Open airtonix opened 1 month ago
Hi @airtonix, could you please confirm that the shell alias is correctly installed? https://docs.commonfate.io/granted/troubleshooting#manually-configuring-your-shell-profile
You’ll want to ensure that the alias is added to a profile file loaded on your shell startup.
ok it's there now and starship shows that it can see my aws profile after running assume.
However I now get
```
~
❯ assume
? Please select the profile you would like to assume: <SNIP_MYPROFILENAME>
[i] To assume this profile again later without needing to select it, run this command:
> assume <SNIP_MYPROFILENAME>
[✔] [<SNIP_MYPROFILENAME>](<SNIP_MYREGIONNAME>) session credentials will expire in 12 hours
~ on ☁️ <SNIP_MYPROFILENAME> (<SNIP_MYREGIONNAME>)
❯ aws sts get-caller-identity
An error occurred (ExpiredToken) when calling the GetCallerIdentity operation: The security token included in the request is expired
```
@airtonix could you please run `granted doctor` and then select the name of the profile you're having issues with, and post the results here? I suspect you may have a stale token cached in `~/.aws/sso/cache`, you can try and clear that directory. If that's the case it seems like we should improve our detection of this within Granted and I'll open an issue to track this.
Hello, I'm experiencing the same issue (I think). `granted doctor` output for me:

```
➜ granted doctor
[i] Checking your Granted and AWS local configurations to look for common issues...
? Please select the profile you would like to assume: [PROFILE_NAME_OMITTED]
[i] profile selected: [PROFILE_NAME_OMITTED]
[i] profile SSO start URL:
[i] profile region:
[i] Granted doctor will now check the default sso token cache (`~/.aws/sso/cache`), Granted secure storage, and the AWS credentials file to valiate cached tokens.
[i] Checking all cached tokens in secure storage
[!] error retrieving IAM Identity Center token from secure storage: The specified item could not be found in the keyring
[!] [INFO] no cached tokens in secure storage found
[i] Checking commonly found issues in Granted configuration
[!] [INFO] DefaultExportAllEnvVar set to false: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN variables will not be exported to your environment for profiles using credential process. Set this to true if you need this functionality
[i] [RECOMMENDED] Not using Firefox as default browser, we recommend using Firefox to make use of the multi-account containers functionality with Granted.
[✔] Granted Doctor has completed, see diagnostics above
```
We are not using SSO with AWS and I don't have a `~/.aws/sso/cache` folder. We're using a `credential_process` in `~/.aws/config` under the default profile. This has worked in the past.
Thanks for the report @jazmon, I am wondering if this could be a recent regression somewhere in the project. Could you please share a copy of the affected profile config from ~/.aws/config? (redacting any account IDs etc). I’d like to try and reproduce this so would like to know if you have MFA etc configured on the profile.
Additional possible note: `assume --exec -- /bin/bash` works, `assume --exec -- /bin/zsh` doesn't (I'm on zsh normally).

```ini
[default]
region=us-east-1
credential_process = bash -c "~/.aws/our-script.sh"
[profile my_profile]
role_arn=arn:aws:iam::XXXXXXXXX:role/admin
source_profile=default
```

The credential process is a script I'm not able to share but it handles fetching the credentials w/ caching (I've removed caches here) and exports `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.
Thanks for the info. Just to confirm, does your `credential_process` adhere to the expected output format? It should print a JSON like this to stdout:

```json
{
  "Version": 1,
  "AccessKeyId": "an AWS access key",
  "SecretAccessKey": "your AWS secret access key",
  "SessionToken": "the AWS session token for temporary credentials",
  "Expiration": "RFC3339 timestamp for when the credentials expire"
}
```
If so, I should be able to try and replicate this with my own bash script. Also, if you happened to know the version of Granted that this was known to be working for that would be fantastic.
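As an added example (not part of the thread or of Granted itself), the check below validates the stdout of a `credential_process` against the format above and flags the failure mode discussed here: a cached result whose `Expiration` is already in the past, which is what later surfaces as `ExpiredToken` from STS. The sample output and its values are constructed placeholders.

```python
import json
from datetime import datetime, timezone

# Constructed sample of what a credential_process should print to stdout.
# The values are placeholders, not real credentials.
SAMPLE_OUTPUT = """{
  "Version": 1,
  "AccessKeyId": "EXAMPLEACCESSKEYID",
  "SecretAccessKey": "EXAMPLESECRETACCESSKEY",
  "SessionToken": "EXAMPLESESSIONTOKEN",
  "Expiration": "2024-01-01T12:00:00Z"
}"""

REQUIRED = ("Version", "AccessKeyId", "SecretAccessKey")


def parse_rfc3339(value):
    """Parse an RFC3339 timestamp into an aware UTC datetime."""
    # datetime.fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("Expiration must carry a timezone offset")
    return dt.astimezone(timezone.utc)


def check_credential_output(stdout, now=None):
    """Return a list of problems with a credential_process output (empty list == healthy)."""
    now = now or datetime.now(timezone.utc)
    problems = []
    try:
        creds = json.loads(stdout)
    except json.JSONDecodeError as exc:
        return [f"stdout is not valid JSON: {exc.msg}"]
    if not isinstance(creds, dict):
        return ["stdout JSON is not an object"]
    for key in REQUIRED:
        if key not in creds:
            problems.append(f"missing required field {key}")
    if creds.get("Version") != 1:
        problems.append(f"Version must be 1, got {creds.get('Version')!r}")
    # Temporary credentials (SessionToken) must state when they expire, otherwise
    # a caching wrapper has no way to know when to refresh them.
    if "SessionToken" in creds and "Expiration" not in creds:
        problems.append("SessionToken present without Expiration")
    if "Expiration" in creds:
        try:
            exp = parse_rfc3339(creds["Expiration"])
            if exp <= now:
                problems.append(f"credentials expired at {exp.isoformat()} (stale cache?)")
        except ValueError as exc:
            problems.append(f"Expiration is not RFC3339: {exc}")
    return problems
```

Run it as `your-script.sh | python3 -c 'import sys, check; print(check.check_credential_output(sys.stdin.read()))'` (module name assumed) to see whether the script's cached output is the stale token.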
It does actually output that; I didn't see it initially as it was my first time reading through the script, so I missed it within the caching logic.
title says it all.
I feel like the docs are misleading.
The promised land is this:
The reality for me is this :
but if I do this:
this does not work: