trek10inc / awsume

A utility for easily assuming AWS IAM roles from the command line.
https://awsu.me
MIT License

awsume -a unsets AWS_PROFILE but never sets it #57

Closed joelgrimberg closed 5 years ago

joelgrimberg commented 5 years ago

When I use `awsume -a`, it unsets the AWS_PROFILE env variable. It never sets it, so I have to do this by hand. Is this an issue (or is it me)?

mbarneyjr commented 5 years ago

Hi @joelgrimberg ,

Assuming you're running on a *nix-like OS, I'd first make sure that the alias is set. You can check this by running the alias command in the terminal and searching for the alias that should look like this:

alias awsume=". awsume"

Awsume tries to define this alias in your bash login file like ~/.bash_profile or ~/.bashrc, but sometimes some things can go wrong and it can't write the alias, so make sure it's defined in a file that gets executed when you start your terminal.

joelgrimberg commented 5 years ago

Yes, this alias is set and works, except for setting the AWS_PROFILE env var.

I need the AWS_PROFILE to be set because my Oh My Zsh plugin uses that env variable to show my active AWS profile in my CLI.

mbarneyjr commented 5 years ago

When using the -a flag, awsume should be setting the AWS_PROFILE and AWS_DEFAULT_PROFILE environment variables to the automatically-generated "auto-refresh" profile. This way the awscli/scripts/etc will use the credentials autoawsume loads into that profile.

So what you're experiencing is that environment variable not being set at all, but instead being deleted/unset?

What environment are you running awsume in? Awsume version? OS? Shell (I assume zsh?)? Anything else is helpful for debugging the problem.

_Also note that awsume should set the AWSUME_PROFILE environment variable, which is ideal for shell/terminal prompts, since (when using autoawsume) the AWS_PROFILE would be auto-refresh-<profile_name>, and AWSUME_PROFILE would just be <profile_name>_

joelgrimberg commented 5 years ago

This is what I do:

Setting my AWS_PROFILE: `export AWS_PROFILE=xyz`

Showing my AWS_PROFILE: `ENV | grep AWS` -> shows `AWS_PROFILE=xyz`

Awsuming to another account: `awsume -a <account>`

awsume version 3.2.8 (edit: upgraded to 3.29, did not fix my issue), ZSH, macOS

mbarneyjr commented 5 years ago

I'm struggling to replicate the issue. Here's the commands I tried to run to do what you were doing:

```text
➜  ~ awsume -v
3.2.9
➜  ~ ENV | grep AWS
➜  ~ export AWS_PROFILE=profile1
➜  ~ ENV | grep AWS
AWS_PROFILE=profile1
➜  ~ awsume -a profile2
AWSume: User profile credentials will expire at: 2019-08-12 00:07:11
AWSume: Role profile credentials will expire at: 2019-08-11 13:17:40
[3] 1679
➜  ~ ENV | grep AWS
AWS_PROFILE=auto-refresh-profile2
AWS_DEFAULT_PROFILE=auto-refresh-profile2
AWS_REGION=us-east-1
AWS_DEFAULT_REGION=us-east-1
AWSUME_PROFILE=profile2
➜  ~
```

And this is all expected.

Is the AWS_DEFAULT_PROFILE being unset too (if you were to set it before the awsume -a call)?

Since this is an issue with the environment variables, the shell wrapper might tell us something, so if you run awsumepy -a <profile_name> (note to run awsumepy not awsume), is the very first string that is displayed Auto? Like this:

```text
➜  ~ awsumepy -a profile2
AWSume: User profile credentials will expire at: 2019-08-12 00:07:11
AWSume: Role profile credentials will expire at: 2019-08-11 13:26:33
Auto auto-refresh-profile2 us-east-1 profile2
➜  ~
```

The string `Auto` tells the shell wrapper which environment variables to configure. The only places I can see in the shell wrapper that unset AWS_PROFILE but don't set it are when the flag is `Awsume`, `Unset`, `Kill`, or `Stop`. If the first flag is indeed `Auto`, there must be something very strange happening.

joelgrimberg commented 5 years ago

Alright. First thing I notice: I do not see these expiration lines: `AWSume: User profile credentials will expire at: 2019-08-12 00:07:11` / `AWSume: Role profile credentials will expire at: 2019-08-11 13:17:40`, so I do not have auto refresh configured, I guess.

The AWS_DEFAULT_PROFILE is never set (not with `awsume -a` and not with `awsumepy -a`).

My `awsumepy -a` gives me this line: `Awsume <some string> <another string> None eu-west-1`

mbarneyjr commented 5 years ago

Those expiration lines should be printing whenever you awsume a role, with or without -a, so there's definitely something wrong. Also the fact that the flag (the first string from the awsumepy command) is Awsume when you're passing -a is another sign that something is misconfigured.

How is awsume installed on your machine? Is it installed globally or with --user, or is it installed with something like pipx?

joelgrimberg commented 5 years ago

It is installed globally.

Is it a 'thing' that I do not assume a role? My config file looks like this:

```ini
[default]
region = eu-west-1
output = json

[profile j_admin]
output = json
region = eu-west-1

[x_admin]
output = json
region = eu-west-1

[x_ict_admin]
output = json
region = eu-west-1
```

mbarneyjr commented 5 years ago

A role profile is a profile that has a role_arn (the IAM role that the profile will use). It doesn't look like any of your profiles have a role_arn, meaning they are non-role profiles (typically IAM users). Autoawsume is not designed for non-role profiles, it will only work for role profiles.

The idea behind autoawsume is this: You can get a session token for an IAM user for 12 hours. Roles default to a maximum of 1 hour. What autoawsume does is get a session token for the role's source (user) profile which is valid for 12 hours, and every hour (for 12 hours) it will re-assume the role and update the credentials to the new credentials, all in the background so you don't notice. So for that reason, it doesn't make sense to use autoawsume on a non-role profile.

It also appears that there are no mfa_serial options on your profiles, meaning MFA isn't configured for those keys. Since MFA is not necessary, it will not make the get-session-token call; it will simply export the environment variables to the values found in the config/credentials files, which explains why you are not seeing the "User profile credentials valid until ..." message. The access keys are long-term (valid forever or until they are deleted). And since you're not assuming a role, you aren't getting the "Role profile credentials valid until ..." message.

joelgrimberg commented 5 years ago

Thanks for the explanation. Still some questions here though ;)

If I understand awsume correctly, the following code block would be used in my (non-role-assuming) case (my question is below the code):

```bash
elif [ "$AWSUME_FLAG" = "Awsume" ]; then
    unset AWS_SECRET_ACCESS_KEY
    unset AWS_SESSION_TOKEN
    unset AWS_SECURITY_TOKEN
    unset AWS_ACCESS_KEY_ID
    unset AWS_REGION
    unset AWS_DEFAULT_REGION
    unset AWS_PROFILE
    unset AWS_DEFAULT_PROFILE
    unset AWSUME_PROFILE

    export AWS_ACCESS_KEY_ID=$AWSUME_1
    export AWS_SECRET_ACCESS_KEY=$AWSUME_2

    if [ ! "$AWSUME_3" = "None" ]; then
        export AWS_SESSION_TOKEN=$AWSUME_3
        export AWS_SECURITY_TOKEN=$AWSUME_3
    fi

    if [ ! "$AWSUME_4" = "None" ]; then
        export AWS_REGION=$AWSUME_4
        export AWS_DEFAULT_REGION=$AWSUME_4
    fi

    export AWSUME_PROFILE=$AWSUME_5

    #if enabled, show the exact commands to use in order to assume the role we just assumed
    for AWSUME_var in "$@"
    do
        #show commands
        if [[ "$AWSUME_var" == "-s"* ]]; then
            echo export AWS_ACCESS_KEY_ID=$AWSUME_1
            echo export AWS_SECRET_ACCESS_KEY=$AWSUME_2

            if [ ! "$AWSUME_3" = "None" ]; then
                echo export AWS_SESSION_TOKEN=$AWSUME_3
                echo export AWS_SECURITY_TOKEN=$AWSUME_3
            fi

            if [ ! "$AWSUME_4" = "None" ]; then
                echo export AWS_REGION=$AWSUME_4
                echo export AWS_DEFAULT_REGION=$AWSUME_4
            fi

            echo export AWSUME_PROFILE=$AWSUME_5

        fi
    done
```

What's the idea of using `AWSUME_PROFILE=$AWSUME_5` and not `AWS_PROFILE=$AWSUME_5`?

mbarneyjr commented 5 years ago

Awsume works by setting environment variables (AWS_ACCESS_KEY, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, etc.). For simple cases where you only have static access keys, it could just set the AWS_PROFILE variable and that would work fine, but we decided to export the key variables to be more consistent with the rest of the application. Either option is valid, and when you make API calls either will use the same credentials. We use AWSUME_PROFILE for people to use in their bash PS1 prompts (or anything else they want) so they can view the currently awsume'd profile.

The only time awsume sets the AWS_PROFILE variable is when you're using autoawsume (with a role profile), since the autoawsume background process wouldn't be able to update your current shell's environment variables when it refreshes the role credentials.
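To make the distinction in this thread concrete (which of the two wrapper paths a profile takes, and therefore whether AWS_PROFILE ends up set or unset), here is an added Python model; it is not awsume's own code. It parses a config file constructed from the one posted above plus a hypothetical role profile `j_role`, and predicts which variables the `Auto` path and the `Awsume` path export; the ARNs and credential strings are placeholders.

```python
import configparser

# Constructed sample config modelled on the one posted in the issue, plus a
# hypothetical role profile (j_role, placeholder ARNs) that takes the autoawsume path.
SAMPLE_CONFIG = """
[default]
region = eu-west-1
output = json

[profile j_admin]
output = json
region = eu-west-1

[profile j_role]
role_arn = arn:aws:iam::000000000000:role/PLACEHOLDER
source_profile = j_admin
mfa_serial = arn:aws:iam::000000000000:mfa/PLACEHOLDER
region = eu-west-1
"""


def load_profiles(text):
    """Parse an AWS CLI config file, dropping the 'profile ' section prefix."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {(s[8:] if s.startswith("profile ") else s): dict(cp[s]) for s in cp.sections()}


def predicted_env(name, profile, auto_refresh):
    """Model of the two wrapper paths described in the thread (not awsume's own
    code): 'Auto' only for a role profile run with -a, where AWS_PROFILE points
    at the auto-refresh profile; otherwise 'Awsume', where the keys themselves
    are exported and AWS_PROFILE stays unset.  Credential values are placeholders."""
    is_role = "role_arn" in profile
    env = {"AWSUME_PROFILE": name}
    if "region" in profile:
        env["AWS_REGION"] = env["AWS_DEFAULT_REGION"] = profile["region"]
    if auto_refresh and is_role:
        env["AWS_PROFILE"] = env["AWS_DEFAULT_PROFILE"] = f"auto-refresh-{name}"
        return "Auto", env
    env["AWS_ACCESS_KEY_ID"] = "<key from credentials file>"
    env["AWS_SECRET_ACCESS_KEY"] = "<secret from credentials file>"
    # A session token exists only after get-session-token (MFA) or assume-role;
    # plain static keys are long-term and are exported as-is.
    if is_role or "mfa_serial" in profile:
        env["AWS_SESSION_TOKEN"] = env["AWS_SECURITY_TOKEN"] = "<temporary token>"
    return "Awsume", env
```

Run `predicted_env("j_admin", ..., True)` and `predicted_env("j_role", ..., True)` side by side to see why `-a` on a static-key profile leaves AWS_PROFILE unset while the role profile gets `auto-refresh-j_role`. On the `Awsume` path the long-term keys themselves land in the shell environment, so anything that dumps the environment (like the `ENV | grep AWS` used above) will display them.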

mbarneyjr commented 5 years ago

I believe we resolved any misunderstanding, but if you're still having problems feel free to open a new issue or re-open this one!

Hobart2967 commented 10 months ago

> A role profile is a profile that has a role_arn (the IAM role that the profile will use). It doesn't look like any of your profiles have a role_arn, meaning they are non-role profiles (typically IAM users). Autoawsume is not designed for non-role profiles, it will only work for role profiles.
>
> The idea behind autoawsume is this: You can get a session token for an IAM user for 12 hours. Roles default to a maximum of 1 hour. What autoawsume does is get a session token for the role's source (user) profile which is valid for 12 hours, and every hour (for 12 hours) it will re-assume the role and update the credentials to the new credentials, all in the background so you don't notice. So for that reason, it doesn't make sense to use autoawsume on a non-role profile.
>
> It also appears that there are no mfa_serial options on your profiles, meaning MFA isn't configured for those keys. Since MFA is not necessary, it will not make the get-session-token call, it will simply export the environment variables to the values found in the config/credentials files, which explains why you are not seeing the "User profile credentials valid until ..." message. The access keys are long-term (valid for forever or until they are deleted). And since you're not assuming a role, you aren't getting the "Role profile credentials valid until ..." message

I would love to use awsume for both, as I kind of don't see myself using two tools for logging in. I have profiles that do not require a role_arn, and I've got ones requiring it.