Closed edentsai closed 1 year ago
I've had to downgrade to 6.x because of this. Not clear how to keep it working with KeePassXC (https://fcivaner.medium.com/how-to-store-your-aws-cli-credentials-on-keepassxc-5429dee1656d, cc @fcivaner).
Can you reproduce this issue with the latest version v7.1.0?
Yes
@wknapik aws-vault didn't have credential_process support in v6, so your comment about needing to downgrade to v6 doesn't make sense in the context of this issue. (i.e. this issue is about supporting master creds in credentials_process)
Perhaps you can create a new issue for your problem with a full description and use-case.
I have the same issue in v7.1.0.

```
[profile master-profile]
output = json
region = us-east-1
credential_process=aws-vault export master-user --format=json --no-session

[profile cluster-prod]
output=json
region=us-east-1
mfa_serial=arn:aws:iam::
```

When I try to use usual commands like

```
aws start-session <some arguments> --profile cluster-prod
```

it's working fine.
But when I try to use

```
aws-vault login cluster-prod
```

I got an error:

```
aws-vault: error: login: Failed to get credentials: operation error STS: AssumeRole, failed to sign request: failed to retrieve credentials: JSON credential from command "aws-vault export master-user --format=json --no-session" missing the following fields: [Expiration SessionToken]
```

Looks like it's a bug. I don't think that Expiration SessionToken fields should be necessary here. --no-session flag shouldn't have these fields.
@mtibben I don't think we're understanding each other. 6.6.2 is working for me and 7.1.0 isn't.

```
% ./aws-vault-linux-amd64-6.6.2 exec some-account --no-session -- aws sts get-caller-identity
{
    "UserId": "some-id",
    "Account": "some-account",
    "Arn": "some-arn"
}
% ./aws-vault-linux-amd64-7.1.0 exec some-account --no-session -- aws sts get-caller-identity
aws-vault: error: exec: Failed to get credentials for some-account: JSON credential from command "some-credentials-process-script.sh" missing the following fields: [Expiration SessionToken]
%
```

My credentials_process script executes

```
printf '{ "Version": 1, "AccessKeyId": "%s", "SecretAccessKey": "%s" }\n' "$(secret-tool lookup Title aws-access-key-id)" "$(secret-tool lookup Title aws-secret-access-key)"
```
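An added example, not part of the comment above and not aws-vault code: a check of a `credential_process` helper's JSON against the output keys the AWS CLI documents, where `Version`, `AccessKeyId` and `SecretAccessKey` are required and `SessionToken` and `Expiration` are optional. The function name and all sample values are constructed for illustration.

```python
import json
from datetime import datetime, timezone

REQUIRED = ("Version", "AccessKeyId", "SecretAccessKey")

def check_credential_process_output(raw, now=None):
    """Classify one credential_process JSON document (hypothetical helper).

    Returns (kind, problems); kind is "long-term", "temporary" or "invalid".
    """
    now = now or datetime.now(timezone.utc)
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return "invalid", [f"not JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return "invalid", ["top level is not a JSON object"]

    problems = [f"missing {k}" for k in REQUIRED if doc.get(k) in (None, "")]
    if doc.get("Version") not in (None, "", 1):
        problems.append("Version must be 1")

    # Optional keys: absent means long-term keys that never expire.
    expiry = doc.get("Expiration")
    if expiry is not None:
        try:
            when = datetime.fromisoformat(str(expiry).replace("Z", "+00:00"))
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                problems.append("Expiration is in the past")
        except ValueError:
            problems.append("Expiration is not an ISO 8601 timestamp")

    if problems:
        return "invalid", problems
    return ("temporary" if doc.get("SessionToken") else "long-term"), []

# Constructed samples; the first has the shape the printf helper above emits.
LONG_TERM = '{ "Version": 1, "AccessKeyId": "EXAMPLE-KEY-ID", "SecretAccessKey": "example-secret" }'
TEMPORARY = ('{ "Version": 1, "AccessKeyId": "EXAMPLE-KEY-ID", "SecretAccessKey": "example-secret",'
             ' "SessionToken": "example-token", "Expiration": "2030-01-01T00:00:00Z" }')

if __name__ == "__main__":
    for sample in (LONG_TERM, TEMPORARY):
        print(check_credential_process_output(sample))
```

A helper that is classified as `long-term` hands unexpiring keys to every process that invokes it, so it is worth knowing which of your profiles fall in that class.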
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
I'm also seeing this and not sure how to get around it.
In my case, my AWS config was incorrect (I was using the wrong profile name). Once I called aws-vault export ... with a profile name that actually existed in my AWS config, it worked.
I had this issue today on version 7.2.0 and think I figured out the reason.
I initially created my profile with my user name xyz-kurt-harriger.
I later edited my config to create a profile with just the account alias instead... however, I found this did not work correctly.

```
[profile xyz-kurt-harriger]
credential_process=aws-vault export xyz-kurt-harriger --no-session --format=json
region=eu-west-3

[profile xyz]
credential_process=aws-vault export xyz-kurt-harriger --no-session --format=json
region=eu-west-3
```

I can execute aws-vault login xyz-kurt-harriger successfully, but aws-vault login xyz does not work.
The fix is to use the source_profile instead:

```
[profile xyz]
source_profile=xyz-kurt-harriger
region=eu-west-3
```
My aws-vault version:

My ~/.aws/config example:

Running the command `aws-vault export --no-session demo` will throw an error:

I think the error is caused by the following code:

In my opinion, when using `aws-vault export --no-session`, the Expiration and SessionToken fields are not required. Or aws-vault can automatically fetch them by creating an STS session with GetSessionToken? Thanks.