AWS_ROLE_ARN does not work in 7.x.x

jtsoi commented 1 year ago

[x] I am using the latest release of AWS Vault
[x] I have provided my .aws/config (redacted if necessary)
[x] I have provided the debug output using aws-vault --debug (redacted if necessary)

Problem

Hi, I was using AWS_ROLE_ARN=<to-role> aws-vault exec <from-profile> -- <cmd> as outlined in #423, this is working in 6.6.2, but no longer works in 7.0.0, possibly a regression due to new MFA features? I can work around the issue for the moment, but it would be good to know if this is a bug or as intended.

v7.0.0 debug - not working

AWS_ROLE_ARN="arn:aws:iam::[REDACTED]:role/SandboxAdminRole" aws-vault exec jt -- aws s3 ls

2023/03/31 14:56:33 aws-vault v7.0.0
2023/03/31 14:56:33 Using prompt driver: terminal
2023/03/31 14:56:33 Loading config file /home/jt/.aws/config
2023/03/31 14:56:33 Parsing config file /home/jt/.aws/config
2023/03/31 14:56:33 [keyring] Considering backends: [secret-service]
2023/03/31 14:56:33 Using region "eu-west-1" from AWS_REGION
2023/03/31 14:56:33 Using role_arn "arn:aws:iam::[REDACTED]:role/SandboxAdminRole" from AWS_ROLE_ARN
2023/03/31 14:56:33 profile jt: using stored credentials
2023/03/31 14:56:33 profile jt: using AssumeRole (with MFA)
2023/03/31 14:56:33 Setting subprocess env: AWS_REGION=eu-west-1, AWS_DEFAULT_REGION=eu-west-1
2023/03/31 14:56:33 Re-using cached credentials ****************F54M from sts.AssumeRole, expires in 42m26.723449886s
2023/03/31 14:56:33 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2023/03/31 14:56:33 Setting subprocess env: AWS_SESSION_TOKEN
2023/03/31 14:56:33 Setting subprocess env: AWS_CREDENTIAL_EXPIRATION
2023/03/31 14:56:33 Exec command aws s3 ls
2023/03/31 14:56:33 Found executable /usr/local/bin/aws

An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

v6.6.2 debug - working

AWS_ROLE_ARN="arn:aws:iam::[REDACTED]:role/SandboxAdminRole" aws-vault exec jt -- aws s3 ls

2023/03/31 15:00:10 aws-vault v6.6.2
2023/03/31 15:00:10 Loading config file /home/jt/.aws/config
2023/03/31 15:00:10 Parsing config file /home/jt/.aws/config
2023/03/31 15:00:10 [keyring] Considering backends: [secret-service]
2023/03/31 15:00:10 Using region "eu-west-1" from AWS_REGION
2023/03/31 15:00:10 Using role_arn "arn:aws:iam::[REDACTED]:role/SandboxAdminRole" from AWS_ROLE_ARN
2023/03/31 15:00:10 profile jt: using stored credentials
2023/03/31 15:00:10 profile jt: using GetSessionToken (with MFA)
2023/03/31 15:00:10 profile jt: using AssumeRole (chained MFA)
2023/03/31 15:00:10 Re-using cached credentials ****************AGVD from sts.GetSessionToken, expires in 40m53.594420497s
2023/03/31 15:00:10 Generated credentials ****************TUEN using AssumeRole, expires in 59m59.370899873s
2023/03/31 15:00:10 Setting subprocess env: AWS_DEFAULT_REGION=eu-west-1, AWS_REGION=eu-west-1
2023/03/31 15:00:10 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2023/03/31 15:00:10 Setting subprocess env: AWS_SESSION_TOKEN, AWS_SECURITY_TOKEN
2023/03/31 15:00:10 Setting subprocess env: AWS_SESSION_EXPIRATION
2023/03/31 15:00:10 Exec command aws s3 ls
2023/03/31 15:00:10 Found executable /usr/local/bin/aws
2022-08-03 10:06:12 [REDACTED]-bucket-1
2022-08-03 10:06:12 [REDACTED]-bucket-2
...

AWS config file

.aws/config (redacted)

[default]
region=eu-west-1
output=json

[profile jt]
mfa_serial=arn:aws:iam::[REDACTED]:mfa/jt

[profile jt-sandbox-admin]
source_profile=jt
mfa_serial=arn:aws:iam::[REDACTED]:mfa/jt
role_arn=arn:aws:iam::[REDACTED]:role/SandboxAdminRole

sajoku commented 1 year ago

I can work around the issue for the moment, but it would be good to know if this is a bug or as intended.

I'm also running into this issue. Could you share how you are working around this? I just downgraded to v6 for the moment.

jtsoi commented 1 year ago

@sajoku, The workaround is not very elegant 😄

Instead of AWS_ROLE_ARN="..." aws-vault exec main -- aws s3 ls

I added all the needed roles into ~/.aws/config like this:

[profile main]
mfa_serial=arn:aws:iam::[REDACTED]:mfa/jt

[profile main-sandbox-role]
source_profile=main
mfa_serial=arn:aws:iam::[REDACTED]:mfa/jt
role_arn=arn:aws:iam::[REDACTED]:role/SandboxAdminRole

And the new call is then: aws-vault exec main-sandbox-role -- aws s3 ls

This seems to work.

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

99designs / aws-vault