trek10inc / awsume

A utility for easily assuming AWS IAM roles from the command line.
https://awsu.me
MIT License

"awsume [profile-name]" command hangs and never responds #117

Closed cameronbesse closed 3 years ago

cameronbesse commented 3 years ago

I have installed awsume via pip and I have the correct alias in my bash profile. Awsume does correctly list my available AWS profiles with awsume -l, however when I try to use the awsume [profile-name] command to assume a profile, the terminal hangs and there is no response.


(On MacOS Catalina version 10.15.5 (19F101), using iTerm2 build 3.3.12)

skjutare commented 3 years ago

I have the same issue on MacOS Catalina version 10.15.6. It works with User profiles, but for all Role profiles the awsume python process draws about 100% CPU (one core).

skjutare commented 3 years ago

❯ awsume role-profile --debug
[2020-08-19 16:53:11,484] main.py:main : [DEBUG] Debug logs are visible
[2020-08-19 16:53:11,484] main.py:main : [DEBUG] Executing awsume
[2020-08-19 16:53:11,484] app.py:__init__ : [DEBUG] Initalizing app
[2020-08-19 16:53:11,484] app.py:get_plugin_manager : [DEBUG] Creating plugin manager
[2020-08-19 16:53:11,485] app.py:get_plugin_manager : [DEBUG] Loading plugins
[2020-08-19 16:53:11,495] app.py:parse_args : [DEBUG] Gathering arguments
[2020-08-19 16:53:11,495] default_plugins.py:add_arguments : [INFO] Adding arguments
[2020-08-19 16:53:11,496] app.py:parse_args : [DEBUG] Parsing arguments
[2020-08-19 16:53:11,496] app.py:parse_args : [DEBUG] Handling arguments
[2020-08-19 16:53:11,496] default_plugins.py:post_add_arguments : [DEBUG] Post add arguments
[2020-08-19 16:53:11,496] default_plugins.py:post_add_arguments : [DEBUG] {"version": false, "output_profile": null, "clean": false, "profile_name": "role-profile", "force_refresh": false, "show_commands": false, "unset_variables": false, "auto_refresh": false, "kill": false, "list_profiles": null, "refresh_autocomplete": false, "role_arn": null, "principal_arn": null, "source_profile": null, "external_id": null, "mfa_token": null, "region": null, "session_name": null, "role_duration": null, "with_saml": false, "with_web_identity": false, "json": null, "credentials_file": null, "config_file": null, "config": null, "list_plugins": false, "info": false, "debug": true, "console": false, "console_link": false, "console_service": false, "console_link_service": false, "rotate_access_keys": false, "force_rotate_access_keys": false}
[2020-08-19 16:53:11,496] app.py:get_profiles : [DEBUG] Gathering profiles
[2020-08-19 16:53:11,497] default_plugins.py:collect_aws_profiles : [INFO] Collecting AWS profiles
[2020-08-19 16:53:11,499] default_plugins.py:collect_aws_profiles : [DEBUG] Collected 10 profiles
[2020-08-19 16:53:11,499] default_plugins.py:post_collect_aws_profiles : [INFO] Post collect AWS profiles
[2020-08-19 16:53:11,499] app.py:get_credentials : [DEBUG] Getting credentials
[2020-08-19 16:53:11,499] app.py:get_credentials : [DEBUG] Pulling credentials from default awsume flow

After this it hangs forever...

skjutare commented 3 years ago

I figured it out.

You can't have a profile in .aws/config that has the same name as a credential in .aws/credentials if it has a source_profile with the same name...

Adding a suffix to the user account's config solved the issue.

So the bug is in how awsume tries to resolve infinity roles. Support added in "Adds support for infinite role-chaining" on line 235 of app.py PR

mbarneyjr commented 3 years ago

Hi! Thanks for opening this issue, sorry about the delay!

The source_profile property is used when you're defining a role profile. The source_profile property points to which profile you want to use to assume the configured role. Commonly it's an IAM user assuming a role, like this:

# ~/.aws/credentials
[myuser]
aws_access_key_id = ...
aws_secret_access_key = ...

# ~/.aws/config
[profile myuser]
region = ...

[profile myrole]
role_arn = ...
source_profile = ...
region = ...

Awsume should raise an error if the source_profile property of a profile is pointing to itself; this has been noted and we'll work on resolving that issue.

@cameronbesse Just to confirm, did @skjutare's solution solve your problem?

cameronbesse commented 3 years ago

> @cameronbesse Just to confirm, did @skjutare's solution solve your problem?

@mbarneyjr Yes, I had the same issue in my credentials file.

mbarneyjr commented 3 years ago

Hmm, I seem to be having trouble replicating the issue. Correct me if I'm misunderstanding your setup, but if I create the following profile configuration:

#~/.aws/credentials
[test]
aws_access_key_id = ...
aws_secret_access_key = ...

#~/.aws/config
[profile test]
source_profile = test

I correctly get the following error:

$ awsume test
Awsume error: Invalid profile [test] cannot have circular role-chains

If you're able to replicate the error, could you show your profile setup (redacting any secrets and account IDs, of course)? Thank you!

skjutare commented 3 years ago

With a similar setup to this I can get it to hang

#~/.aws/credentials
[test]
aws_access_key_id = ...
aws_secret_access_key = ...

#~/.aws/config
[profile test]
source_profile = test

[profile test-role]
source_profile = test
role_arn=...

while calling awsume test-role
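Added example, not part of the thread and not awsume's own code: a source_profile resolver that records every profile it visits, so it raises on a cycle that starts one hop into the chain (as in the setup above) instead of looping. The file contents are constructed placeholders, and the names `load_profiles`, `resolve_chain`, `HANGING_CONFIG` and `FIXED_CONFIG` are hypothetical.

```python
import configparser

# Constructed sample input mirroring the reproduction above; keys and ARN are placeholders.
CREDENTIALS = """
[test]
aws_access_key_id = PLACEHOLDER
aws_secret_access_key = PLACEHOLDER
"""
HANGING_CONFIG = """
[profile test]
source_profile = test

[profile test-role]
source_profile = test
role_arn = arn:aws:iam::000000000000:role/placeholder
"""
# Same setup with the self-reference removed from the user profile.
FIXED_CONFIG = HANGING_CONFIG.replace("[profile test]\nsource_profile = test\n", "[profile test]\n")


def load_profiles(credentials_text, config_text):
    """Merge both files into {name: settings}; config sections drop the 'profile ' prefix."""
    profiles = {}
    for text in (credentials_text, config_text):
        # interpolation=None so a '%' inside a secret value is not treated as syntax.
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_string(text)
        for section in parser.sections():
            name = section[len("profile "):] if section.startswith("profile ") else section
            profiles.setdefault(name, {}).update(parser[section])
    return profiles


def resolve_chain(profiles, start):
    """Follow source_profile links from `start`; always terminates.

    Returns the profile names visited, ending at the profile with no
    source_profile. Raises ValueError on a missing profile or on any cycle,
    including one that begins after the first hop.
    """
    chain, seen, name = [], set(), start
    while name is not None:
        if name not in profiles:
            raise ValueError(f"profile [{name}] not found")
        if name in seen:
            raise ValueError("circular role-chain: " + " -> ".join(chain + [name]))
        seen.add(name)
        chain.append(name)
        name = profiles[name].get("source_profile")
    return chain
```

Comparing each hop only against the starting profile would miss the `test -> test` loop reached from `test-role`; the visited set covers both cases.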

mbarneyjr commented 3 years ago

Great, that was what I needed to find the bug, thanks! It should be fixed in pre-release 4.5.0a2

mbarneyjr commented 3 years ago

Sorry for the delay, this has been deployed to 4.5.0