raycast / extensions

Everything you need to extend Raycast.
https://developers.raycast.com
MIT License

[Amazon AWS] Support for AWS Vault #3022

Closed themanontv closed 1 year ago

themanontv commented 2 years ago

Extension – Amazon AWS

Author: @victor-falcon

It would be great if the AWS extension for Raycast supported AWS Vault as this is a common way people store AWS Credentials

Describe the feature and the current behavior/state. The feature would involve using AWS vault to get credentials for an AWS profile as well as the current situation of just using the ~/.aws/credentials file

Who will benefit with this feature? AWS professionals who need to store sensitive credentials and want a secure way to store them but also want the convenience of using Raycast

Any Other info. Ideally there should be a way to select the current profile being used as typically there will be many within a vault. https://github.com/99designs/aws-vault

stale[bot] commented 1 year ago

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs in the next 7 days to keep our backlog clean 😊

themanontv commented 1 year ago

I would still like this feature doing as it would be incredibly useful

themanontv commented 1 year ago

Accidentally closed the issue with a slip of the finger :)

JonathanWbn commented 1 year ago

@themanontv Does #3612 solve your problem?

themanontv commented 1 year ago

> @themanontv Does #3612 solve your problem?

It doesn't, no. AWS Vault is a method of storing AWS profiles. It's certainly a partial workaround, but for people that want to securely hold credentials it's not a proper solution.

themanontv commented 1 year ago

@JonathanWbn If you try to use the extension with AWS Vault then you get a challenge for MFA that the extension doesn't know how to handle, like in the screenshot below. This seems like it's theoretically possible to add to this extension?

[screenshot]

I'll give you the link to AWS vault https://github.com/99designs/aws-vault

themanontv commented 1 year ago

Potentially this could be solved by presenting the MFA code prompt to the user to respond to

JonathanWbn commented 1 year ago

@themanontv Yes, with the latest changes we have certainly moved closer to supporting aws-vault. I have this on my list of things I'd like to improve.

stale[bot] commented 1 year ago

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs in the next 7 days to keep our backlog clean 😊

themanontv commented 1 year ago

I would still like this ticket to be in the backlog

JonathanWbn commented 1 year ago

I've been looking into this and found this thing called credential_process. This is part of the config and will be used by the AWS JavaScript SDK to retrieve the credentials. I have tested this and it seems to work without any changes to the library.

I added this to my config after running aws-vault add test:

```ini
[profile test]
region=eu-central-1
credential_process=aws-vault exec test --json
```

@themanontv Could you test this as well and let me know how that is working for you? If it works, I would suggest just extending the docs with a little hint about this solution for aws-vault users.
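The `credential_process` mechanism works because the SDK runs the configured command and parses its stdout against a fixed JSON contract. The following is an added example (not code from the Raycast extension or from aws-vault) that validates that output the way a consumer should: it checks the `Version` field, the required keys, and the `Expiration`, and never leaks the secret into an error message. The sample output and its values are constructed.

```javascript
// Added example, not code from the Raycast extension or aws-vault: validates the
// JSON a credential_process command such as `aws-vault exec test --json` prints.
// The credential_process contract: Version is 1, AccessKeyId and SecretAccessKey
// are required, SessionToken and Expiration (ISO 8601 timestamp) are optional.
const REQUIRED = ["AccessKeyId", "SecretAccessKey"];

function parseCredentialProcessOutput(stdout, now = new Date()) {
  let doc;
  try {
    doc = JSON.parse(stdout);
  } catch {
    // Never include stdout in the error: it may hold a live secret.
    throw new Error("credential_process did not return valid JSON");
  }
  if (doc === null || typeof doc !== "object" || doc.Version !== 1) {
    throw new Error("unsupported or missing credential_process Version");
  }
  for (const key of REQUIRED) {
    if (typeof doc[key] !== "string" || doc[key].length === 0) {
      throw new Error(`credential_process output is missing ${key}`);
    }
  }
  let expiration;
  if (doc.Expiration !== undefined) {
    expiration = new Date(doc.Expiration);
    if (Number.isNaN(expiration.getTime())) {
      throw new Error("credential_process returned an unparsable Expiration");
    }
    // Reject credentials that are already expired or expire within 60 s,
    // so a caller does not sign a request with a token about to lapse.
    if (expiration.getTime() - now.getTime() < 60000) {
      throw new Error("credential_process returned expired or nearly expired credentials");
    }
  }
  return {
    accessKeyId: doc.AccessKeyId,
    secretAccessKey: doc.SecretAccessKey,
    sessionToken: doc.SessionToken,
    expiration,
  };
}

// Constructed sample in the shape aws-vault prints; values are not real.
const SAMPLE_OUTPUT = JSON.stringify({
  Version: 1,
  AccessKeyId: "ASIAEXAMPLEEXAMPLE00",
  SecretAccessKey: "not-a-real-secret",
  SessionToken: "not-a-real-session-token",
  Expiration: "2023-04-03T11:00:00Z",
});
```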

themanontv commented 1 year ago

I've tested this and I'm still not getting any joy @JonathanWbn. The issue appears to be MFA that's holding this back, so maybe it's not an aws-vault specific issue. Although, having said that, I would guess most aws-vault users, if not all, are using MFA due to this section from the docs. I've attached the screenshot below with the error, but it's basically the same issue as before.

[screenshot]

JonathanWbn commented 1 year ago

@themanontv When testing did you specify the --prompt option? The docs suggest doing something like this:

```ini
credential_process = aws-vault exec work --json --prompt=osascript
```

themanontv commented 1 year ago

@JonathanWbn Yes, I've tried that and sadly I get the same result.

raycastbot commented 1 year ago

This issue has been automatically marked as stale because it did not have any recent activity.

It will be closed if no further activity occurs in the next 10 days to keep our backlog clean 😊

themanontv commented 1 year ago

This is still a worthwhile issue to work on

JonathanWbn commented 1 year ago

I think I've finally found a way to solve this in #5711. @themanontv could you give it a spin?

themanontv commented 1 year ago

@JonathanWbn I sure can, I also have something that could help too. Is this already in the extension?

JonathanWbn commented 1 year ago

@themanontv No, it's an open PR. You can check out the PR and run `cd extensions/amazon-aws && npm install && npm run dev` to run it locally.

themanontv commented 1 year ago

Ok, I've checked out the code but I'm not able to run it... I've checked out the PR you sent but I'm getting the following error:

[screenshot of the error]

JonathanWbn commented 1 year ago

@themanontv I have corrected the command. It's `npm i` (or `npm install`) without the `run` part.

themanontv commented 1 year ago

@JonathanWbn I've run the install now. I'm wondering if there's something missing here.

[screenshot]

[screenshot]

If I do the `npm run dev` command I get similar issues too, unfortunately.

themanontv commented 1 year ago

In other news, I found this method of getting text via applescript in the terminal if this is helpful?

```bash
# Read the input from the user using AppleScript. read -r -d '' returns
# non-zero at EOF, so || true keeps the script alive under set -e.
read -r -d '' applescriptCode <<'EOF' || true
   set dialogText to text returned of (display dialog "What do you want to enter?" default answer "")
   return dialogText
EOF

# Show the dialog and capture what the user typed
dialogText=$(osascript -e "$applescriptCode")
```

JonathanWbn commented 1 year ago

@themanontv When you have `npm run dev` running and open an AWS command, do you see this disk icon appear in green? If not, you are not using the local version but the published version.

[screenshot]

themanontv commented 1 year ago

@JonathanWbn Yes, it goes green, I'm afraid.

[screenshot]

themanontv commented 1 year ago

I get this error in the console:

```
> dev
> ray develop

info  -  entry points [src/ec2.tsx src/ecs.tsx src/sqs.tsx src/codepipeline.tsx src/console.tsx src/cloudformation.tsx src/lambda.tsx src/dynamodb.tsx src/s3.tsx src/cloudwatch.tsx src/ssm.tsx src/secrets.tsx src/run-profile-script.tsx]
ready -  built extension successfully
10:45:02.535 CredentialsProviderError: Profile <redacted> requires multi-factor authentication, but no MFA code callback was provided.
    at resolveAssumeRoleCredentials (/Users/<redacted>/.config/raycast/extensions/aws/lambda.js:30511:17)
    at resolveProfileData (/Users/<redacted>/.config/raycast/extensions/aws/lambda.js:41128:80)
    at /Users/<redacted>/.config/raycast/extensions/aws/lambda.js:41155:58
    at async coalesceProvider (/Users/<redacted>/.config/raycast/extensions/aws/lambda.js:20587:22)
    at async SignatureV4.credentialProvider (/Users/<redacted>/.config/raycast/extensions/aws/lambda.js:20605:22)
    at async SignatureV4.signRequest (/Users/<redacted>/.config/raycast/extensions/aws/lambda.js:22008:29)
    at async /Users/<redacted>/.config/raycast/extensions/aws/lambda.js:22288:18
    at async StandardRetryStrategy.retry (/Users/<redacted>/.config/raycast/extensions/aws/lambda.js:19356:42)
    at async /Users/<redacted>/.config/raycast/extensions/aws/lambda.js:18018:24
    at async Object.fetchFunctions [as current] (/Users/<redacted>/.config/raycast/extensions/aws/lambda.js:86790:37) {
  tryNextLink: false,
  '$metadata': { attempts: 1, totalRetryDelay: 0 }
}
10:45:02.805
CredentialsProviderError: Profile <redacted> could not be found or parsed in shared credentials file.

resolveProfileData:resolveProfileData.js:26:10

---
23:     if ((0, resolveSsoCredentials_1.isSsoProfile)(data)) {
24:         return (0, resolveSsoCredentials_1.resolveSsoCredentials)(data);
25:     }
26:     throw new property_provider_1.CredentialsProviderError(`Profile ${profileName} could not be found or parsed in shared credentials file.`);
27: };
28: exports.resolveProfileData = resolveProfileData;
29:
---

resolveAssumeRoleCredentials:lambda.js:30499:96
resolveProfileData:lambda.js:41128:80
lambda.js:41155:58
```

JonathanWbn commented 1 year ago

@themanontv Okay, thank you. Have you installed aws-vault with homebrew?

themanontv commented 1 year ago

@JonathanWbn It is installed via homebrew. I thought it could be because I was using an older version of aws-vault, but I've upgraded now and I'm getting the same issue :/

themanontv commented 1 year ago

Did this MR get working in the end?

JonathanWbn commented 1 year ago

It is working for me, so I think it's fair to say that there is some AWS Vault support now. I don't know why it isn't working for you. If you can investigate your problem a bit to gather more information about the issue, I'd be glad to take another look.

themanontv commented 1 year ago

I'll take a look again, thanks @JonathanWbn for the effort on this one!

themanontv commented 1 year ago

@JonathanWbn I've installed the latest update and I'm still having issues with this feature; I just end up with a padlock with a cross through it on all my profiles.

[screenshot]

What's most confusing about this is that I have an active session open as you have mentioned about this feature.

[screenshot]

The profile sandbox doesn't have an active session marked against it but, it relies on the one with the session. I'm assuming a role using that profile.

Is there something extra I need to do to get this working?

JonathanWbn commented 1 year ago

@themanontv This looks promising, it's at least working half-way. I think I know what is missing and have opened a PR for it: https://github.com/raycast/extensions/pull/6220

themanontv commented 1 year ago

Thanks @JonathanWbn for the help. Can't wait to get this working on my machine!

themanontv commented 1 year ago

So @JonathanWbn, it does appear we are making progress with this, but we're not quite there unfortunately. When I use the AWS plugin now I get an unlocked padlock for my main profile, which is definitely better than before! I even get a permission denied error for lambda functions (which is expected behaviour for that profile, as it's a profile with no real permissions in the account it's in).

The way my work typically operates is by assuming roles in other accounts and it's these other accounts that are facing the issue now.

[screenshot]

When I check my `aws-vault list` command I get a similar output, and it seems that the plugin is only looking at the source profile and not assuming a role (say `sandbox`, as an example) using that source profile, even though it's told to in the aws config.

[screenshot]

But if I use aws-vault directly then I can use these profiles from aws-vault fine.

Below is an example of my aws config file:

```ini
[profile source]
region=eu-west-2
mfa_serial=<redacted>
credential_process = aws-vault --prompt=osascript export --format=json source

[profile sandbox]
region=eu-west-2
role_arn=<redacted>
source_profile=source
mfa_serial=<redacted>
credential_process = aws-vault --prompt=osascript export --format=json source
```

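The failure described above is a profile-chain problem: `sandbox` names a `role_arn` and a `source_profile`, so the consumer has to obtain the source profile's credentials first and then assume the role, instead of stopping at the source profile. The following is an added example (not code from the Raycast extension) that parses a config in this shape and produces the ordered steps a consumer would have to carry out; the region requirement is an assumption taken from the last comment in this thread, and the sample config and ARNs are constructed placeholders.

```javascript
// Added example (not the Raycast extension's code): resolves a profile chain like
// the one above. `sandbox` has role_arn + source_profile, so credentials come from
// the source profile's credential_process first and then AssumeRole with MFA.
function parseAwsConfig(text) {
  const profiles = {};
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const section = line.match(/^\[\s*(?:profile\s+)?([^\]]+?)\s*\]$/);
    if (section) {
      current = section[1];
      profiles[current] = profiles[current] || {};
      continue;
    }
    const kv = line.match(/^([^=]+?)\s*=\s*(.*)$/); // split on the first '=' only
    if (kv && current) profiles[current][kv[1]] = kv[2];
  }
  return profiles;
}
// Ordered steps for `name`; assume-role is checked before credential_process,
// matching the resolveAssumeRoleCredentials -> resolveProfileData order in the trace.
function resolveProfileChain(profiles, name, seen = new Set()) {
  const p = profiles[name];
  if (!p) throw new Error(`profile ${name} not found in config`);
  if (seen.has(name)) throw new Error(`source_profile cycle at ${name}`);
  seen.add(name);
  // Assumption taken from the last comment in the thread: region must be set.
  if (!p.region) throw new Error(`profile ${name} has no region configured`);
  let steps = [];
  if (p.role_arn && p.source_profile) {
    steps = resolveProfileChain(profiles, p.source_profile, seen);
    steps.push({ action: "assume-role", profile: name, roleArn: p.role_arn, mfaSerial: p.mfa_serial });
  } else if (p.credential_process) {
    steps.push({ action: "credential-process", profile: name, command: p.credential_process });
  } else {
    steps.push({ action: "static-or-sso", profile: name });
  }
  return steps;
}

// Constructed config mirroring the shape above, with placeholder ARNs.
const SAMPLE_CONFIG = `[profile source]
region=eu-west-2
credential_process = aws-vault --prompt=osascript export --format=json source
[profile sandbox]
region=eu-west-2
role_arn=arn:aws:iam::210987654321:role/example
source_profile=source
mfa_serial=arn:aws:iam::123456789012:mfa/example`;
```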
JonathanWbn commented 1 year ago

@themanontv Now that makes sense 👍 I think I'm finally solving your use case with this then: https://github.com/raycast/extensions/pull/6281

themanontv commented 1 year ago

@JonathanWbn Thanks for your patience with this problem, hopefully (fingers crossed) that solves it! Apologies for the pestering over the months...

themanontv commented 1 year ago

Just checked this now and it works! Thanks for the effort on this one! 🎉

themanontv commented 1 year ago

One comment I would leave for maybe some future consideration is that when using this, people need to have the region specified in their config otherwise this won't work.