search

99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments
MIT License
8.53k stars 822 forks source link

assume a role with AWS-vault termporary credentials #1252

Open teto opened 3 months ago

teto commented 3 months ago

I think I lack knowledge about how AWS works. This might be a generic AWS question but also could be worth making clearer.

I have a role ROLE I successfully assume with

$ aws-vault exec --no-session sandbox aws sts assume-role --role-arn "arn:aws:iam::REDACTED:role/redacted" --role-session-name toto
....
SUCCESSFUL_RESULT
....

now if I run the ~same (without --no-session) command from a aws-vault exec sandbox aws sts assume-role --role-arn "arn:aws:iam::REDACTED:role/redacted" --role-session-name toto

I get

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::REDACTED:user/redacted is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::REDACTED:role/redacted

arn:aws:iam::REDACTED:user/redacted IS allowed to assume the role since outside aws-vault it works. Apparently aws-vault gets me into a special kind of session for my own user (short term credentials) https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html that could limit my capabilities to assume a role ? Reading the doc https://github.com/99designs/aws-vault/blob/master/USAGE.md#session-duration (and the aws official one) I could not find anything about these limitations . did I miss anything in my IAM configuration or is this an aws-vault fault ? would it work with mfa ?

karlkovaciny commented 2 months ago

This error also seems to be blocking me from using AWS Vault to provide SSO credentials to Docker as described in https://github.com/99designs/aws-vault/blob/master/USAGE.md#docker.

seldon007 commented 2 months ago

You can assume the role as part of your aws-vault profile setup e.g. 

[profile sandbox]
mfa_serial=arn:aws:iam::xxxxxx:mfa/my-user
role_arn=arn:aws:iam::xxxxxx:role/REDACTED

then you should have assumed it via stort term credentitals aws-vault --debug exec sandbox -- aws sts get-caller-identity

It that does not work, you need to look at your iam user/role configuration

teto commented 1 month ago

I found out after posting that mfa is mandatory to be able to assume the roles (though nothing in AWS errors indicate that). This is pretty annoying with some software though, for instance https://k8slens.dev/ keeps asking about MFA because I think it creates a new AWS request every ~10sec and aws-vault doesn't seem to cache the credentials so it reprompts for MFA. Is there a trick around it ? It made me disable aws-vault but I would rather reenable it.

seldon007 commented 1 month ago

The above configuration caches my short term credentials for 1 hour (and maybe maximum for short term creds). I only use MFA when getting the initials credentials then again when they expire. It is most likely IAM policies on your aws account that needs to be fixed.

seldon007 commented 1 month ago

I don't think AWS STS requires MFA unless you define it in your IAM Policies. You should remove mfa_serial from aws-vault if you don't need mfa