99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments


Web identity + role fails to validate in the 7.0.0 release

lstoll opened this issue · comments

  • I am using the latest release of AWS Vault
  • I have provided my .aws/config (redacted if necessary)
  • I have provided the debug output using aws-vault --debug (redacted if necessary)

After upgrading to 7.0.0, we're seeing errors:

aws-vault: error: exec: Error getting temporary credentials: profile 'XXXX' has more than one source of credentials

This appears to be related to some new validation code (aws-vault/vault/config.go, lines 684 to 709 in ec5e53c):

```go
func (c *ProfileConfig) Validate() error {
	if c.HasSSOSession() && !c.HasSSOStartURL() {
		return fmt.Errorf("profile '%s' has sso_session but no sso_start_url", c.ProfileName)
	}
	n := 0
	if c.HasSSOStartURL() {
		n++
	}
	if c.HasWebIdentity() {
		n++
	}
	if c.HasCredentialProcess() {
		n++
	}
	if c.HasSourceProfile() {
		n++
	} else if c.HasRole() {
		n++
	}
	if n > 1 {
		return fmt.Errorf("profile '%s' has more than one source of credentials", c.ProfileName)
	}
	return nil
}
```

which counts both a role and a web_identity_token_process as two independent sources. However, the web identity provider requires both of these to be set: #587 (comment)

I'm not sure what the motivation for the new validation check was, but I'm guessing we need to only increment the count for a role when the web identity file/process is not set.
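To make the counting problem concrete, here is an added, self-contained Go example (not aws-vault's code and not the project's eventual fix) that reimplements the quoted Validate logic over a reduced stand-in for ProfileConfig and lets you switch between the 7.0.0 counting and the change proposed above. The struct, its field names, the helper names and the sample profiles are constructed for this example; only the counting rules and error strings follow the quoted snippet.

```go
package main

import (
	"fmt"
)

// ProfileConfig is a reduced stand-in for the struct in aws-vault/vault/config.go
// (hypothetical, constructed for this example): only the fields the check reads are kept.
type ProfileConfig struct {
	ProfileName             string
	SSOSession              string
	SSOStartURL             string
	WebIdentityTokenFile    string
	WebIdentityTokenProcess string
	CredentialProcess       string
	SourceProfile           string
	RoleARN                 string
}

func (c *ProfileConfig) HasSSOSession() bool        { return c.SSOSession != "" }
func (c *ProfileConfig) HasSSOStartURL() bool       { return c.SSOStartURL != "" }
func (c *ProfileConfig) HasCredentialProcess() bool { return c.CredentialProcess != "" }
func (c *ProfileConfig) HasSourceProfile() bool     { return c.SourceProfile != "" }
func (c *ProfileConfig) HasRole() bool              { return c.RoleARN != "" }
func (c *ProfileConfig) HasWebIdentity() bool {
	return c.WebIdentityTokenFile != "" || c.WebIdentityTokenProcess != ""
}

// CountSources counts the independent ways a profile could obtain credentials.
// With asIn700=true it mirrors the 7.0.0 logic quoted in the issue: a role_arn is
// counted even when a web identity token is configured, so a web-identity+role
// profile looks like it has two sources. With asIn700=false it applies the change
// proposed in the issue: the role only counts as a separate source when no web
// identity file/process is set, since the web identity provider needs both.
func CountSources(c *ProfileConfig, asIn700 bool) int {
	n := 0
	if c.HasSSOStartURL() {
		n++
	}
	if c.HasWebIdentity() {
		n++
	}
	if c.HasCredentialProcess() {
		n++
	}
	if c.HasSourceProfile() {
		n++
	} else if c.HasRole() && (asIn700 || !c.HasWebIdentity()) {
		n++
	}
	return n
}

// Validate has the same shape as the quoted method; asIn700 selects the counting rule.
func Validate(c *ProfileConfig, asIn700 bool) error {
	if c.HasSSOSession() && !c.HasSSOStartURL() {
		return fmt.Errorf("profile '%s' has sso_session but no sso_start_url", c.ProfileName)
	}
	if CountSources(c, asIn700) > 1 {
		return fmt.Errorf("profile '%s' has more than one source of credentials", c.ProfileName)
	}
	return nil
}

func main() {
	// Constructed sample profiles (not taken from any real .aws/config).
	profiles := []*ProfileConfig{
		// web identity + role: the combination the issue reports as broken in 7.0.0
		{ProfileName: "webid", RoleARN: "arn:aws:iam::123456789012:role/ci",
			WebIdentityTokenProcess: "/usr/local/bin/get-oidc-token"},
		// role assumed from a source profile: unaffected, source_profile wins the branch
		{ProfileName: "assume", RoleARN: "arn:aws:iam::123456789012:role/dev", SourceProfile: "base"},
		// credential_process and a web identity token: genuinely two sources, still rejected
		{ProfileName: "twosrc", CredentialProcess: "/usr/local/bin/creds",
			WebIdentityTokenFile: "/var/run/token"},
	}
	for _, p := range profiles {
		fmt.Printf("%-7s 7.0.0:    %v\n", p.ProfileName, Validate(p, true))
		fmt.Printf("%-7s proposed: %v\n", p.ProfileName, Validate(p, false))
	}
}
```

Running it shows the "webid" profile rejected under the 7.0.0 rule and accepted under the proposed one, while the other two profiles behave the same either way, which is the property any fix for this check should preserve.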