99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments


aws-vault ec2server cannot utilize an instance of aws-vault proxy that is already running on windows

andreas-foreflight opened this issue · comments

  • I am using the latest release of AWS Vault
  • I have provided my .aws/config (redacted if necessary)
  • I have provided the debug output using aws-vault --debug (redacted if necessary)
    $ aws-vault exec profile --ec2-server --debug
    2023/07/12 10:13:57 aws-vault v7.2.0
    2023/07/12 10:13:57 Using prompt driver: wincredui
    2023/07/12 10:13:57 Loading config file C:\Users\AndreasVinter-Hviid\.aws\config
    2023/07/12 10:13:57 Parsing config file C:\Users\AndreasVinter-Hviid\.aws\config
    2023/07/12 10:13:57 [keyring] Considering backends: [wincred]
    2023/07/12 10:13:57 Profile 'default' missing in config file
    2023/07/12 10:13:57 profile profile: using SSO role credentials
    2023/07/12 10:13:57 Setting subprocess env: AWS_REGION=us-east-1, AWS_DEFAULT_REGION=us-east-1
    aws-vault: error: exec: Another process is already bound to 169.254.169.254:80

The problem

Using aws-vault with the ec2server on Windows, my workflow has previously consisted of having set up my system to start aws-vault proxy in the background as administrator on boot. This has allowed me to use the ec2server without having to mess around with administrator shells.

I believe that this type of workflow is the intended usage of the aws-vault proxy cli command. This is based on this error message which gets printed if you try to start the ec2server without being an administrator:

The EC2 Instance Metadata endpoint proxy server isn't running. Run aws-vault proxy as Administrator or root in the background and then try this command again

Since updating to the newest version of aws-vault this no longer works. The proxy server starts up just fine on boot, but when I try to run aws-vault exec --ec2-server I get the following error:

aws-vault: error: exec: Another process is already bound to 169.254.169.254:80

That is not wrong. The proxy server process is bound to that port. That is on purpose. Previously, aws-vault would just use that instance of the proxy server. But now it seems that it fails if it is already running.

Cause

It seems this was introduced in this PR: https://github.com/99designs/aws-vault/pull/1167/files

In particular, the following code makes sure that the ec2 server cannot start if the proxy is already running.

https://github.com/99designs/aws-vault/blame/e22aea12b03e8ce036e9af87dda9303806fa2a9e/cli/exec.go#L190

Previously there was code in server/ec2server.go which would start the proxy if it was not running. This has been removed (although there is still a code comment indicating that it should be there).

This PR was created to fix issue #1133

The reporter of that issue suggested better debug output and also to shut down that proxy process when the ec2 server instance which created it terminates.

The PR seems primarily concerned with the second point. It appears to attempt to tie the lifetime of the proxy process 1:1 with the lifetime of an ec2-server process. To me, this seems like a major undocumented change in behavior. I also wonder what the point of having a separate proxy process, with a set of aws-vault proxy commands to control it, is if it cannot be managed separately from the ec2-server process.

Suggestion

It seems to me that the previous behavior was better, and that the issue would have been better served by improving debug output/documentation to make it easier to understand what was going on for the reporter.
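The two behaviours the issue contrasts (fail when the metadata port is bound vs. reuse a proxy that already answers there) can be separated by probing the address rather than only testing whether it is bound. The following is an added Go example, not aws-vault's own code; it assumes a hypothetical `probePath` that the running proxy answers with 200, and it treats any bound port that does not answer that way as foreign.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"time"
)

// ProxyState is what an ec2-server would find at the metadata address.
type ProxyState int

const (
	ProxyFree         ProxyState = iota // nothing bound: safe to start our own proxy
	ProxyReusable                       // an HTTP metadata proxy already answers: reuse it
	ProxyBoundByOther                   // bound, but not behaving like a metadata proxy: fail
)

// probePath is an assumed health path; aws-vault's proxy is not claimed to serve it.
const probePath = "/latest/meta-data/"

// probeMetadataProxy first tries to bind addr itself. If the bind fails it
// does not give up immediately (the behaviour the issue complains about) but
// sends one HTTP request; a 200 on probePath means a usable proxy is running.
func probeMetadataProxy(addr string) (ProxyState, error) {
	ln, err := net.Listen("tcp", addr)
	if err == nil {
		ln.Close() // we only wanted to know whether the port is free
		return ProxyFree, nil
	}
	client := &http.Client{Timeout: 2 * time.Second}
	resp, err := client.Get("http://" + addr + probePath)
	if err != nil {
		return ProxyBoundByOther, fmt.Errorf("%s is bound but did not answer HTTP: %w", addr, err)
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusOK {
		return ProxyReusable, nil
	}
	return ProxyBoundByOther, fmt.Errorf("%s answered HTTP %d on %s, not a metadata proxy", addr, resp.StatusCode, probePath)
}

func main() {
	// The real address from the error message in this issue.
	st, err := probeMetadataProxy("169.254.169.254:80")
	fmt.Println(st, err)
}
```

The probe only shows that some HTTP responder holds the port; it does not prove which process it is, so on a shared host the reuse path still deserves a log line and a clear error rather than silent trust.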