v7.0.0 doesn't support `credentials_process` from shared profile when no session is active
dgholz opened this issue · comments
- I am using the latest release of AWS Vault
- I have provided my `.aws/config` (redacted if necessary)
- I have provided the debug output using `aws-vault --debug` (redacted if necessary)
I've tried the new release and can't use profiles that assume roles.

My config:

```ini
[profile my-shared-base-profile]
credential_process=aws-vault exec my-shared-base-profile -j
mfa_serial=arn:aws:iam::1234567890:mfa/danielholz
region=eu-west-1
[profile profile-with-role]
source_profile=my-shared-base-profile
include_profile=my-shared-base-profile
region=eu-west-1
role_arn=arn:aws:iam::12345678901:role/allow-view-only-access-from-other-accounts
```
I ran `aws-vault clear` to drop any active sessions. After that, `aws-vault` seems to hang when trying to use it to get the credentials:
```text
$ aws-vault --debug exec my-shared-base-profile -- aws sts get-caller-identity
2023/03/06 17:09:14 aws-vault v7.0.0
2023/03/06 17:09:14 Using prompt driver: osascript
2023/03/06 17:09:14 Loading config file /Users/danielholz/.aws/config
2023/03/06 17:09:14 Parsing config file /Users/danielholz/.aws/config
2023/03/06 17:09:14 [keyring] Considering backends: [keychain]
2023/03/06 17:09:14 Using region "eu-west-1" from AWS_DEFAULT_REGION
2023/03/06 17:09:14 Profile 'default' missing in config file
2023/03/06 17:09:14 profile my-shared-base-profile: using credential process
2023/03/06 17:09:14 Setting subprocess env: AWS_REGION=eu-west-1, AWS_DEFAULT_REGION=eu-west-1
2023/03/06 17:09:14 [keyring] Querying keychain for service="aws-vault", keychain="login.keychain"
2023/03/06 17:09:14 [keyring] Found 2 results
2023/03/06 17:09:14 [keyring] Querying keychain for service="aws-vault", keychain="login.keychain"
2023/03/06 17:09:14 [keyring] Found 2 results
2023/03/06 17:09:14 [keyring] Querying keychain for service="aws-vault", account="credential_process,ZGV2a2l0LXNlY3VyaXR5,,-62135596800", keychain="login.keychain"
2023/03/06 17:09:14 [keyring] No results found
[waited 2 minutes, Ctrl-C]
```
I can get it to work by logging in with a previous version of aws-vault first & not clearing the session.

I can also get it to work by removing the `credential_process` line from the `my-shared-base-profile`, but then I can't use `AWS_PROFILE` or `aws --profile`:

```text
$ aws --profile profile-with-role sts get-caller-identity
The source profile "my-shared-base-profile" must have credentials.
```
I see this use case documented in USAGE.md, and I can't see how what I'm doing differs. Is this still working?
Switching the command to the new `aws-vault export --format=json my-shared-base-profile` didn't change the behaviour, nor did using `--no-session` (with `exec` and with `export`).
I'm facing the same problem today. I ran `brew update && brew upgrade` this morning and now aws-cli commands no longer work - I also use `credential_process` on my profiles (in `~/.aws/config`).

A simple `aws --profile MYPROFILE s3 ls` (or using `aws-vault` directly) takes several minutes to show the following error:

```text
aws-vault: error: exec: Failed to get credentials for MYPROFILE: running command "aws-vault exec MYPROFILE --json --no-session": exit status 1
```

Removing the `credential_process` fixes the issue, but unfortunately I depend on `credential_process` for other reasons.
> `[profile my-shared-base-profile] credential_process=aws-vault exec my-shared-base-role -j`

@dgholz your config doesn't show any `[profile my-shared-base-role]` as is referred to in your credential_process. Can you provide it?

What does running `aws-vault exec my-shared-base-role -j` yourself give you?
> I see this use case documented in USAGE.md, and I can't see how what I'm doing differs. Is this still working?

Where in USAGE do you see this?
> @dgholz your config doesn't show any `[profile my-shared-base-role]` as is referred to in your credential_process. Can you provide it?

typo when redacting, should have been `my-shared-base-profile`. I updated the config I shared in the original post.

> Where in USAGE do you see this?
@dgholz I believe what you want is something like this for v7:

```ini
[profile base]
mfa_serial=arn:aws:iam::121212121212:mfa/myusername
region=eu-west-1
[profile base-session]
credential_process=sh -c 'aws-vault --prompt terminal export base --duration 12h --format=json 2> $(tty)'
[profile somerole]
role_arn=arn:aws:iam::242424242424:role/cross-account-role
source_profile=base-session
```

This works for me (and my team) on different platforms and allows the MFA credentials to be cached. If I understand correctly, `somerole` invokes `base-session`, which invokes `aws-vault` through `credential_process` and exports the `base` profile. The `tty` redirect trick is to ensure things like Terraform pick it up and prompt for the MFA challenge when needed.

I do end up with a duplicate session at the moment when `aws-vault` is invoked through the SDK (e.g. by calling `aws --profile somerole s3 ls`):

```text
Profile       Credentials   Sessions
=======       ===========   ========
base          base          sts.GetSessionToken:7h24m21s
base-session  -             credential_process:7h24m21s
```

but that should be fixed by whatever is decided in #1181. With v6 I would just get the `sts.GetSessionToken`, which is what I expect we'll get back once the new `credential_process` name overload part can be disabled.
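As an added illustration (not code from the aws-vault project or anyone in this thread), the following Python linter parses profiles in the `~/.aws/config` format, follows `source_profile` and aws-vault `credential_process` hops, and marks a chain that re-enters a profile or points at an undefined one, using constructed inline copies of both configs posted above. How it extracts the profile name from an aws-vault command (first non-flag word after `exec`/`export`, one `sh -c` wrapper unwrapped) is a heuristic assumption, not aws-vault's own parsing.

```python
import configparser, shlex
# Constructed inline copy of the layout suggested above (not read from a real ~/.aws/config).
SUGGESTED = """
[profile base]
mfa_serial=arn:aws:iam::121212121212:mfa/myusername
[profile base-session]
credential_process=sh -c 'aws-vault --prompt terminal export base --duration 12h --format=json 2> $(tty)'
[profile somerole]
role_arn=arn:aws:iam::242424242424:role/cross-account-role
source_profile=base-session
"""

# Constructed inline copy of the reporter's layout, where credential_process names its own profile.
ORIGINAL = """
[profile my-shared-base-profile]
credential_process=aws-vault exec my-shared-base-profile -j
[profile profile-with-role]
source_profile=my-shared-base-profile
role_arn=arn:aws:iam::12345678901:role/allow-view-only-access-from-other-accounts
"""

def load_profiles(text):
    # "[profile NAME]" sections; '=' as the only delimiter keeps ARNs containing ':' intact.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return {s.removeprefix("profile "): dict(cp[s]) for s in cp.sections()}

def aws_vault_target(command):
    # Heuristic (assumption): the profile is the first non-flag word after 'exec'/'export'; one 'sh -c' wrapper is unwrapped.
    words = shlex.split(command) if command else []
    if words[:2] == ["sh", "-c"] and len(words) > 2:
        words = shlex.split(words[2])
    if not words or words[0] != "aws-vault":
        return None
    for sub in ("exec", "export"):
        if sub in words:
            return next((w for w in words[words.index(sub) + 1:] if not w.startswith("-")), None)

def resolve_chain(profiles, name, seen=()):
    # Profiles consulted, in order, for `name`; a re-entered or undefined profile ends the chain with a marker.
    chain = list(seen) + [name]
    if name in seen:
        return chain + ["<LOOP>"]
    if name not in profiles:
        return chain + ["<MISSING>"]
    nxt = profiles[name].get("source_profile") or aws_vault_target(profiles[name].get("credential_process"))
    return resolve_chain(profiles, nxt, chain) if nxt else chain

def lint(text):
    profiles = load_profiles(text)
    return {name: " -> ".join(resolve_chain(profiles, name)) for name in profiles}
```

Running `lint(SUGGESTED)` yields `somerole -> base-session -> base`, while `lint(ORIGINAL)` ends both of the reporter's profiles with `<LOOP>` because `my-shared-base-profile` re-enters itself through its own `credential_process`.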
Thanks, that is exactly the approach we're taking.
A pre-release fix has been released: v7.0.2-beta2. Can you please test this and confirm that it fixes this issue?
I had this same issue and v7.0.2-beta2 release fixed it.
Fixed in #1183