Background:
I don't use granted credentials rotate for credential rotation due to #388 . Instead I use aws-vault rotate and then export the creds to be imported/updated into granted.
Reproduce:
Rotate IAM access key and secret access key by whatever means.
granted credentials update <profile>
aws sts get-caller-identity --profile <profile> # Old session credentials will be used and user will get an error.
Output:
❯ aws-vault rotate default -n
Rotating credentials stored for profile 'default' using master credentials (takes 10-20 seconds)
Creating a new access key
Created new access key ****************<REDACTED>
Deleting old access key ****************<REDACTED>
Deleted old access key ****************<REDACTED>
Finished rotating access key
❯ aws-vault export default -n
<REDACTED>
❯ granted credentials update default
? Access Key ID: <REDACTED>
? Secret Access Key: ****************************************
Updated default in secure storage
❯ aws sts get-caller-identity --profile default
An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.
Workaround:
Use granted cache clear to clear the session-credentials for the affected profile.
Independent of how granted credentials rotate is implemented #388 , I believe granted credentials update should still clear the session-credentials after import.
Background: I don't use
granted credentials rotate
for credential rotation due to #388 . Instead I useaws-vault rotate
and then export the creds to be imported/updated into granted.Reproduce:
granted credentials update <profile>
aws sts get-caller-identity --profile <profile>
# Old session credentials will be used and user will get an error.Output:
Workaround: Use
granted cache clear
to clear thesession-credentials
for the affected profile.Independent of how
granted credentials rotate
is implemented #388 , I believegranted credentials update
should still clear thesession-credentials
after import.Thanks!