99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments
MIT License
8.52k stars 820 forks

New release - 7.0.0-doesn't use credential_process? #1175

Closed ArjunDandagi closed 1 year ago

ArjunDandagi commented 1 year ago

The new release is updated to use the sso-session. I am not quite sure if we can still use credential_process with this. I can use credential_process for the legacy SSO but not for the newly supported sso-session. Is it by design?

I tried to play around a bit with no luck

[default]
region = eu-west-1

[sso-session dev-col]
sso_start_url = https://mycompany.awsapps.com/start
sso_region = eu-west-1
sso_registration_scopes = sso:account:access

[profile dev]
sso_session = dev-col
sso_account_id = 123456789012
sso_role_name = READ
region = eu-west-1
credential_process = aws-vault export --format=json dev

With this I tried running a command:

aws s3 ls --profile dev

This doesn't work because aws-vault also errors when I call aws-vault exec dev -- aws s3 ls

So I had to add another profile that uses credential_process to call this:

[default]
region = eu-west-1

[sso-session dev-col]
sso_start_url = https://mycompany.awsapps.com/start
sso_region = eu-west-1
sso_registration_scopes = sso:account:access

[profile dev]
credential_process = aws-vault export --format=json dev-cred-process
[profile dev-cred-process]
sso_session = dev-col
sso_account_id = 123456789012
sso_role_name = READ
region = eu-west-1

With this configuration I can use both the aws command and the aws-vault command on the dev profile.

But I believe this can be optimized?

  1. A session login command for aws-vault?
  2. Can we use credential_process within the same block instead of creating another profile just to call this block?

Please correct me if there is any concept I am missing. 🙇

olfway commented 1 year ago

We have a similar issue with credential_process.

Before the 7.0 release aws-vault was ignoring credential_process and a config like this was working perfectly:

[profile my-root]
region = eu-west-1
mfa_serial = arn:aws:iam::111111111111:mfa/name
credential_process = env AWS_SDK_LOAD_CONFIG=0 aws-vault --backend=pass --pass-prefix=aws-vault --prompt=osascript exec --region eu-west-1 --duration=3h my-root --json

[profile my-dev]
region = eu-west-1
source_profile = my-root
include_profile = my-root
role_arn = arn:aws:iam::222222222222:role/MyDevRole

We were able to use it like this:

aws sts get-caller-identity --profile my-dev

After the 7.0 release aws-vault starts to call credential_process and this config is broken now:

2023/03/06 17:53:22 aws-vault 7.0.0-Homebrew
2023/03/06 17:53:22 Using prompt driver: osascript
2023/03/06 17:53:22 Using AWS_CONFIG_FILE value: /Users/myuser/Workspace/aws-dev/.aws/config
2023/03/06 17:53:22 Loading config file /Users/myuser/Workspace/aws-dev/.aws/config
2023/03/06 17:53:22 Parsing config file /Users/myuser/Workspace/aws-dev/.aws/config
2023/03/06 17:53:22 [keyring] Considering backends: [pass]
2023/03/06 17:53:22 Profile 'default' missing in config file
2023/03/06 17:53:22 profile my-root: using credential process
aws-vault: error: exec: Failed to get credentials for my-root: running command "env AWS_SDK_LOAD_CONFIG=0 aws-vault --backend=pass --pass-prefix=aws-vault --prompt=osascript exec --region eu-west-1 --duration=3h my-root --json": fork/exec /bin/sh: resource temporarily unavailable
aws-vault: error: exec: Failed to get credentials for my-root: running command "env AWS_SDK_LOAD_CONFIG=0 aws-vault --backend=pass --pass-prefix=aws-vault --prompt=osascript exec --region eu-west-1 --duration=3h my-root --json": exit status 1
aws-vault: error: exec: Failed to get credentials for my-root: running command "env AWS_SDK_LOAD_CONFIG=0 aws-vault --backend=pass --pass-prefix=aws-vault --prompt=osascript exec --region eu-west-1 --duration=3h my-root --json": exit status 1
....

I also managed to make it work with an extra profile:

[profile my-root]
region = eu-west-1
mfa_serial = arn:aws:iam::111111111111:mfa/name

[profile my-root-vault]
credential_process = env AWS_SDK_LOAD_CONFIG=0 aws-vault --backend=pass --pass-prefix=aws-vault --prompt=osascript exec --region eu-west-1 --duration=3h my-root --json

[profile my-dev]
region = eu-west-1
source_profile = my-root-vault
role_arn = arn:aws:iam::222222222222:role/MyDevRole

Is it possible to make it work without extra profile?

Basically I need to run the AWS CLI and I want aws-vault to get my keys from the pass backend, ask for an MFA code, cache temporary credentials and return them to the AWS CLI.

mtibben commented 1 year ago

[default]
region = eu-west-1

[sso-session dev-col]
sso_start_url = https://mycompany.awsapps.com/start
sso_region = eu-west-1
sso_registration_scopes = sso:account:access

[profile dev]
sso_session = dev-col
sso_account_id = 123456789012
sso_role_name = READ
region = eu-west-1
credential_process = aws-vault export --format=json dev

@ArjunDandagi I struggle to understand what the purpose of credential_process here is. Do you have master credentials that you're trying to use? Or are you using SSO? Your config is ambiguous.

mtibben commented 1 year ago

Is it possible to make it work without extra profile?

Basically I need to run the AWS CLI and I want aws-vault to get my keys from the pass backend, ask for an MFA code, cache temporary credentials and return them to the AWS CLI.

Using an extra profile seems like the correct approach here @olfway.

My only feedback is that your credential_process command can be simplified to:

[profile my-root-vault]
credential_process = aws-vault --backend=pass --pass-prefix=aws-vault export --format=json --duration=3h my-root
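
As an added example (not aws-vault's code and not either poster's), here is a small linter over an AWS shared config that makes the failure above concrete: it builds the profile dependency graph from source_profile, include_profile and the profile that an aws-vault exec/export credential_process command targets, then reports a profile whose credential_process re-enters aws-vault on itself (the self-loop behind the `fork/exec /bin/sh: resource temporarily unavailable` log lines), longer dependency cycles, and profiles that set both SSO keys and credential_process (the ambiguity mtibben asks @ArjunDandagi about). aws_vault_target() is a heuristic that takes the last bare argument before any `--` as the profile name; the three sample configs are constructed from the ones posted in this thread, with region and role lines trimmed.

```python
"""Lint an AWS shared config for credential-source loops (added example, not aws-vault code).
A profile whose credential_process runs aws-vault on that same profile makes aws-vault 7, which
now honours credential_process, start itself again on every lookup until fork() fails."""
import configparser
import shlex


def load_profiles(config_text):
    """Return {profile_name: {key: value}}; [sso-session ...] and other section kinds are skipped."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(config_text)
    return {("default" if s == "default" else s[len("profile "):].strip()): dict(parser[s])
            for s in parser.sections() if s == "default" or s.startswith("profile ")}


def aws_vault_target(command):
    """Heuristic: the profile an `aws-vault ... exec|export ... <profile>` command line targets.
    Assumption: the profile is the last bare argument before any `--`, so a space-separated flag
    value (`--region eu-west-1`) must precede it, as in the commands posted in this thread."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return None
    if argv and argv[0] == "env":  # drop an `env VAR=value ...` wrapper
        argv = argv[1:]
        while argv and "=" in argv[0]:
            argv.pop(0)
    if not argv or argv[0].rsplit("/", 1)[-1] != "aws-vault":
        return None
    sub = next((i for i, a in enumerate(argv) if a in ("exec", "export")), None)
    if sub is None:
        return None
    args = argv[sub + 1:]
    args = args[:args.index("--")] if "--" in args else args  # after `--` comes the wrapped command
    positional = [a for a in args if not a.startswith("-")]
    return positional[-1] if positional else None


def credential_graph(profiles):
    """Edge from each profile to every profile its credentials are resolved through."""
    graph = {}
    for name, keys in profiles.items():
        deps = {keys[k] for k in ("source_profile", "include_profile") if k in keys}
        target = aws_vault_target(keys.get("credential_process", ""))
        if target:
            deps.add(target)
        graph[name] = deps
    return graph


def find_cycles(graph):
    """Each dependency cycle once, as a path that ends on the profile it starts from."""
    found = {}

    def walk(node, path):
        for nxt in sorted(graph.get(node, ())):
            if nxt == path[0]:
                found.setdefault(frozenset(path), path + [nxt])
            elif nxt not in path:  # a cycle not through path[0] is found from its own start
                walk(nxt, path + [nxt])

    for start in graph:
        walk(start, [start])
    return sorted(found.values())


def lint(config_text):
    """Return sorted (profile, message) findings for the given config text."""
    profiles = load_profiles(config_text)
    findings = []
    for cycle in find_cycles(credential_graph(profiles)):
        if len(cycle) == 2:  # [p, p]: p's credential_process (or source_profile) points back at p
            findings.append((cycle[0], "depends on itself: aws-vault recurses until fork() fails"))
        else:
            findings.append((cycle[0], "credential dependency cycle: " + " -> ".join(cycle)))
    for name, keys in profiles.items():
        if "credential_process" in keys and ("sso_session" in keys or "sso_start_url" in keys):
            findings.append((name, "SSO settings and credential_process both set: ambiguous source"))
    return sorted(findings)


# Constructed inputs mirroring the configs posted in this thread (region/role lines trimmed).
BROKEN = """[profile my-root]
mfa_serial = arn:aws:iam::111111111111:mfa/name
credential_process = env AWS_SDK_LOAD_CONFIG=0 aws-vault --backend=pass --pass-prefix=aws-vault --prompt=osascript exec --region eu-west-1 --duration=3h my-root --json
[profile my-dev]
source_profile = my-root
include_profile = my-root
"""
FIXED = """[profile my-root]
mfa_serial = arn:aws:iam::111111111111:mfa/name
[profile my-root-vault]
credential_process = aws-vault --backend=pass --pass-prefix=aws-vault export --format=json --duration=3h my-root
[profile my-dev]
source_profile = my-root-vault
"""
SSO_AND_PROCESS = """[sso-session dev-col]
sso_start_url = https://mycompany.awsapps.com/start
[profile dev]
sso_session = dev-col
credential_process = aws-vault export --format=json dev
"""
```

lint(BROKEN) reports my-root as depending on itself, lint(FIXED) is clean because my-root-vault points at my-root, which has no credential_process of its own, and lint(SSO_AND_PROCESS) gives profile dev both the self-loop and the ambiguity finding. The graph walk is what distinguishes the two layouts: the extra profile turns a one-node cycle into a two-node chain.
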

ArjunDandagi commented 1 year ago

I struggle to understand what the purpose of credential_process here is. Do you have master credentials that you're trying to use? Or are you using SSO? Your config is ambiguous.

@mtibben, no I don't have any master credentials. I want to make sure both session and profile credentials are stored in the keychain via aws-vault and I don't have to invoke the aws-vault command every time (which is why I want to use credential_process).

mtibben commented 1 year ago

@mtibben, no I don't have any master credentials. I want to make sure both session and profile credentials are stored in the keychain via aws-vault and I don't have to invoke the aws-vault command every time (which is why I want to use credential_process).

Ah OK, the extra profile sounds like the way to go then.

AWS Vault recognises both sso_session and credential_process as credential sources now. Sounds like you were relying on these being recognised by aws-cli, but not by aws-vault.

mtibben commented 1 year ago

A pre-release fix has been released in the v7.0.2-beta2 release. Can you please test this and confirm that it fixes this issue @ArjunDandagi @olfway

ArjunDandagi commented 1 year ago

Tried the v7.0.2-beta2 release for my use case; here are my findings:

  1. My use case is not supported by the AWS CLI itself. AWS will favour the SSO settings, start to search for an AWS session token and ignore credential_process altogether, and errors out (since I don't want to store the session token in the ~/.aws/sso directory).
  2. aws-vault is intended to look for stored credentials and hence errors with aws-vault: error: exec: Error getting temporary credentials: profile dev: credentials missing

[sso-session dev-col]
sso_start_url = https://mycompany.awsapps.com/start
sso_region = eu-west-1
sso_registration_scopes = sso:account:access

[profile dev]
sso_session = dev-col
sso_account_id = 123456789012
sso_role_name = READ
region = eu-west-1
credential_process = aws-vault export --format=json dev

For the same config above aws-vault will error with
`aws-vault: error: exec: Error getting temporary credentials: profile dev: credentials missing`

I will continue adding an additional profile to make my CLI experience smooth.

mtibben commented 1 year ago

Ah I see, you're right, the fix won't solve your issue here. A separate profile is the only solution for now.