223333:user/jfb_test"
}

aws --endpoint-url https://vpce-0[REDACTED]13c-vBLAHk-us-east-1a.sts.us-east-1.vpce.amazonaws.com sts assume-role --role-arn arn:aws:iam::111122223333:role/rol_grafana_monitoring --role-session-name blah
{
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLE:blah",
        "Arn": "arn:aws:sts::111122223333:assumed-role/rol_grafana_monitoring/blah"
    },
    "Credentials": {
        "SecretAccessKey": "MjHmdk[REDACTED]8OgiQ+RX",
        "SessionToken": "IQoJ[REDACTED][REDACTED][REDACTED][REDACTED][REDACTED][REDACTED]ItQEwbtEKK3Q=",
        "Expiration": "2022-10-07T16:32:36Z",
        "AccessKeyId": "ASIA[REDACTED]"
    }
}
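The request above is for aws-vault to honor an endpoint override the way the AWS CLI's `--endpoint-url` does. The following Go example is added here and is not aws-vault's code: it shows how a credential tool can resolve and validate such an override before any STS call is signed. It assumes a hypothetical per-profile setting (passed in as `profileOverride`) and the `AWS_ENDPOINT_URL_STS` environment variable as the fallback; the precedence order is an assumption of this example. The security-relevant part is the validation: an override is only accepted if it is HTTPS and names an AWS STS host (regional public endpoint or a PrivateLink `*.sts.<region>.vpce.amazonaws.com` host like the one in the issue), and the region embedded in the host must agree with the profile's region, since SigV4 signs against a region. The VPC endpoint hostname in `main` is constructed for the example, not a real endpoint.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Hostname shapes accepted for an STS endpoint override (lower-cased before matching).
var (
	// Regional public endpoint, e.g. sts.us-east-1.amazonaws.com; group 1 is the region.
	publicSTS = regexp.MustCompile(`^sts\.([a-z]{2}(?:-gov)?-[a-z]+-\d)\.amazonaws\.com$`)
	// PrivateLink endpoint, regional or zonal form, e.g.
	// vpce-0abc13c-vblahk-us-east-1a.sts.us-east-1.vpce.amazonaws.com; group 1 is the region.
	vpceSTS = regexp.MustCompile(`^vpce-[0-9a-f]+-[0-9a-z]+(?:-[a-z]{2}(?:-gov)?-[a-z]+-\d[a-z])?\.sts\.([a-z]{2}(?:-gov)?-[a-z]+-\d)\.vpce\.amazonaws\.com$`)
)

// STSEndpoint is the resolved target: the URL STS requests are posted to and the
// region used to sign them.
type STSEndpoint struct {
	URL    string
	Region string
}

// ResolveSTSEndpoint picks the endpoint for a profile. Precedence (assumed for this
// example, not aws-vault's own logic): explicit profile override, then the
// AWS_ENDPOINT_URL_STS environment value, then the regional public endpoint.
func ResolveSTSEndpoint(profileOverride, envOverride, region string) (STSEndpoint, error) {
	raw := profileOverride
	if raw == "" {
		raw = envOverride
	}
	if raw == "" {
		if region == "" {
			return STSEndpoint{}, errors.New("no region configured and no STS endpoint override")
		}
		return STSEndpoint{URL: "https://sts." + region + ".amazonaws.com/", Region: region}, nil
	}
	return ValidateSTSEndpoint(raw, region)
}

// ValidateSTSEndpoint rejects anything that is not an https AWS STS host, so a
// mis-typed or malicious override can never receive long-lived credentials or
// the session tokens STS returns. It also derives the signing region from the host
// and refuses a mismatch with the profile's configured region.
func ValidateSTSEndpoint(raw, configuredRegion string) (STSEndpoint, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return STSEndpoint{}, fmt.Errorf("invalid STS endpoint %q: %w", raw, err)
	}
	if u.Scheme != "https" {
		return STSEndpoint{}, fmt.Errorf("STS endpoint %q must use https", raw)
	}
	if u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return STSEndpoint{}, fmt.Errorf("STS endpoint %q must not carry userinfo, query or fragment", raw)
	}
	host := strings.ToLower(u.Hostname())
	var region string
	if m := vpceSTS.FindStringSubmatch(host); m != nil {
		region = m[1]
	} else if m := publicSTS.FindStringSubmatch(host); m != nil {
		region = m[1]
	} else {
		return STSEndpoint{}, fmt.Errorf("STS endpoint host %q is not an AWS STS endpoint", host)
	}
	if configuredRegion != "" && configuredRegion != region {
		return STSEndpoint{}, fmt.Errorf("STS endpoint %q serves %s but the profile region is %s", raw, region, configuredRegion)
	}
	return STSEndpoint{URL: u.String(), Region: region}, nil
}

func main() {
	// Constructed inputs: a PrivateLink override like the one in the issue, and two
	// overrides that must be refused (plain http, and a look-alike host).
	inputs := []string{
		"https://vpce-0abc13c-vblahk-us-east-1a.sts.us-east-1.vpce.amazonaws.com",
		"http://vpce-0abc13c-vblahk-us-east-1a.sts.us-east-1.vpce.amazonaws.com",
		"https://sts.us-east-1.amazonaws.com.example.invalid/",
	}
	for _, in := range inputs {
		ep, err := ResolveSTSEndpoint(in, "", "us-east-1")
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("accepted: %s (sign for %s)\n", ep.URL, ep.Region)
	}
}
```

The matching is anchored at both ends and applied to the parsed hostname only, so suffix tricks such as `sts.us-east-1.amazonaws.com.example.invalid` and userinfo tricks such as `https://sts.us-east-1.amazonaws.com@other.host/` are both refused; the region check catches an endpoint that is genuinely AWS but in the wrong region, which would otherwise fail later with a signature error that is hard to debug.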

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.