ruimarinho / gsts

Obtain and store AWS STS credentials to interact with Amazon services by authenticating via G Suite SAML.
MIT License
219 stars 38 forks

gsts v5.0.0 ignores `--aws-profile` argument and always uses `default` #83

Closed sherif-fanous closed 1 year ago

sherif-fanous commented 1 year ago

I upgraded to gsts v5.0.0 yesterday and have run into an issue where gsts ignores the command line argument --aws-profile.

Looking at the if/else block here it seems that there is a bug where the else block is always executed unless --aws-profile is not passed and AWS_PROFILE is set.

As a result, gsts attempts to use default for all my profiles. The first time I use gsts with a profile, it creates an entry in the cache under the AWS profile default. If I then use gsts with a different profile, I run into the following error:

⚠ Found profile "default" credentials for a different role ARN (found "arn:aws:iam::XXX:role/YYY" != received "arn:aws:iam::AAA:role/BBB").
✖ RoleMismatchError: Received role arn:aws:iam::AAA:role/BBB but expected arn:aws:iam::XXX:role/YYY
    at CredentialsManager.loadCredentials (file:///opt/homebrew/Cellar/gsts/5.0.0/libexec/lib/node_modules/gsts/credentials-manager.js:172:13)
    at async file:///opt/homebrew/Cellar/gsts/5.0.0/libexec/lib/node_modules/gsts/index.js:108:21 {
  receivedRole: 'arn:aws:iam::AAA:role/BBB',
  expectedRole: 'arn:aws:iam::XXX:role/YYY'
}

Current workaround is to use --no-credentials-cache but that's not sustainable in the long term.

Sample credentials_process command in my ~/.aws/config file:

gsts --aws-profile PPP --aws-region us-east-1 --aws-role-arn arn:aws:iam::XXX:role/YYY --playwright-engine-executable-path "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --json --idp-id AAA --no-credentials-cache --sp-id BBB --username CCC

I believe the following is the required fix:

// If defined, `$AWS_PROFILE` overrides the behavior of using the profile named [default] in
// the `aws` cli configuration file. You can override this environment variable by using the
// `--aws-profile` command line parameter.
if (!argv.awsProfile && !env.AWS_PROFILE) {
  argv.awsProfile = argv['aws-profile'] = 'default'
} else if (!argv.awsProfile) {
  argv.awsProfile = argv['aws-profile'] = env.AWS_PROFILE
}
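
As an added example (not code from gsts itself), the resolution order proposed above sits next to a small in-memory credentials cache that pins each profile to its role ARN, which is the check behind the RoleMismatchError shown earlier. The "buggy" resolver is reconstructed from the description in this report, not copied from v5.0.0, and the profile names and role ARNs in the scenario are constructed; all of these are assumptions.

```javascript
// Fixed resolution (mirrors the if/else proposed above): --aws-profile wins,
// then $AWS_PROFILE, then the literal "default".
function resolveProfile(argvProfile, envProfile) {
  if (!argvProfile && !envProfile) return 'default';
  if (!argvProfile) return envProfile;
  return argvProfile;
}
// Reconstructed from the report's description of v5.0.0 (an assumption, not the
// project's code): $AWS_PROFILE is honoured only when --aws-profile is absent and
// the variable is set; every other case, even an explicit --aws-profile, falls
// through to "default".
function resolveProfileBuggy(argvProfile, envProfile) {
  if (!argvProfile && envProfile) return envProfile;
  return 'default';
}
class RoleMismatchError extends Error {
  constructor(receivedRole, expectedRole) {
    super(`Received role ${receivedRole} but expected ${expectedRole}`);
    this.name = 'RoleMismatchError';
    this.receivedRole = receivedRole;
    this.expectedRole = expectedRole;
  }
}
// In-memory stand-in for the on-disk credentials cache: one entry per profile
// name, pinned to the role ARN it was issued for.
class CredentialsCache {
  constructor() { this.entries = new Map(); }
  load(profile, roleArn) {
    const cached = this.entries.get(profile);
    if (cached && cached.roleArn !== roleArn) {
      throw new RoleMismatchError(roleArn, cached.roleArn);
    }
    if (!cached) this.entries.set(profile, { roleArn });
    return this.entries.get(profile);
  }
}
// Constructed scenario: two profiles, each with its own role, resolved through
// `resolve`. Returns the cache's profile keys, or the error name on failure.
function runScenario(resolve, env = {}) {
  const cache = new CredentialsCache();
  const calls = [['PPP', 'arn:aws:iam::XXX:role/YYY'],
                 ['QQQ', 'arn:aws:iam::AAA:role/BBB']];
  try {
    for (const [argvProfile, roleArn] of calls) {
      cache.load(resolve(argvProfile, env.AWS_PROFILE), roleArn);
    }
    return [...cache.entries.keys()];
  } catch (err) {
    return err.name;
  }
}
```

With the fixed resolver the two profiles land in separate cache entries; with the reconstructed v5.0.0 behaviour both collapse onto default and the second call fails with RoleMismatchError.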

bebosudo commented 1 year ago

I ended up creating a script at ~/.local/bin/awscreds containing the correct gsts command including the AWS_PROFILE env variable (and --cache-dir ~/.aws), then I use that script in ~/.aws/config in the credentials_process of the main account we use to authenticate, so now credentials are saved with the correct profile, and I can just type whatever aws cli or kubectl command I need.

ruimarinho commented 1 year ago

Thanks for the detailed report @sherif-fanous! Should be fixed on v5.0.1. Could you give it a try please?