common-fate / granted

The easiest way to access your cloud.
https://granted.dev
MIT License

Granted is unable to set environment variables on Windows if profile name is longer than 10 characters #464

Closed travisnburton closed 12 months ago

travisnburton commented 12 months ago

Versions Impacted

0.14.3, 0.14.1, 0.7.1

Issue

Given an AWS account named "foo-bar" and an SSO role named "baz", if we ran granted sso populate we would end up with an .aws/config file containing the following:

[profile foo-bar/baz]
granted_sso_start_url      = <snip>
granted_sso_region         = us-east-1
granted_sso_account_id     = <snip>
granted_sso_role_name      = baz
common_fate_generated_from = aws-sso
credential_process         = granted credential-process --profile foo-bar/baz

If we were to assume that role from a Windows machine, the environment variables would not be set correctly, and awscli would fail to authenticate:

> assume foo-bar/baz
[✔] [foo-bar/baz](us-east-1) session credentials will expire in 12 hours

C:\Users\Administrator>aws s3 ls

The config profile (foo-bar/ba) could not be found

C:\Users\Administrator>set | find "AWS"
AWS_ACCESS_KEY_ID=<snip>
AWS_EXECUTION_ENV=EC2
AWS_PROFILE=foo-bar/ba
AWS_SECRET_ACCESS_KEY=<snip>
AWS_SESSION_TOKEN=<snip>

travisnburton commented 12 months ago

Limiting the combined profile name to 10 characters results in a working configuration:

> assume foo-bar/ba
[✔] [foo-bar/ba](us-east-1) session credentials will expire in 12 hours

C:\Users\Administrator>aws s3 ls

C:\Users\Administrator>set | find "AWS"
AWS_ACCESS_KEY_ID=<snip>
AWS_EXECUTION_ENV=EC2
AWS_PROFILE=foo-bar/ba
AWS_SECRET_ACCESS_KEY=<snip>
AWS_SESSION_TOKEN=<snip>

travisnburton commented 12 months ago

The issue is actually due to the 1024 character limit in Windows which is being hit in assume.bat when calling set /p ASSUME_OUTPUT=<%TEMP%\temp-assume.txt

Confirmed the fix in https://github.com/common-fate/granted/pull/465 correctly addresses this issue.
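
The symptom in this thread, an AWS_PROFILE value that is a cut-off prefix of a configured profile, can be checked for directly. The following is an added example, not code from the thread or from the Granted project: it models reading one line through a 1024-character limit and then classifies the resulting profile name against the profiles in an AWS config. The space-separated field layout, the function names and the sample data are assumptions made for illustration.

```python
import configparser

SET_P_LIMIT = 1024  # limit quoted in the issue for `set /p` in assume.bat

# Constructed sample, modelled on the config shown in the issue.
SAMPLE_CONFIG = """\
[profile foo-bar/baz]
granted_sso_region         = us-east-1
granted_sso_role_name      = baz
credential_process         = granted credential-process --profile foo-bar/baz

[profile sandbox/admin]
granted_sso_region         = us-east-1
granted_sso_role_name      = admin
"""


def configured_profiles(config_text):
    """Return the profile names defined in an AWS config file's text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    prefix = "profile "
    return {s[len(prefix):] if s.startswith(prefix) else s for s in parser.sections()}


def read_like_set_p(fields, limit=SET_P_LIMIT):
    """Join fields into one line, cut it at `limit`, and split it again.

    The single space-separated line is an assumed layout for illustration.
    """
    return " ".join(fields)[:limit].split(" ")


def diagnose(aws_profile, profiles):
    """Classify AWS_PROFILE as 'ok', 'truncated' (with candidates) or 'unknown'."""
    if aws_profile in profiles:
        return ("ok", [])
    # A non-empty value that is a strict prefix of a real profile was likely cut off.
    candidates = sorted(p for p in profiles if aws_profile and p.startswith(aws_profile))
    return ("truncated", candidates) if candidates else ("unknown", [])


if __name__ == "__main__":
    # Constructed credential lengths, chosen so ten characters remain for the name.
    line = ["K" * 20, "S" * 40, "T" * 951, "foo-bar/baz"]
    seen = read_like_set_p(line)[-1]
    print(seen, diagnose(seen, configured_profiles(SAMPLE_CONFIG)))
```

With these constructed lengths the room left for the profile name is ten characters, which shows why the apparent name-length limit depends on the size of the credentials ahead of it on the line.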