99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments
MIT License

v7.0.0 doesn't support `credentials_process` from shared profile when no session is active #1176

Closed dgholz closed 1 year ago

dgholz commented 1 year ago

I've tried the new release and can't use profiles that assume roles.

My config:

[profile my-shared-base-profile]
credential_process=aws-vault exec my-shared-base-profile -j
mfa_serial=arn:aws:iam::1234567890:mfa/danielholz
region=eu-west-1

[profile profile-with-role]
source_profile=my-shared-base-profile
include_profile=my-shared-base-profile
region=eu-west-1
role_arn=arn:aws:iam::12345678901:role/allow-view-only-access-from-other-accounts

I ran aws-vault clear to drop any active sessions. After that, aws-vault seems to hang when trying to use it to get the credentials:

$ aws-vault --debug exec my-shared-base-profile -- aws sts get-caller-identity
2023/03/06 17:09:14 aws-vault v7.0.0
2023/03/06 17:09:14 Using prompt driver: osascript
2023/03/06 17:09:14 Loading config file /Users/danielholz/.aws/config
2023/03/06 17:09:14 Parsing config file /Users/danielholz/.aws/config
2023/03/06 17:09:14 [keyring] Considering backends: [keychain]
2023/03/06 17:09:14 Using region "eu-west-1" from AWS_DEFAULT_REGION
2023/03/06 17:09:14 Profile 'default' missing in config file
2023/03/06 17:09:14 profile my-shared-base-profile: using credential process
2023/03/06 17:09:14 Setting subprocess env: AWS_REGION=eu-west-1, AWS_DEFAULT_REGION=eu-west-1
2023/03/06 17:09:14 [keyring] Querying keychain for service="aws-vault", keychain="login.keychain"
2023/03/06 17:09:14 [keyring] Found 2 results
2023/03/06 17:09:14 [keyring] Querying keychain for service="aws-vault", keychain="login.keychain"
2023/03/06 17:09:14 [keyring] Found 2 results
2023/03/06 17:09:14 [keyring] Querying keychain for service="aws-vault", account="credential_process,ZGV2a2l0LXNlY3VyaXR5,,-62135596800", keychain="login.keychain"
2023/03/06 17:09:14 [keyring] No results found
[waited 2 minutes, Ctrl-C]

I can get it to work by logging in with a previous version of aws-vault first & not clearing the session.

I can also get it to work by removing the credential_process line from the my-shared-base-profile, but then I can't use AWS_PROFILE or aws --profile:

$ aws --profile profile-with-role sts get-caller-identity
The source profile "my-shared-base-profile" must have credentials.

I see this use case documented in USAGE.md, and I can't see how what I'm doing differs. Is this still working?

dgholz commented 1 year ago

Switching the command to the new aws-vault export --format=json my-shared-base-profile didn't change the behaviour, nor did using --no-session (with exec and with export).

jweyrich commented 1 year ago

I'm facing the same problem today. I ran brew update && brew upgrade this morning and now aws-cli commands no longer work - I also use credential_process on my profiles (in ~/.aws/config).

A simple aws --profile MYPROFILE s3 ls (or using aws-vault directly) takes several minutes to show the following error:

aws-vault: error: exec: Failed to get credentials for MYPROFILE: running command "aws-vault exec MYPROFILE --json --no-session": exit status 1

Removing the credential_process fixes the issue, but unfortunately I depend on credential_process for other reasons.

mtibben commented 1 year ago
[profile my-shared-base-profile]
credential_process=aws-vault exec my-shared-base-role -j

@dgholz your config doesn't show any [profile my-shared-base-role] as referred to in your credential_process. Can you provide it?

What does running aws-vault exec my-shared-base-role -j yourself give you?

I see this use case documented in USAGE.md, and I can't see how what I'm doing differs. Is this still working?

Where in USAGE do you see this?

dgholz commented 1 year ago

@dgholz your config doesn't show any [profile my-shared-base-role] as referred to in your credential_process. Can you provide it?

Typo when redacting; it should have been my-shared-base-profile. I updated the config I shared in the original post.

Where in USAGE do you see this?

https://github.com/99designs/aws-vault/blob/master/USAGE.md#invoking-aws-vault-via-credential_process

onnos commented 1 year ago

@dgholz I believe what you want is something like this for v7:

[profile base]
mfa_serial=arn:aws:iam::121212121212:mfa/myusername
region=eu-west-1

[profile base-session]
credential_process=sh -c 'aws-vault --prompt terminal export base --duration 12h --format=json 2> $(tty)'

[profile somerole]
role_arn=arn:aws:iam::242424242424:role/cross-account-role
source_profile=base-session

This works for me (and my team) on different platforms and allows the MFA credentials to be cached. If I understand correctly, somerole invokes base-session, which invokes aws-vault through credential_process and exports the base profile. The tty redirect trick is to ensure things like Terraform pick it up and prompt for the MFA challenge when needed.

I do end up with a duplicate session at the moment when aws-vault is invoked through the SDK (e.g. by calling aws --profile somerole s3 ls):

Profile                  Credentials              Sessions
=======                  ===========              ========
base                     base                     sts.GetSessionToken:7h24m21s
base-session             -                        credential_process:7h24m21s

but that should be fixed by whatever is decided in https://github.com/99designs/aws-vault/issues/1181. With v6 I would just get the sts.GetSessionToken, which is what I expect we'll get back once the new credential_process name overload part can be disabled.
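The two layouts in this thread differ in one detail: in the original post, [profile my-shared-base-profile] has a credential_process that runs aws-vault against my-shared-base-profile itself, whereas the layout above keeps the MFA profile (base) separate from the profile whose credential_process invokes aws-vault (base-session). The following script is an added example, not aws-vault's own code, that parses a shared config file and flags the self-referential pattern, unknown credential_process targets, missing source_profile references and source_profile loops. The list of aws-vault flags that take a value (VALUE_FLAGS) and the sample configs (built from the two configs posted in this issue) are assumptions of this example; the check is a lint heuristic derived from the thread, not aws-vault's own resolution logic.

```python
"""Lint ~/.aws/config for credential_process / source_profile problems.

Added example (not aws-vault's own code). It treats a profile whose
credential_process runs `aws-vault exec|export <same profile>` as a
self-reference, which is the layout from the original post; the split
base / base-session layout from the later comment passes clean.
"""
import configparser
import shlex

# aws-vault exec/export flags that consume the following token as a value.
# Assumed list for this example; extend it if your commands use other flags.
VALUE_FLAGS = {"--prompt", "--duration", "--format", "--region",
               "--mfa-token", "--backend"}


def parse_config(text):
    """Parse shared-config text into {profile_name: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    profiles = {}
    for section in cp.sections():
        # `[profile name]` sections map to `name`; `[default]` stays as-is.
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(cp[section])
    return profiles


def aws_vault_target(command):
    """Return the profile an `aws-vault exec|export` command operates on, or None."""
    tokens = shlex.split(command)
    # Unwrap the `sh -c '...'` wrapper used to redirect the MFA prompt to a tty.
    if len(tokens) >= 3 and tokens[0] in ("sh", "bash") and tokens[1] == "-c":
        tokens = shlex.split(tokens[2])
    if not tokens or tokens[0].split("/")[-1] != "aws-vault":
        return None
    sub = next((i for i, t in enumerate(tokens) if t in ("exec", "export")), None)
    if sub is None:
        return None
    i = sub + 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "--":          # start of the wrapped command; no profile given
            return None
        if tok.startswith("-"):  # skip flags, and the value of flags that take one
            i += 2 if tok in VALUE_FLAGS else 1
            continue
        return tok               # first positional argument is the profile
    return None


def lint(profiles):
    """Return a list of (profile, issue_code, detail) findings."""
    findings = []
    for name, cfg in profiles.items():
        proc = cfg.get("credential_process")
        if proc:
            target = aws_vault_target(proc)
            if target == name:
                findings.append((name, "self-referential-credential-process",
                                 "credential_process runs aws-vault on this same profile; "
                                 "split it into a base profile and a separate session profile"))
            elif target is not None and target not in profiles:
                findings.append((name, "unknown-credential-process-target",
                                 f"credential_process targets undefined profile {target!r}"))
        src = cfg.get("source_profile")
        if src and src not in profiles:
            findings.append((name, "missing-source-profile",
                             f"source_profile {src!r} is not defined"))
    # Follow source_profile chains from every profile and report loops.
    for name in profiles:
        seen, cur = [], name
        while cur in profiles and cur not in seen:
            seen.append(cur)
            cur = profiles[cur].get("source_profile")
        if cur is not None and cur in seen:
            findings.append((name, "source-profile-loop",
                             " -> ".join(seen + [cur])))
    return findings


# Constructed sample inputs, taken from the two configs posted in this issue.
ORIGINAL_CONFIG = """\
[profile my-shared-base-profile]
credential_process=aws-vault exec my-shared-base-profile -j
mfa_serial=arn:aws:iam::1234567890:mfa/danielholz
region=eu-west-1

[profile profile-with-role]
source_profile=my-shared-base-profile
include_profile=my-shared-base-profile
region=eu-west-1
role_arn=arn:aws:iam::12345678901:role/allow-view-only-access-from-other-accounts
"""

SPLIT_CONFIG = """\
[profile base]
mfa_serial=arn:aws:iam::121212121212:mfa/myusername
region=eu-west-1

[profile base-session]
credential_process=sh -c 'aws-vault --prompt terminal export base --duration 12h --format=json 2> $(tty)'

[profile somerole]
role_arn=arn:aws:iam::242424242424:role/cross-account-role
source_profile=base-session
"""

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONFIG), ("split", SPLIT_CONFIG)):
        print(f"== {label} config ==")
        for profile, code, detail in lint(parse_config(text)) or [("-", "ok", "no findings")]:
            print(f"{profile}: {code}: {detail}")
```

Run it against your own file with `lint(parse_config(open(os.path.expanduser("~/.aws/config")).read()))`; the original layout yields one self-referential finding on my-shared-base-profile, while the split layout yields none.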

dgholz commented 1 year ago

Thanks, that is exactly the approach we're taking.

mtibben commented 1 year ago

A pre-release fix has been released: v7.0.2-beta2 release. Can you please test this and confirm that it fixes this issue?

robdew commented 1 year ago

I had this same issue and v7.0.2-beta2 release fixed it.

mtibben commented 1 year ago

Fixed in https://github.com/99designs/aws-vault/pull/1183