Open pwillis-els opened 3 years ago
The Linux keyring implementation is here: https://github.com/Versent/saml2aws/blob/master/helper/linuxkeyring/linuxkeyring.go

It seems to be using three keyring backends:

```go
// excerpt from linuxkeyring.go: the backends saml2aws allows on Linux
AllowedBackends: []keyring.BackendType{
	keyring.KWalletBackend,
	keyring.SecretServiceBackend,
	keyring.PassBackend,
},
```
Given you're not running a desktop, I suspect you'll fall into the Pass backend: https://www.passwordstore.org/

I haven't looked deeply into it, but I think it's storing your keys into a file called `.password-store`.
I was able to solve this for `pass`. I still don't know how the other keychains work...

In addition, I got the `credential_process` feature to work, which enables AWS CLI to automatically refresh my credentials (using non-interactive MFA), so I'm adding all of it below.

This is for Ubuntu Linux 18.04.5, using `pass`, `git`, `gpg`, `saml2aws`, and AWS CLI (v1).
```shell
$ sudo apt-get install gnupg2
$ gpg -v --quick-generate-key EMAIL-ADDRESS
$ pass init EMAIL-ADDRESS
$ pass git init
$ saml2aws configure
```
Set up AWS config file `~/.aws/config`:

```ini
[profile nonprod]
region = us-east-1
output = json
credential_process = saml2aws login --skip-prompt --quiet --credential-process --role arn:aws:iam::NONPRODAWSACCTID:role/ROLENAME --profile nonprod-saml2aws

[profile production]
region = us-east-1
output = json
credential_process = saml2aws login --skip-prompt --quiet --credential-process --role arn:aws:iam::PRODAWSACCTID:role/ROLENAME --profile production-saml2aws
```
```shell
$ saml2aws list-roles --skip-prompt
$ aws --profile production s3 ls
```
NOTE: You must use either a fully-qualified path with a custom `--credentials-file`, or a different `--profile` argument for saml2aws. Otherwise, the credentials for the AWS profile will be stored in the default `~/.aws/credentials` file. When the credentials expire, AWS will load those credentials for the AWS profile before running `credential_process`, leading to AWS refusing to refresh your session once it expires.
NOTE 2: If you use `pass` and `gpg` as above, and your system defaults to using pinentry-curses or pinentry-tty, your shell's `.profile` MUST export the following environment variable, or the `pinentry` program used by `gpg` will not be able to read your password in the correct terminal:

```shell
export GPG_TTY=$(tty)
```
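The first NOTE above describes a configuration mistake that is easy to make and silently breaks credential refresh: if the `--profile` saml2aws writes into is the same profile the AWS CLI reads, the static keys in `~/.aws/credentials` are found first and `credential_process` is never re-run once they expire. The following is an added example (not code from saml2aws or from the comment author) that parses a config/credentials pair and flags profiles where that can happen. It assumes the CLI precedence the note states (credentials file before `credential_process`), and the sample files it checks are constructed with placeholder values; the `production` entry deliberately reproduces the mistake.

```python
"""Check an AWS CLI config/credentials pair for the credential_process pitfall.

Assumption (as stated in the note above): a profile that has static keys in
~/.aws/credentials is served from there before credential_process in
~/.aws/config is consulted. So if saml2aws's --profile target is the very
profile the CLI reads, the first login works and every later call reuses the
expired keys instead of re-running saml2aws.
"""
import configparser
import shlex

# Constructed sample files (placeholder values, not real credentials). The
# "production" profile deliberately points saml2aws at "production" itself.
SAMPLE_CONFIG = """\
[profile nonprod]
region = us-east-1
output = json
credential_process = saml2aws login --skip-prompt --quiet --credential-process --role arn:aws:iam::NONPRODAWSACCTID:role/ROLENAME --profile nonprod-saml2aws

[profile production]
region = us-east-1
output = json
credential_process = saml2aws login --skip-prompt --quiet --credential-process --role arn:aws:iam::PRODAWSACCTID:role/ROLENAME --profile production
"""

SAMPLE_CREDENTIALS = """\
[nonprod-saml2aws]
aws_access_key_id = ASIAPLACEHOLDER
aws_secret_access_key = PLACEHOLDER
aws_session_token = PLACEHOLDER

[production]
aws_access_key_id = ASIAPLACEHOLDER
aws_secret_access_key = PLACEHOLDER
aws_session_token = PLACEHOLDER
"""


def parse_ini(text):
    """Parse an AWS-style INI file; interpolation is off so '%' in values is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def cli_option(argv, name):
    """Return the value of `name` in argv, accepting both `--x VALUE` and `--x=VALUE`."""
    for i, tok in enumerate(argv):
        if tok == name and i + 1 < len(argv):
            return argv[i + 1]
        if tok.startswith(name + "="):
            return tok.split("=", 1)[1]
    return None


def check_profiles(config_text, credentials_text):
    """Return one finding string per AWS profile whose credential_process can be shadowed."""
    config = parse_ini(config_text)
    creds = parse_ini(credentials_text)
    findings = []
    for section in config.sections():
        # ~/.aws/config names profiles "[profile x]"; the credentials file uses "[x]".
        aws_profile = section[len("profile "):] if section.startswith("profile ") else section
        cmd = config[section].get("credential_process")
        if not cmd:
            continue
        argv = shlex.split(cmd)
        if not argv or not argv[0].endswith("saml2aws"):
            continue  # some other credential helper; not checked here
        if cli_option(argv, "--credentials-file"):
            continue  # saml2aws writes elsewhere, so the CLI never sees its static keys
        target = cli_option(argv, "--profile")
        if target is None:
            continue  # saml2aws falls back to its own default profile name; not checked here
        if target == aws_profile:
            findings.append(f"{aws_profile}: saml2aws writes to the same profile the CLI reads; "
                            "expired keys in the credentials file will shadow credential_process")
        elif aws_profile in creds:
            findings.append(f"{aws_profile}: static keys present in the credentials file; "
                            "they take precedence over credential_process")
    return findings


if __name__ == "__main__":
    for finding in check_profiles(SAMPLE_CONFIG, SAMPLE_CREDENTIALS) or ["no findings"]:
        print(finding)
```

Run against the real files by reading `~/.aws/config` and `~/.aws/credentials` into the two arguments; an empty result means every saml2aws-backed profile writes its keys somewhere the CLI will not pick up ahead of `credential_process`.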
Stumbled over this old discussion while looking for a keyring backend for MacOS. While I was able to configure `saml2aws` to use the `pass` backend on Ubuntu Linux, adhering to the README, I followed the same sequence of steps on MacOS, but without success.
After running:

```
saml2aws configure
? Please choose a provider: AzureAD
? Please choose an MFA Auto
? AWS Profile default
? URL https://account.activedirectory.windowsazure.com
? Username ***
? App ID ***
? Password ***
? Confirm ***
account {
  AppID: ***
  URL: https://account.activedirectory.windowsazure.com
  Username: ***
  Provider: AzureAD
  MFA: Auto
  SkipVerify: false
  AmazonWebservicesURN: urn:amazon:webservices
  SessionDuration: 7200
  Profile: default
  RoleARN:
  Region:
}
Configuration saved for IDP account: default
```

the command `pass list` does not show any entry `saml2aws`, unlike on Linux.
- MacOS Sonoma 14.5 on MacBook Pro M2 (arm architecture)
- `saml2aws` version 2.36.15
- `pass` version 1.7.4 installed with Brew
The only workaround I found is adding a line to `.zshrc` like this:

```shell
export SAML2AWS_PASSWORD=$(pass show azuread)
```

where `azuread` represents my own manual entry for the Azure AD password.

Am I missing something? Or is the `pass` backend for `saml2aws` simply not an option on MacOS?
Any docs on how to use the keychain on a server instance that doesn't have a GUI keychain installed? I'm really out of touch, because I did a bunch of googling and still have absolutely no clue how to use the keychain function of saml2aws in a regular stripped-down, text-only Linux server. I don't write Go, so looking into the Linux documentation on keyring and the Go modules has provided very little context on how to actually set up and use the keychain/keyring.

Thank you