smallstep / step-kms-plugin

🔐 step plugin to manage keys and certificates on cloud KMSs and HSMs
Apache License 2.0

[Bug]: AWS SSO via `credential_process` not supported #130

Closed gclawes closed 7 months ago

gclawes commented 7 months ago

### Steps to Reproduce

1. Configure an AWS profile with `credential_process` (using a tool like Granted):

   ```
   $ cat ~/.aws/config
   [profile My-Account/SuperUser]
   granted_sso_start_url      = https://example.awsapps.com/start/
   granted_sso_region         = us-east-1
   granted_sso_account_id     = 112233445566
   granted_sso_role_name      = SuperUser
   common_fate_generated_from = aws-sso
   credential_process         = granted credential-process --profile My-Account/SuperUser
   ```

2. Attempt an operation with a step* binary using AWSKMS:

   step-kms-plugin:

   ```
   $ step kms create --json --kms 'awskms:region=us-east-1' step-ca-test
   Error: failed to create key: awskms CreateKeyWithContext failed: NoCredentialProviders: no valid providers in chain. Deprecated.
       For verbose messaging see aws.Config.CredentialsChainVerboseErrors
   exit status 1
   ```

   step certificate create (pre-created KMS key):

   ```
   $ step certificate create --profile root-ca \
      --kms 'awskms:region=us-east-1' \
      --key 'awskms:key-id=1234567-abcd-1234-dcba-1234567890' \
      "Smallstep Root CA" root_ca.crt

   failed to get public key: command "/Users/gralaw/bin/step-kms-plugin key --kms awskms:region=us-east-1 awskms:key-id=f60e6f04-ea3f-4984-b4e6-c2f3f7279d12" failed with:
   Error: open awskms:key-id=f60e6f04-ea3f-4984-b4e6-c2f3f7279d12: awskms GetPublicKeyWithContext failed: NoCredentialProviders: no valid providers in chain. Deprecated.
       For verbose messaging see aws.Config.CredentialsChainVerboseErrors
   ```

3. WORKAROUND: manually export STS session credentials from `credential_process`:

   ```
   $ granted credential-process --profile My-Account/SuperUser
   {"Version":1,"AccessKeyId":"AKIAIOSFODNN7EXAMPLE","SecretAccessKey":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY","SessionToken":"AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE","Expiration":"2024-01-12T04:57:27-05:00"}

   $ export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
   $ export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
   $ export AWS_SESSION_TOKEN="AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE"

   $ step kms create --json --kms 'awskms:region=us-east-1' step-ca-test
   {
     "name": "awskms:key-id=1234567-abcd-1234-dcba-1234567890",
     "publicKey": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3b1V3/ikBR/pmFI7xFJ4pEKGwS+rpOw7//pveoHgx/FVwuAaOaVcw/PlThZb7/jircsnrugsr7wpjolyVAUHsw==\n-----END PUBLIC KEY-----\n"
   }
   ```

**NOTE**: Examples are derived from actual command runs, but all values/IDs have been replaced with example values for security.

### Your Environment

* OS - macOS Sonoma 14.1.2 (23B92)
* Version:

  ```
  $ step --version
  Smallstep CLI/0.25.1 (darwin/arm64)
  Release Date: 2023-11-29 09:17 UTC

  $ step-kms-plugin version
  🔐 step-kms-plugin/0.9.2 (darwin/arm64)
  Release Date: 2023-11-10T22:20:48Z
  ```

### Expected Behavior

Step should support AWS SSO credentials configured by `credential_process` in addition to the normal AWS SSO workflow (`aws sso login`).

### Actual Behavior

See reproduction for full details. AWS Go SDK returns `NoCredentialProviders` error.

### Additional Context

AWS Go SDK v2 supports this via: https://docs.aws.amazon.com/sdk-for-go/api/aws/credentials/processcreds/

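
As an added illustration (not code from step-kms-plugin or the AWS SDK), this is the contract a `credential_process` output has to satisfy before an SDK process provider will use it, plus the mapping onto the three environment variables the workaround above exports by hand. The sample JSON is constructed from the example values in the report, with the session token shortened.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// ProcessCredentials is the JSON document a credential_process must print.
type ProcessCredentials struct {
	Version         int       `json:"Version"`
	AccessKeyID     string    `json:"AccessKeyId"`
	SecretAccessKey string    `json:"SecretAccessKey"`
	SessionToken    string    `json:"SessionToken"`
	Expiration      time.Time `json:"Expiration"` // RFC 3339, optional
}

// SampleOutput is constructed from the report's example values (token shortened).
const SampleOutput = `{"Version":1,"AccessKeyId":"AKIAIOSFODNN7EXAMPLE","SecretAccessKey":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",` +
	`"SessionToken":"AQoEXAMPLE...EXAMPLE","Expiration":"2024-01-12T04:57:27-05:00"}`
// ParseProcessCredentials applies the checks an SDK process provider makes:
// Version must be 1, both static keys present, and not yet expired at now.
func ParseProcessCredentials(out []byte, now time.Time) (*ProcessCredentials, error) {
	var c ProcessCredentials
	if err := json.Unmarshal(out, &c); err != nil {
		return nil, fmt.Errorf("credential_process output is not JSON: %w", err)
	}
	if c.Version != 1 {
		return nil, fmt.Errorf("unsupported credential_process version %d", c.Version)
	}
	if c.AccessKeyID == "" || c.SecretAccessKey == "" {
		return nil, fmt.Errorf("output lacks AccessKeyId or SecretAccessKey")
	}
	if !c.Expiration.IsZero() && !c.Expiration.After(now) {
		return nil, fmt.Errorf("credentials expired at %s", c.Expiration.Format(time.RFC3339))
	}
	return &c, nil
}

// EnvExports maps validated credentials onto the variables the reporter exported by hand.
func EnvExports(c *ProcessCredentials) map[string]string {
	env := map[string]string{"AWS_ACCESS_KEY_ID": c.AccessKeyID, "AWS_SECRET_ACCESS_KEY": c.SecretAccessKey}
	if c.SessionToken != "" { // absent for long-lived keys
		env["AWS_SESSION_TOKEN"] = c.SessionToken
	}
	return env
}

func main() { // on a real clock the 2024 sample is rejected as expired
	fmt.Println(ParseProcessCredentials([]byte(SampleOutput), time.Now()))
}
```
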
hslatman commented 7 months ago

Hey @gclawes, sounds like we need to update to AWS v2 first (unless there's a way to make this work with v1 too)? I've opened an issue to track that: https://github.com/smallstep/crypto/issues/405.

gclawes commented 7 months ago

Ahh, didn't catch that it's still on v1, my bad. Thanks for looking into this!

gclawes commented 7 months ago

It looks like it may still be possible in v1: https://docs.aws.amazon.com/sdkref/latest/guide/feature-process-credentials.html

> SDK for Go 1.x (V1) | Yes | To use shared config file settings, you must turn on loading from the config file; see Sessions.

https://docs.aws.amazon.com/sdk-for-go/api/aws/session/

maraino commented 7 months ago

Hi, @gclawes, I moved the issue to the step-kms-plugin so it can be fixed with a new version of crypto once https://github.com/smallstep/crypto/pull/408 gets merged and tagged.

maraino commented 7 months ago

This issue is now fixed in the main branch.

Note that if you have more than one profile in ~/.aws/config you will need to select the right one like this: `step kms create --json 'awskms:profile=foo;name=my-key'`.

gclawes commented 7 months ago

@maraino tools like Granted set the AWS_PROFILE environment variable, will that work as an alternative to `awskms:profile=foo;...`?

maraino commented 7 months ago

> @maraino tools like Granted set the AWS_PROFILE environment variable, will that work as an alternative to `awskms:profile=foo;...`?

Yes, that works.