[Feature Request] Support `aws-vault login` for `credential_process` returning temporary credentials
cj-christoph-gysin opened this issue · comments
Similar to #1087, I would like to use aws-vault to start console sessions from cached credentials created by an external process.
Hey @christophgysin1 this should be working in https://github.com/99designs/aws-vault/releases/tag/v7.0.0-alpha1
My issue seems to be that my process only returns temporary credentials, which can't be used to get a federation token.
So my credential_process doesn't return master credentials. But IIUC it should still be possible to generate a console login URL from these. Any chance this can be supported in aws-vault?
If you can point me in the right direction, I'll happily try to put a PR together.
Since 2ae26fe I now have a workaround:
$ aws-vault exec profile-with-credential-process -- aws-vault login
That successfully logs me in. However:
$ aws-vault login profile-with-credential-process
aws-vault: error: login: profile profile-with-credential-process: No master credentials found
So login doesn't require master credentials. Any chance we can fix the latter?
This isn't what you're asking for, but I think it accomplishes the desired effect:
# Override functionality of aws-vault: route `aws-vault login` through
# `aws-vault exec`, so login runs with the profile's already-resolved credentials
alias aws-vault="awsvault"
function awsvault() {
    case $1 in
        login)
            shift
            # call the real binary: exec the profile, then log in from its credentials
            command aws-vault exec "$@" -- aws-vault login
            ;;
        *)
            # every other subcommand passes through unchanged
            command aws-vault "$@";;
    esac
}
It seems to me that there is no requirement for using master credentials to acquire a federation token. I created a PR that fixes this and still seems to work for all my other profiles.
I've tried a few approaches.
I first tried only using a federation token if no session token exists, in #1170. It didn't work for profiles without a role_arn.
I then tried this, where we use a federation token always unless AssumeRole or SSO is being used. But it seems GetFederationToken cannot be used without master creds:
$ ./aws-vault login myprofile
aws-vault: error: login: Failed to get credentials: operation error STS: GetFederationToken, https response error StatusCode: 403, RequestID: 6fab2675-d571-4b21-8032-edc9e394b6db, api error AccessDenied: Cannot call GetFederationToken with session credentials
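The distinction the thread converges on, as an added example in Go (not aws-vault's own code): session credentials handed back by a credential_process cannot be used with GetFederationToken, so a console login has to pass them straight to the federation endpoint's getSigninToken action, while long-term keys still go through GetFederationToken first. Fetching the sign-in token over HTTP is left to the caller; the endpoint and parameter names follow the AWS console federation documentation, and the credential values are constructed samples.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Credentials as returned by a credential_process (its JSON field names).
type Credentials struct {
	AccessKeyID     string `json:"AccessKeyId"`
	SecretAccessKey string `json:"SecretAccessKey"`
	SessionToken    string `json:"SessionToken,omitempty"`
}

// IsTemporary reports whether these are STS session credentials.
func (c Credentials) IsTemporary() bool { return c.SessionToken != "" }

// NeedsFederationToken: GetFederationToken rejects session credentials
// (AccessDenied), so only long-term (master) keys take that path.
func NeedsFederationToken(c Credentials) bool { return !c.IsTemporary() }

// SigninTokenURL builds the federation-endpoint request that exchanges
// temporary credentials for a sign-in token (getSigninToken action).
// durationSeconds <= 0 omits SessionDuration.
func SigninTokenURL(c Credentials, durationSeconds int) (string, error) {
	if !c.IsTemporary() {
		return "", fmt.Errorf("federation endpoint needs temporary credentials; call GetFederationToken first")
	}
	session, err := json.Marshal(map[string]string{
		"sessionId": c.AccessKeyID, "sessionKey": c.SecretAccessKey, "sessionToken": c.SessionToken,
	})
	if err != nil {
		return "", err
	}
	q := url.Values{}
	q.Set("Action", "getSigninToken")
	if durationSeconds > 0 {
		q.Set("SessionDuration", fmt.Sprint(durationSeconds))
	}
	q.Set("Session", string(session))
	return "https://signin.aws.amazon.com/federation?" + q.Encode(), nil
}

// LoginURL is the final console URL once the sign-in token has been fetched.
func LoginURL(signinToken, destination, issuer string) string {
	q := url.Values{"Action": {"login"}, "Issuer": {issuer}, "Destination": {destination}, "SigninToken": {signinToken}}
	return "https://signin.aws.amazon.com/federation?" + q.Encode()
}
```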