fpco / devops-helpers

Devops helper scripts
28 stars 8 forks

source_profile cannot be the same as profile #6

Open neilmayhew opened 6 years ago

neilmayhew commented 6 years ago

I had a setup with a profile called xxx in ~/.aws/config and a source profile called xxx in ~/.aws/credentials. This seemed logical to me and it worked with plain aws, i.e. aws --profile xxx. However, it confuses aws-env --profile xxx. Trying to run any command results in:

An error occurred (AccessDenied) when calling the GetSessionToken operation: Cannot call GetSessionToken with session credentials

At the least this restriction should be documented, and ideally it should be removed.

borsboom commented 6 years ago

Does the xxx profile in ~/.aws/config have an mfa_serial or role_arn? If so, I think I know why this would be problematic. aws-env uses aws --profile="$SRC_PROFILE" sts get-session-token when creating session credentials for MFA, but aws will implicitly create session credentials before making the STS API call (which can't be called with session credentials). I can't think of a trivial fix for this. One possibility: aws-env would have to parse ~/.aws/credentials itself and then set the AWS_* environment variables with those, rather than using aws --profile.
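The workaround sketched in the last comment, reading the source profile's keys directly from ~/.aws/credentials and refusing to proceed when that profile already holds session credentials, as an added bash example (not part of fpco/devops-helpers; the function names and the sample credentials file are constructed):

```shell
# Added example (not fpco/devops-helpers code): read a profile's long-term keys
# straight from an AWS credentials file, as the last comment suggests, so that
# get-session-token is called with them instead of session credentials that
# `aws --profile` creates implicitly. Assumes the standard INI layout.
aws_static_creds() {            # usage: aws_static_creds FILE PROFILE
    local file="$1" profile="$2"
    awk -v want="$profile" '
        /^[[:space:]]*[#;]/ { next }                     # comment line
        /^[[:space:]]*\[/ {                              # [section] header
            s = $0; sub(/^[[:space:]]*\[[[:space:]]*/, "", s); sub(/[[:space:]]*\].*$/, "", s)
            insec = (s == want); next
        }
        insec && /[=]/ {                                 # key = value inside wanted section
            k = $0; sub(/[[:space:]]*=.*$/, "", k); sub(/^[[:space:]]*/, "", k)
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]*$/, "", v)
            if (k == "aws_access_key_id")     id = v
            if (k == "aws_secret_access_key") key = v
            if (k == "aws_session_token")     tok = v
        }
        END {                                            # exit 1 if profile or keys missing
            if (id == "" || key == "") exit 1
            print "AWS_ACCESS_KEY_ID=" id; print "AWS_SECRET_ACCESS_KEY=" key
            if (tok != "") print "AWS_SESSION_TOKEN=" tok
        }' "$file"
}

# GetSessionToken cannot be called with session credentials (the error quoted in
# the issue), so refuse a source profile that already carries aws_session_token.
require_long_term_creds() {     # usage: require_long_term_creds FILE PROFILE
    local out
    out=$(aws_static_creds "$1" "$2") || return 1
    case "$out" in
        *AWS_SESSION_TOKEN=*) echo "profile $2 holds session credentials" >&2; return 1 ;;
    esac
    printf '%s\n' "$out"
}
sample_credentials_file() {     # constructed sample with fake keys; prints its path
    local f; f=$(mktemp)
    cat > "$f" <<'EOF'
[xxx]
aws_access_key_id = AKIAEXAMPLEXXX
aws_secret_access_key = xxx/secret+example
; temp: already session credentials, unusable as a get-session-token source
[temp]
aws_access_key_id = ASIAEXAMPLETEMP
aws_secret_access_key = temp/secret+example
aws_session_token = EXAMPLETOKEN==
EOF
    echo "$f"
}
```

Each printed line is a plain NAME=VALUE assignment, so a caller can `export` it line by line (no eval needed) before running aws sts get-session-token.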