99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments


AWS_ROLE_ARN does not work in 7.x.x

jtsoi opened this issue · comments

commented
  • I am using the latest release of AWS Vault
  • I have provided my .aws/config (redacted if necessary)
  • I have provided the debug output using aws-vault --debug (redacted if necessary)

Problem

Hi, I was using AWS_ROLE_ARN=<to-role> aws-vault exec <from-profile> -- <cmd> as outlined in #423, this is working in 6.6.2, but no longer works in 7.0.0, possibly a regression due to new MFA features? I can work around the issue for the moment, but it would be good to know if this is a bug or as intended.

v7.0.0 debug - not working

AWS_ROLE_ARN="arn:aws:iam::[REDACTED]:role/SandboxAdminRole" aws-vault exec jt -- aws s3 ls

2023/03/31 14:56:33 aws-vault v7.0.0
2023/03/31 14:56:33 Using prompt driver: terminal
2023/03/31 14:56:33 Loading config file /home/jt/.aws/config
2023/03/31 14:56:33 Parsing config file /home/jt/.aws/config
2023/03/31 14:56:33 [keyring] Considering backends: [secret-service]
2023/03/31 14:56:33 Using region "eu-west-1" from AWS_REGION
2023/03/31 14:56:33 Using role_arn "arn:aws:iam::[REDACTED]:role/SandboxAdminRole" from AWS_ROLE_ARN
2023/03/31 14:56:33 profile jt: using stored credentials
2023/03/31 14:56:33 profile jt: using AssumeRole (with MFA)
2023/03/31 14:56:33 Setting subprocess env: AWS_REGION=eu-west-1, AWS_DEFAULT_REGION=eu-west-1
2023/03/31 14:56:33 Re-using cached credentials ****************F54M from sts.AssumeRole, expires in 42m26.723449886s
2023/03/31 14:56:33 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2023/03/31 14:56:33 Setting subprocess env: AWS_SESSION_TOKEN
2023/03/31 14:56:33 Setting subprocess env: AWS_CREDENTIAL_EXPIRATION
2023/03/31 14:56:33 Exec command aws s3 ls
2023/03/31 14:56:33 Found executable /usr/local/bin/aws

An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

v6.6.2 debug - working

AWS_ROLE_ARN="arn:aws:iam::[REDACTED]:role/SandboxAdminRole" aws-vault exec jt -- aws s3 ls

2023/03/31 15:00:10 aws-vault v6.6.2
2023/03/31 15:00:10 Loading config file /home/jt/.aws/config
2023/03/31 15:00:10 Parsing config file /home/jt/.aws/config
2023/03/31 15:00:10 [keyring] Considering backends: [secret-service]
2023/03/31 15:00:10 Using region "eu-west-1" from AWS_REGION
2023/03/31 15:00:10 Using role_arn "arn:aws:iam::[REDACTED]:role/SandboxAdminRole" from AWS_ROLE_ARN
2023/03/31 15:00:10 profile jt: using stored credentials
2023/03/31 15:00:10 profile jt: using GetSessionToken (with MFA)
2023/03/31 15:00:10 profile jt: using AssumeRole (chained MFA)
2023/03/31 15:00:10 Re-using cached credentials ****************AGVD from sts.GetSessionToken, expires in 40m53.594420497s
2023/03/31 15:00:10 Generated credentials ****************TUEN using AssumeRole, expires in 59m59.370899873s
2023/03/31 15:00:10 Setting subprocess env: AWS_DEFAULT_REGION=eu-west-1, AWS_REGION=eu-west-1
2023/03/31 15:00:10 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2023/03/31 15:00:10 Setting subprocess env: AWS_SESSION_TOKEN, AWS_SECURITY_TOKEN
2023/03/31 15:00:10 Setting subprocess env: AWS_SESSION_EXPIRATION
2023/03/31 15:00:10 Exec command aws s3 ls
2023/03/31 15:00:10 Found executable /usr/local/bin/aws
2022-08-03 10:06:12 [REDACTED]-bucket-1
2022-08-03 10:06:12 [REDACTED]-bucket-2
...

AWS config file

.aws/config (redacted)

[default]
region=eu-west-1
output=json

[profile jt]
mfa_serial=arn:aws:iam::[REDACTED]:mfa/jt

[profile jt-sandbox-admin]
source_profile=jt
mfa_serial=arn:aws:iam::[REDACTED]:mfa/jt
role_arn=arn:aws:iam::[REDACTED]:role/SandboxAdminRole

commented

I can work around the issue for the moment, but it would be good to know if this is a bug or as intended.

I'm also running into this issue. Could you share how you are working around this?
I just downgraded to v6 for the moment.

commented

@sajoku, the workaround is not very elegant 😄

Instead of AWS_ROLE_ARN="..." aws-vault exec main -- aws s3 ls

I added all the needed roles into ~/.aws/config like this:

[profile main]
mfa_serial=arn:aws:iam::[REDACTED]:mfa/jt

[profile main-sandbox-role]
source_profile=main
mfa_serial=arn:aws:iam::[REDACTED]:mfa/jt
role_arn=arn:aws:iam::[REDACTED]:role/SandboxAdminRole

And the new call is then:
aws-vault exec main-sandbox-role -- aws s3 ls

This seems to work.
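A small pre-flight check, added here as an example and not part of aws-vault or this thread: it parses a ~/.aws/config in the layout shown above, follows source_profile chains, and reports which role ARN a given profile resolves to, so the env-override invocation (AWS_ROLE_ARN=... aws-vault exec main) and the workaround profile (aws-vault exec main-sandbox-role) can be compared before running anything against the account. The account id and the assumption that an AWS_ROLE_ARN override applies only to the profile passed to exec are constructed for this example.

```python
import configparser
from typing import Dict, List, Optional, Tuple

# Constructed sample mirroring the redacted config from the thread
# (account id is a placeholder).
SAMPLE_CONFIG = """
[default]
region=eu-west-1
output=json

[profile main]
mfa_serial=arn:aws:iam::111111111111:mfa/jt

[profile main-sandbox-role]
source_profile=main
mfa_serial=arn:aws:iam::111111111111:mfa/jt
role_arn=arn:aws:iam::111111111111:role/SandboxAdminRole
"""

Hop = Tuple[str, Optional[str], Optional[str]]  # (profile, role_arn, mfa_serial)


def load_profiles(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .aws/config text; strip the 'profile ' prefix used by the CLI format."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    profiles = {}
    for section in cp.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(cp[section])
    return profiles


def resolve_chain(profiles: Dict[str, Dict[str, str]], name: str,
                  env: Optional[Dict[str, str]] = None, depth: int = 0) -> List[Hop]:
    """Return the hops from the source credentials to the final role.
    Assumption: an AWS_ROLE_ARN override applies to the profile given to exec
    (depth 0) only, as the #423 pattern in the thread uses it."""
    if depth > 10:
        raise ValueError("source_profile chain too deep (loop?)")
    p = profiles[name]
    role = p.get("role_arn")
    if depth == 0 and env and env.get("AWS_ROLE_ARN"):
        role = env["AWS_ROLE_ARN"]
    chain: List[Hop] = []
    if "source_profile" in p:
        chain = resolve_chain(profiles, p["source_profile"], None, depth + 1)
    chain.append((name, role, p.get("mfa_serial")))
    return chain


def final_role(profiles: Dict[str, Dict[str, str]], name: str,
               env: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Role ARN the subprocess should end up with, or None for plain user credentials."""
    return resolve_chain(profiles, name, env)[-1][1]
```

Run final_role for both invocations; if they disagree with the role you expect, the session handed to the subprocess is not the one you intended.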