aws / session-manager-plugin

This plugin helps you to use the AWS Command Line Interface (AWS CLI) to start and end sessions to your managed instances
Apache License 2.0

Unable to connect to KMS encrypted session when using credential_process in .aws/config #92

Open DougManton opened 7 months ago

DougManton commented 7 months ago

I'd really appreciate your help to find the root cause for a problem authenticating sessions when using session-manager-plugin in combination with KMS session encryption and an external credential_process.

Steps to Reproduce

  1. Windows using latest aws-cli and session-manager-plugin
  2. Use a credential process such as aws-sso-cli to create authentication profiles in the format:

```ini
[profile myprofile]
credential_process = c:\aws-sso-cli\aws-sso-cli.exe -u open-url-in-container -S "Default" process --arn arn:aws:iam::123456789:role/myrole
region = us-east-1
```

  3. Launch an aws ssm session: `aws ssm start-session --profile myprofile --target mi-1234567890abcd`
  4. Observe an error when session-manager-plugin attempts to call KMS after starting the session:

```
Starting session with SessionId: myuser@mydomain.com-1234567890abcdef
Level=fatal msg="'\"Default\"'  is not a valid AWS SSO Instance\"

SessionId: myuser@mydomain.com-1234567890abcdef :
----------ERROR-------
Encountered error while initiating handshake.  KMSEncryption failed on client with status 2 error: Failed to process activation KMSEncryption: Error calling KMS GenerateDataKey API: ProcessProvider ExecutionError: error in credential_process caused by: exit status 1
```

Workarounds

Thoughts on Problem

yuting-fan commented 3 months ago

Hi @DougManton ,

The credentials used by KMS encryption are passed from AWS CLI to the Session Manager plugin. What is the version of AWS CLI you are using? There was a fix done in AWS CLI to correctly pass the credential profile down, and it was released in AWS CLI v2.35.61 and v1.32.116. If you continue to see issues after upgrading to the latest version, please let us know for further investigation.

Regards, Yuting

brad-jones commented 2 months ago

FWIW just modify the generated output of aws-sso config-profiles from -S "Default" to -S Default. It solved a similar issue I had with a terraform stack.

jonBerg24 commented 1 month ago

It also happens when you use an sso-session whose name contains whitespaces as the profile's credentials.
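An added example, not code from the session-manager-plugin project or from any poster in this thread: a small Python audit that reads an AWS config file in the shape shown in the report, lists every credential_process argument carrying literal quote characters (the `-S "Default"` form the report and brad-jones's workaround concern), and applies the rewrite from that workaround to single-word arguments only, since a quoted multi-word name like the whitespace case jonBerg24 mentions cannot simply have its quotes dropped. The profile text is constructed with placeholder account and role values.

```python
import configparser
from typing import List, Tuple

# Constructed sample in the shape of the profile from the issue (placeholder
# account id and role, not real values); the second profile is the form the
# workaround posted in the thread produces.
SAMPLE_CONFIG = r"""[profile quoted]
credential_process = c:\aws-sso-cli\aws-sso-cli.exe -u open-url-in-container -S "Default" process --arn arn:aws:iam::123456789:role/myrole
region = us-east-1

[profile unquoted]
credential_process = c:\aws-sso-cli\aws-sso-cli.exe -u open-url-in-container -S Default process --arn arn:aws:iam::123456789:role/myrole
region = us-east-1
"""

QUOTES = ('"', "'")


def quoted_tokens(command: str) -> List[str]:
    """Whitespace-delimited tokens of a credential_process line that start or
    end with a literal quote character, e.g. '"Default"'."""
    return [t for t in command.split() if t.startswith(QUOTES) or t.endswith(QUOTES)]


def unquote_tokens(command: str) -> str:
    """Apply the workaround: drop a matching pair of surrounding quotes from a
    single-word argument; tokens of a quoted phrase with spaces are left alone."""
    out = []
    for t in command.split():
        if len(t) >= 2 and t[0] == t[-1] and t[0] in QUOTES:
            out.append(t[1:-1])
        else:
            out.append(t)
    return " ".join(out)


def audit_config(config_text: str) -> List[Tuple[str, str]]:
    """(profile section, token) pairs for every credential_process whose arguments
    carry literal quotes, so affected profiles are found before a session fails."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(config_text)
    findings = []
    for section in parser.sections():
        cmd = parser.get(section, "credential_process", fallback=None)
        if cmd:
            findings.extend((section, tok) for tok in quoted_tokens(cmd))
    return findings
```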