Open chrnorm opened 2 years ago
Unfortunately this is not actually working correctly. While with this config, it no longer prompts for a password for the file-based cred-store, it authenticates to SSO every time instead of caching the token.
❯ assume --verbose -c ...
DEBUG: starting update check
2022/09/08 16:27:02 [keyring] Considering backends: [wincred]
DEBUG: GetValidCachedToken: opening keyring: Specified keyring backend not available
The workaround I found for this is to use pass
instead of wincred
. This approach requires gpg
, but is otherwise working smoothly for me.
Per some guidance from @chrnorm, you can create a gpg key to use with granted-cli:
sudo apt install pass
gpg --full-generate-key
pass init E7BF4FFE628F18FCFC3A6C8DC5E556A9DB95E5E5 # your public key ID from previous step
export GPG_TTY=$(tty)
I also add the export
command to my .bashrc so it set automatically:
❯ grep GPG_TTY ~/.bashrc
export GPG_TTY=$(tty)
And then because WSL can open the browser from the windows path just fine, you can setup your granted config like this:
❯ cat ~/.granted/config
DefaultBrowser = "FIREFOX"
CustomBrowserPath = "/c/Program Files/Mozilla Firefox/firefox.exe"
CustomSSOBrowserPath = ""
LastCheckForUpdates = 3
Ordering = ""
ExportCredentialSuffix = ""
[Keyring]
Backend = "pass"
The exact path to the browser may be different on your WSL, depending on how you setup WSL and on how/where you installed the browser. I am using firefox installed to the default path, but in WSL I mount /c
instead of the default /mnt/c
...
I've also extended the default gpg cache ttls so I don't have to input my passkey as frequently:
❯ cat ~/.gnupg/gpg-agent.conf
default-cache-ttl 86400
max-cache-ttl 86400
Thanks for your instructions @lorengordon, however I'm still having issues - maybe someone could help here?
I've installed pass, generated a key and exported GPG_TTY (echo returns /dev/pts/0
).
calling pass
also returns the password store:
Password Store
└── granted-aws-sso-tokens
└── https:
└── d-XXXXXXXXX.awsapps.com
└── start#
Assuming a role works as well, however it seems the authentication token is not being cached. Every time I assume the (same) role, I get prompted for a browser authentication:
$ assume -c --verbose
[DEBUG] profile registry not configured. Skipping auto sync.
? Please select the profile you would like to assume: role_xyz
2022/12/12 15:35:41 [keyring] Considering backends: [pass]
[DEBUG] GetValidCachedToken: The specified item could not be found in the keyring
[i] If the browser does not open automatically, please open this link:
[i] https://device.sso.eu-central-1.amazonaws.com/?user_code=AAAA-BBBB
[i] Awaiting authentication in the browser...
calling granted sso-tokens list only returns one (incorrect - only one "/" after the https:/) URL that doesn't seem to be linked to any profile
$ granted sso-tokens list
https:/d-XXXXXXXXX.awsapps.com/start# ()
meanwhile, when calling the same command in PowerShell (for testing purposes), I do get a cached token after I authenticated once:
> granted sso-tokens list
https://d-XXXXXXXXX.awsapps.com/start#/ (role_xyz)
I did use the granted sso-tokens remove --all
command mentioned in the docs (https://docs.commonfate.io/granted/configuration/), but even then this "invalid" token persists.
Also granted uninstall
doesn't change anything here, after adding the keyring to the config again the issue is the same as before.
The .aws config file is exactly the same in both the WSL and Windows environment:
[profile role_xyz]
credential_process=aws-sso-util credential-process --profile role_xyz
sso_start_url=https://d-XXXXXXXXX.awsapps.com/start#/
sso_region=eu-central-1
sso_account_id=YYYYYYYYYYYY
sso_role_name=AWSAdministratorAccess
region=eu-central-1
cli_history=enabled
max_attempts=10
retry_mode=standard
Would really appreciate if someone could help me get that setup running, happy to provide further details if needed (WSL runs Ubuntu 20.04.5 LTS if that is of relevance)!
Thanks for uploading the workaround! I'm unfortunately getting the same errors as @jakheipcg when using pass.
Would be really nice to get granted working with the "wincred" backend!
Another option I just got working is to use WSLg, and enable systemd in wsl. Then setup gnome-keyring, and configure granted to use it:
[Keyring]
Backend = "secret-service"
The following setting works out of the box for Windows Credential Manager when running Granted in WSL, as reported by a community member.
We should document this so that other WSL users can easily discover it.