99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments


`aws-vault login` not working

matthewhembree opened this issue · comments

  • I am using the latest release of AWS Vault
  • I have provided my .aws/config (redacted if necessary)
  • I have provided the debug output using aws-vault --debug (redacted if necessary)

This is occurring with a new laptop that I got yesterday. I see there are new releases that might be relevant to this breakage. It's likely that I haven't updated things in a while on my previous laptop.


Output from browser:

Text for search:

Only federation tokens or assume role tokens may be used for federated login. Please contact your administrator.

~/.aws/config (snippet):

[default]
region=us-west-2
output=json
credential_process=/opt/homebrew/bin/aws-vault exec default --json --no-session

debug output:

aws-vault login default --debug
2023/03/17 12:10:41 aws-vault v7.1.1
2023/03/17 12:10:41 Using prompt driver: terminal
2023/03/17 12:10:41 [keyring] Considering backends: [keychain]
2023/03/17 12:10:41 Loading config file /Users/username/.aws/config
2023/03/17 12:10:41 Parsing config file /Users/username/.aws/config
2023/03/17 12:10:41 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2023/03/17 12:10:41 [keyring] Found 3 results
2023/03/17 12:10:41 profile default: using stored credentials
2023/03/17 12:10:41 profile default: using GetSessionToken
2023/03/17 12:10:41 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2023/03/17 12:10:41 [keyring] Found 3 results
2023/03/17 12:10:41 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2023/03/17 12:10:41 [keyring] Found 3 results
2023/03/17 12:10:41 [keyring] Querying keychain for service="aws-vault", account="sts.GetSessionToken,ZGVmYXVsdA,,1679076560", keychain="aws-vault.keychain"
2023/03/17 12:10:41 [keyring] Found item "aws-vault session for default (expires 2023-03-17T18:09:20Z)"
2023/03/17 12:10:41 Re-using cached credentials ****************QXUN from sts.GetSessionToken, expires in 58m38.815681s
2023/03/17 12:10:41 Creating login token, expires in 58m38.815649s

Should this call sts.GetFederationToken instead?

edit: added text for searching.

I also tried using:
credential_process=/opt/homebrew/bin/aws-vault export default --format=json --no-session
Same result/error.

Works on v6.6.1 (uses GetFederationToken):

debug output:

av login default --debug
2023/03/17 12:38:07 aws-vault v6.6.1
2023/03/17 12:38:07 [keyring] Considering backends: [keychain]
2023/03/17 12:38:07 Loading config file /Users/username/.aws/config
2023/03/17 12:38:07 Parsing config file /Users/username/.aws/config
2023/03/17 12:38:07 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2023/03/17 12:38:07 [keyring] Found 3 results
2023/03/17 12:38:07 Looking up keyring for 'default'
2023/03/17 12:38:07 [keyring] Querying keychain for service="aws-vault", account="default", keychain="aws-vault.keychain"
2023/03/17 12:38:07 [keyring] Found item "aws-vault (default)"
2023/03/17 12:38:08 Using GetFederationToken for credentials
2023/03/17 12:38:08 Looking up keyring for 'default'
2023/03/17 12:38:08 [keyring] Querying keychain for service="aws-vault", account="default", keychain="aws-vault.keychain"
2023/03/17 12:38:08 [keyring] Found item "aws-vault (default)"
2023/03/17 12:38:08 Generated credentials ****************WSNO using GetFederationToken, expires in 59m59.599642s
2023/03/17 12:38:08 Creating login token, expires in 59m59.599539s

@matthewhembree can you please test if v7.2.0-beta1 fixes your problem?

@mtibben yes, that resolves the issue. Validated with AWS and AWS-China.

Thanks!
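Added example, not part of the issue thread or of aws-vault's own code: a small Go triage helper that reads `aws-vault --debug` output, finds which STS operation produced the credentials used for the login token, and checks it against the rule in the console error quoted above. The function names `LoginCredentialSource` and `FederatedLoginOK` are hypothetical, and the sample logs are constructed from a few lines of the two debug runs in the issue.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed samples: a few lines taken from the two debug runs quoted in the issue.
const v711Log = `2023/03/17 12:10:41 aws-vault v7.1.1
2023/03/17 12:10:41 profile default: using GetSessionToken
2023/03/17 12:10:41 Re-using cached credentials ****************QXUN from sts.GetSessionToken, expires in 58m38.815681s
2023/03/17 12:10:41 Creating login token, expires in 58m38.815649s`

const v661Log = `2023/03/17 12:38:07 aws-vault v6.6.1
2023/03/17 12:38:08 Using GetFederationToken for credentials
2023/03/17 12:38:08 Generated credentials ****************WSNO using GetFederationToken, expires in 59m59.599642s
2023/03/17 12:38:08 Creating login token, expires in 59m59.599539s`

var stsOp = regexp.MustCompile(`\b(GetSessionToken|GetFederationToken|AssumeRole\w*)\b`)

// LoginCredentialSource (hypothetical helper) returns the last STS operation logged
// before "Creating login token"; ok is false if no login or no operation was found.
func LoginCredentialSource(log string) (op string, ok bool) {
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		if strings.Contains(sc.Text(), "Creating login token") {
			return op, op != ""
		}
		if m := stsOp.FindString(sc.Text()); m != "" {
			op = m
		}
	}
	return "", false
}

// FederatedLoginOK applies the rule from the console error quoted in the
// issue: only federation tokens or assume-role tokens are accepted.
func FederatedLoginOK(op string) bool {
	return op == "GetFederationToken" || strings.HasPrefix(op, "AssumeRole")
}

func main() {
	for _, l := range []string{v711Log, v661Log} {
		op, ok := LoginCredentialSource(l)
		fmt.Printf("source=%q found=%v federated-login-ok=%v\n", op, ok, FederatedLoginOK(op))
	}
}
```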