Segfault when using ecs-server mode and /role-arn url
frco9 opened this issue
- I am using the latest release of AWS Vault
- I have provided my .aws/config (redacted if necessary)
- I have provided the debug output using aws-vault --debug (redacted if necessary)
Here is my .aws/config:
[profile eh-dev02]
region = eu-central-1
When using aws-vault in ecs server mode, I have a segfault when using the /role-arn route.
2023/03/15 16:45:21 aws-vault 7.1.0-Homebrew
2023/03/15 16:45:21 Using prompt driver: osascript
2023/03/15 16:45:21 Loading config file /Users/j.foucault/.aws/config
2023/03/15 16:45:21 Parsing config file /Users/j.foucault/.aws/config
2023/03/15 16:45:21 [keyring] Considering backends: [keychain]
2023/03/15 16:45:21 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2023/03/15 16:45:21 [keyring] Found 5 results
2023/03/15 16:45:21 profile eh-dev02: using stored credentials
2023/03/15 16:45:21 profile eh-dev02: using GetSessionToken
2023/03/15 16:45:21 Setting subprocess env: AWS_REGION=eu-central-1, AWS_DEFAULT_REGION=eu-central-1
2023/03/15 16:45:21 Starting a local ECS credential server; your app's AWS sdk must support AWS_CONTAINER_CREDENTIALS_FULL_URI.
2023/03/15 16:45:21 Setting subprocess env AWS_CONTAINER_CREDENTIALS_FULL_URI, AWS_CONTAINER_AUTHORIZATION_TOKEN
2023/03/15 16:45:21 Starting a subprocess: docker compose up --build aws-vault-proxy
[+] Building 1.0s (9/9) FINISHED
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 32B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for docker.io/library/golang:1.17 0.9s
=> [internal] load build context 0.0s
=> => transferring context: 111B 0.0s
=> [1/4] FROM docker.io/library/golang:1.17@sha256:87262e4a4c7db56158a80a18fefdc4fee5accc41b59cde821e691d05541bbb18 0.0s
=> CACHED [2/4] WORKDIR /usr/src/aws-vault-proxy 0.0s
=> CACHED [3/4] COPY . /usr/src/aws-vault-proxy 0.0s
=> CACHED [4/4] RUN go build -v -o /usr/local/bin/aws-vault-proxy ./... 0.0s
=> exporting to image 0.0s
=> => exporting layers 0.0s
=> => writing image sha256:51f4ab94b15599046f049c632846a17102d399c00869348aede96d0c403eeb6d 0.0s
=> => naming to docker.io/library/amp-local-dev_aws-vault-proxy 0.0s
[+] Running 0/0
[+] Running 1/1p-local-dev-aws-vault-proxy-1 Recreate 0.0s
⠿ Container amp-local-dev-aws-vault-proxy-1 Recreated 0.2s
Attaching to amp-local-dev-aws-vault-proxy-1
amp-local-dev-aws-vault-proxy-1 | 2023/03/15 15:45:23 reverse proxying target:http://host.docker.internal:51570 auth:*******
panic: runtime error: invalid memory address or nil pointer dereference
runtime/debug.Stack()
/opt/homebrew/Cellar/go/1.20.2/libexec/src/runtime/debug/stack.go:24 +0x64
github.com/aws/aws-sdk-go-v2/internal/sync/singleflight.newPanicError({0x102792220?, 0x102b0c710})
/Users/brew/Library/Caches/Homebrew/go_mod_cache/pkg/mod/github.com/aws/aws-sdk-go-v2@v1.17.5/internal/sync/singleflight/singleflight.go:33 +0x28
github.com/aws/aws-sdk-go-v2/internal/sync/singleflight.(*Group).doCall.func2.1()
/Users/brew/Library/Caches/Homebrew/go_mod_cache/pkg/mod/github.com/aws/aws-sdk-go-v2@v1.17.5/internal/sync/singleflight/singleflight.go:186 +0x40
panic({0x102792220, 0x102b0c710})
/opt/homebrew/Cellar/go/1.20.2/libexec/src/runtime/panic.go:884 +0x1f4
github.com/99designs/aws-vault/v7/vault.(*Mfa).GetMfaSerial(...)
/private/tmp/aws-vault-20230313-4300-1p2g1w7/aws-vault-7.1.0/vault/mfa.go:33
github.com/99designs/aws-vault/v7/vault.(*AssumeRoleProvider).assumeRole(0x140001ac100, {0x10281fe60, 0x1400018e140})
/private/tmp/aws-vault-20230313-4300-1p2g1w7/aws-vault-7.1.0/vault/assumeroleprovider.go:65 +0x208
github.com/99designs/aws-vault/v7/vault.(*AssumeRoleProvider).Retrieve(0x10a0c3488?, {0x10281fe60?, 0x1400018e140?})
/private/tmp/aws-vault-20230313-4300-1p2g1w7/aws-vault-7.1.0/vault/assumeroleprovider.go:29 +0x40
github.com/aws/aws-sdk-go-v2/aws.(*CredentialsCache).singleRetrieve(0x140001b6100, {0x10281fe60, 0x1400018e140})
/Users/brew/Library/Caches/Homebrew/go_mod_cache/pkg/mod/github.com/aws/aws-sdk-go-v2@v1.17.5/aws/credential_cache.go:120 +0x138
github.com/aws/aws-sdk-go-v2/aws.(*CredentialsCache).Retrieve.func1()
/Users/brew/Library/Caches/Homebrew/go_mod_cache/pkg/mod/github.com/aws/aws-sdk-go-v2@v1.17.5/aws/credential_cache.go:104 +0x7c
github.com/aws/aws-sdk-go-v2/internal/sync/singleflight.(*Group).doCall.func2(0x14000121f46, 0x140001b2120, 0x0?)
/Users/brew/Library/Caches/Homebrew/go_mod_cache/pkg/mod/github.com/aws/aws-sdk-go-v2@v1.17.5/internal/sync/singleflight/singleflight.go:191 +0x60
github.com/aws/aws-sdk-go-v2/internal/sync/singleflight.(*Group).doCall(0x0?, 0x0?, {0x0?, 0x0?}, 0x0?)
/Users/brew/Library/Caches/Homebrew/go_mod_cache/pkg/mod/github.com/aws/aws-sdk-go-v2@v1.17.5/internal/sync/singleflight/singleflight.go:193 +0x84
created by github.com/aws/aws-sdk-go-v2/internal/sync/singleflight.(*Group).DoChan
/Users/brew/Library/Caches/Homebrew/go_mod_cache/pkg/mod/github.com/aws/aws-sdk-go-v2@v1.17.5/internal/sync/singleflight/singleflight.go:131 +0x388
goroutine 22 [running]:
github.com/aws/aws-sdk-go-v2/internal/sync/singleflight.(*Group).doCall.func1.2()
/Users/brew/Library/Caches/Homebrew/go_mod_cache/pkg/mod/github.com/aws/aws-sdk-go-v2@v1.17.5/internal/sync/singleflight/singleflight.go:160 +0x2c
created by github.com/aws/aws-sdk-go-v2/internal/sync/singleflight.(*Group).doCall.func1
/Users/brew/Library/Caches/Homebrew/go_mod_cache/pkg/mod/github.com/aws/aws-sdk-go-v2@v1.17.5/internal/sync/singleflight/singleflight.go:160 +0x284
amp-local-dev-aws-vault-proxy-1 | 2023/03/15 15:45:30 http: proxy error: EOF
amp-local-dev-aws-vault-proxy-1 | 169.254.170.3 - - [15/Mar/2023:15:45:30 +0000] "GET /role-arn/arn:aws:iam::****:role/role-my-role-arn HTTP/1.1" 502 0
It seems to be linked to an issue with MfaSerial; the thing is, I have no MFA set up for this AWS profile.
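
The Go sketch below is an added example, not aws-vault's code and not part of the original report. It assumes the crash class the trace points to: an accessor called on a nil struct pointer because the profile has no MFA settings. `Mfa`, `roleProvider`, `retrieve` and `SafeMfaSerial` are hypothetical names. It shows the panic, a nil-guarded accessor, and a recover in the retrieving goroutine that converts the panic into an error.

```go
package main

import (
	"errors"
	"fmt"
)

// Mfa is a hypothetical stand-in for a struct of MFA settings (not aws-vault's type).
type Mfa struct{ serial string }

// GetMfaSerial dereferences its receiver, so calling it on a nil *Mfa panics.
func (m *Mfa) GetMfaSerial() string { return m.serial }

// SafeMfaSerial treats a nil receiver as "no MFA configured".
func (m *Mfa) SafeMfaSerial() string {
	if m == nil {
		return ""
	}
	return m.serial
}

// roleProvider is a hypothetical provider; mfa stays nil when the profile has no MFA.
type roleProvider struct{ mfa *Mfa }

var errRetrieve = errors.New("credential retrieval failed")

// retrieve returns the MFA serial it would send with an assume-role call.
// The deferred recover turns a panic into an error in the same goroutine,
// so one bad request cannot take down the whole credential server.
func (p *roleProvider) retrieve(guarded bool) (serial string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%w: %v", errRetrieve, r)
		}
	}()
	if guarded {
		return p.mfa.SafeMfaSerial(), nil
	}
	return p.mfa.GetMfaSerial(), nil
}

func main() {
	noMfa := &roleProvider{} // constructed case: profile without MFA
	_, err := noMfa.retrieve(false)
	fmt.Println("unguarded:", err)
	serial, err := noMfa.retrieve(true)
	fmt.Printf("guarded: serial=%q err=%v\n", serial, err)
}
```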