[x] I have provided my .aws/config (redacted if necessary)
[x] I have provided the debug output using aws-vault --debug (redacted if necessary)
$ aws-vault exec profile --ec2-server --debug
2023/07/12 10:13:57 aws-vault v7.2.0
2023/07/12 10:13:57 Using prompt driver: wincredui
2023/07/12 10:13:57 Loading config file C:\Users\AndreasVinter-Hviid\.aws\config
2023/07/12 10:13:57 Parsing config file C:\Users\AndreasVinter-Hviid\.aws\config
2023/07/12 10:13:57 [keyring] Considering backends: [wincred]
2023/07/12 10:13:57 Profile 'default' missing in config file
2023/07/12 10:13:57 profile profile: using SSO role credentials
2023/07/12 10:13:57 Setting subprocess env: AWS_REGION=us-east-1, AWS_DEFAULT_REGION=us-east-1
aws-vault: error: exec: Another process is already bound to 169.254.169.254:80
The problem
Using aws-vault with the ec2server on Windows, my workflow has previously consisted of setting up my system to start aws-vault proxy in the background as administrator on boot. This has allowed me to use the ec2server without having to mess around with administrator shells.
I believe that this type of workflow is the intended usage of the aws-vault proxy cli command. This is based on this error message which gets printed if you try to start the ec2server without being an administrator:
The EC2 Instance Metadata endpoint proxy server isn't running. Run aws-vault proxy as Administrator or root in the background and then try this command again
Since updating to the newest version of aws-vault this no longer works. The proxy server starts up just fine on boot, but when I try to run aws-vault exec --ec2-server I get the following error:
aws-vault: error: exec: Another process is already bound to 169.254.169.254:80
That is not wrong. The proxy server process is bound to that port. That is on purpose. Previously, aws-vault would just use that instance of the proxy server. But now it seems that it fails if it is already running.
Cause
It seems this was introduced in this PR: https://github.com/99designs/aws-vault/pull/1167/files
In particular, the following code makes sure that the ec2 server cannot start if the proxy is already running.
https://github.com/99designs/aws-vault/blame/e22aea12b03e8ce036e9af87dda9303806fa2a9e/cli/exec.go#L190
Previously there was code in server/ec2server.go which would start the proxy if it was not running. This has been removed (although there is still a code comment indicating that it should be there).
This PR was created to fix issue #1133
The reporter of that issue suggested better debug output and also to shut down that proxy process when the ec2 server instance which created it terminates.
The PR seems primarily concerned with the second point. It appears to attempt to tie the lifetime of the proxy process 1:1 with the lifetime of an ec2-server process. To me, this seems like a major undocumented change in behavior. I also wonder what the point of having a separate proxy process, with a set of aws-vault proxy commands to control it, is if it cannot be managed separately from the ec2-server process.
Suggestion
It seems to me that the previous behavior was better, and that the issue would have been better served by improving debug output/documentation to make it easier to understand what was going on for the reporter.
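The two behaviours the report contrasts, as an added Go illustration that is not aws-vault's code and does not reproduce cli/exec.go or server/ec2server.go: a "fail if something is already bound" policy (what the reporter now sees) beside a "reuse the existing listener, otherwise start one" policy (what the reporter describes as the earlier behaviour). The type and function names (Policy, FailIfBound, ReuseIfBound, endpointBound, ensureEndpoint, ErrAlreadyBound) are hypothetical, and a loopback listener stands in for the real 169.254.169.254:80 address so the example runs without administrator rights.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"time"
)

// Added illustration, not aws-vault code. It models the two policies the issue
// contrasts for a process that wants to serve the EC2 metadata address:
// refuse when something is already bound, or reuse an existing listener and
// only bind the address when it is free. All names here are hypothetical.

// Policy selects what to do when the endpoint address is already in use.
type Policy int

const (
	// FailIfBound refuses to proceed when another listener already answers
	// on the address (the behaviour the issue reports after updating).
	FailIfBound Policy = iota
	// ReuseIfBound treats an existing listener as the proxy to use and only
	// binds the address itself when nothing answers (the earlier behaviour
	// described in the issue).
	ReuseIfBound
)

// ErrAlreadyBound is returned under FailIfBound when the address is in use.
var ErrAlreadyBound = errors.New("another process is already bound to the endpoint address")

// endpointBound reports whether a TCP listener currently accepts connections
// on addr. The probe is a plain connect; it does not verify what is listening.
func endpointBound(addr string, timeout time.Duration) bool {
	c, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return false
	}
	c.Close()
	return true
}

// ensureEndpoint applies p to addr. reused is true when an existing listener
// is being relied on; ln is non-nil only when this call bound the address.
func ensureEndpoint(addr string, p Policy) (ln net.Listener, reused bool, err error) {
	if endpointBound(addr, 200*time.Millisecond) {
		if p == FailIfBound {
			return nil, false, ErrAlreadyBound
		}
		return nil, true, nil
	}
	ln, err = net.Listen("tcp", addr)
	if err != nil {
		return nil, false, err
	}
	return ln, false, nil
}

func main() {
	// Stand-in for 169.254.169.254:80: a loopback listener playing the role
	// of a proxy already started in the background by another process.
	existing, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer existing.Close()
	addr := existing.Addr().String()

	_, _, err = ensureEndpoint(addr, FailIfBound)
	fmt.Println("FailIfBound with proxy running:", err)

	_, reused, err := ensureEndpoint(addr, ReuseIfBound)
	fmt.Println("ReuseIfBound with proxy running: reused =", reused, "err =", err)
}
```

The probe is only a TCP connect, so it cannot tell an aws-vault proxy from any other process that has claimed the address; a reuse policy therefore trusts whatever is listening there to answer the subprocess's credential requests, which is the trade-off to weigh when comparing the two behaviours. On a host where nothing is bound to the metadata address the dial may time out rather than be refused immediately, so the timeout bounds how long the check can delay startup.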