99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments

[Feature Request] Support `aws-vault login` for `credential_process` returning temporary credentials

cj-christoph-gysin opened this issue · comments

Similar to #1087, I would like to use aws-vault to start console sessions from cached credentials created by an external process.

My issue seems to be that my process only returns temporary credentials, which can't be used to get a federation token.

So my credential_process doesn't return master credentials. But IIUC it should still be possible to generate a console login URL from these. Any chance this can be supported in aws-vault?

If you can point me in the right direction, I'll happily try to put a PR together.

Since 2ae26fe I now have a workaround:

$ aws-vault exec profile-with-credential-process -- aws-vault login

That successfully logs me in. However:

$ aws-vault login profile-with-credential-process
aws-vault: error: login: profile profile-with-credential-process: No master credentials found

So login doesn't require master credentials. Any chance we can fix the latter?

This isn't what you're asking for, but I think it accomplishes the desired effect:

# Override functionality of aws-vault
alias aws-vault="awsvault"
function awsvault() {
  case $1 in
    login)
      shift
      command aws-vault exec "$@" -- aws-vault login
      ;;
    *)
      command aws-vault "$@";;
  esac
}

It seems to me that there is no requirement for using master credentials to acquire a federation token. I created a PR that fixes this and still seems to work for all my other profiles.

I've tried a few approaches.

I first tried only using a federation token if no session token exists in #1170. It didn't work for profiles without a role_arn.

I then tried this, where we always use a federation token unless AssumeRole or SSO is being used. But it seems GetFederationToken cannot be used without master creds:

$ ./aws-vault login myprofile
aws-vault: error: login: Failed to get credentials: operation error STS: GetFederationToken, https response error StatusCode: 403, RequestID: 6fab2675-d571-4b21-8032-edc9e394b6db, api error AccessDenied: Cannot call GetFederationToken with session credentials
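The thread converges on one rule: credentials that carry a session token are already temporary, so a console login must not route them through sts:GetFederationToken (STS answers AccessDenied, as shown above) and should instead hand them straight to the console federation endpoint, which is what the `exec ... -- aws-vault login` workaround ends up doing. The Go program below is an added example written for this page, not aws-vault's own code. It uses only the standard library and sends no requests: it picks the strategy from the credential shape and builds the two federation-endpoint URLs (`Action=getSigninToken` with a `Session` JSON of `sessionId`/`sessionKey`/`sessionToken`, then `Action=login` with the returned `SigninToken`), which are the documented parameter names of the AWS sign-in federation endpoint. The `Credentials` type and the key values in `main` are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Credentials is the minimal credential set a credential_process hands back.
// AccessKeyID and SecretAccessKey alone are long-lived ("master") credentials;
// a non-empty SessionToken marks them as temporary STS credentials.
// (Constructed type for this example, not aws-vault's own.)
type Credentials struct {
	AccessKeyID     string
	SecretAccessKey string
	SessionToken    string
}

const federationEndpoint = "https://signin.aws.amazon.com/federation"

// IsTemporary reports whether the credentials carry a session token.
func (c Credentials) IsTemporary() bool { return c.SessionToken != "" }

// ConsoleStrategy decides how a console login URL should be obtained.
// Long-lived credentials go through sts:GetFederationToken first; temporary
// credentials must skip it (STS rejects GetFederationToken called with session
// credentials) and are passed to the federation endpoint as-is.
func ConsoleStrategy(c Credentials) (string, error) {
	switch {
	case c.AccessKeyID == "" || c.SecretAccessKey == "":
		return "", errors.New("incomplete credentials")
	case c.IsTemporary():
		return "session-credentials", nil
	default:
		return "federation-token", nil
	}
}

// SigninTokenURL builds the getSigninToken request for temporary credentials.
// The caller performs the HTTP GET and reads the SigninToken from the JSON
// reply; nothing is sent from here.
func SigninTokenURL(c Credentials) (string, error) {
	if !c.IsTemporary() {
		return "", errors.New("getSigninToken needs temporary credentials; obtain them via GetFederationToken first")
	}
	session, err := json.Marshal(map[string]string{
		"sessionId":    c.AccessKeyID,
		"sessionKey":   c.SecretAccessKey,
		"sessionToken": c.SessionToken,
	})
	if err != nil {
		return "", err
	}
	q := url.Values{}
	q.Set("Action", "getSigninToken")
	q.Set("Session", string(session))
	return federationEndpoint + "?" + q.Encode(), nil
}

// LoginURL turns a SigninToken into the console URL the browser opens.
func LoginURL(signinToken, issuer, destination string) string {
	q := url.Values{}
	q.Set("Action", "login")
	q.Set("Issuer", issuer)
	q.Set("Destination", destination)
	q.Set("SigninToken", signinToken)
	return federationEndpoint + "?" + q.Encode()
}

func main() {
	// Constructed sample in the shape a credential_process returning
	// temporary credentials would produce (placeholder values, not real keys).
	creds := Credentials{
		AccessKeyID:     "ASIAEXAMPLEEXAMPLE",
		SecretAccessKey: "example-secret-key",
		SessionToken:    "example-session-token",
	}
	strategy, err := ConsoleStrategy(creds)
	if err != nil {
		panic(err)
	}
	fmt.Println("strategy:", strategy)
	step1, _ := SigninTokenURL(creds)
	fmt.Println("step 1 (GET, returns SigninToken):", step1)
	fmt.Println("step 2 (open in browser):",
		LoginURL("<SigninToken from step 1>", "aws-vault", "https://console.aws.amazon.com/"))
}
```

Running it prints the strategy and both URLs for the constructed temporary credentials; feeding it long-lived credentials (no session token) makes `ConsoleStrategy` return `federation-token` and `SigninTokenURL` refuse, which is the branch where GetFederationToken belongs.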