The server part of this tool (--server) is extremely useful when doing local development that requires AWS services. Being able to simulate the metadata service with auto-renewing tokens is a blessing.
Having said this, the experience can be improved just a tad. Currently, the server only works if passed some other command, which requires doing something like
aws-vault exec phenix --server sh
or
aws-vault exec phenix --server node -- -e 'console.log(\"Running\");setTimeout(()=>{},1000*60*60*24*10);'
but even here, there are some very strange behaviors. For ex, if I start this in the morning, it will happily run all day w/o issues. If I forget to turn it off and my laptop goes to sleep overnight, the next day, i have to completely kill the terminal where this is running as stdin gets really messed up, then also kill the aws-vault processes.
It's such a useful feature, but it requires daily tinkering. Why not clean this up a bit and allow it as a standalone feature? Something like
aws-vault server [profile]
that allows clean interrupts and maybe outputs some logs when it's used, or token is renewed?
you dont need to pass commands, as it will run as a daemon
aws-vault --debug exec phenix --server
is all you need. anywhere in your laptop will reach the metadata server.
it is a terrible security risk to keep this long running (like next day). please make sure you terminate your session when you dont need it
as it will run as a daemon
Does it though? It seems to open a new shell, and the server is only working while that shell's process is running. If you exit that shell, the server stops.
that is the current behaviour.
but you can access it from anywhere
Right, that's what this issue was suggesting, improving this feature and making it a bit friendlier, more prominent.. for ex, running --server would just display the output of the server, allowing me to kill it with ctrl-c. In its current state, I have to take extra care not to lose track of this shell and accidentally close it (when you have 10+ tabs in iTerm, this can be an issue)
given that for security reasons you shouldnt be long-running this, if you kill it, should be a problem... just launch it again.
This app shouldn't be prescriptive in how I choose to manage my security. All I'm saying is that the current behavior is very unnatural, for any cli command. Its just weird to run a command which just gives you a new shell, without any indication of what's happening behind the scenes. It's just not good UX, imo.
Hey @astanciu! Thanks for the kind words and feedback, I've encountered the rough edges on --server too, and I wrote it 😀
There is one particular bug https://github.com/99designs/aws-vault/issues/102 which seems to manifest on sleep. Perhaps follow that one for the fixes for needing to kill the long running process.
I'm going to re-open this bug, I think what you've suggested is totally valid. I will say, my belief is that good software IS prescriptive, especially with security. That is why we build aws-vault, because humans are generally bad at the nuance involved in security best-practice. That said, sometimes we get it wrong, and it's important to discuss.
I wrote some notes on the implementation details of --server over in https://github.com/99designs/aws-vault/pull/174#issuecomment-340921440.
It's complicated enough that I forget the hows and whys of it and need to look them up when I work on it, but it's a really robust design from a security perspective (IMO), it's just a kind of lousy experience.
Thanks for the details @lox, very helpful. I submitted a simple PR (#224) that solves at least the issue I described. (not really a go dev here, may not be up to par, but at least illustrates a simple change that improves the UX)
Is this what aws-vault server is meant for?
pda@paulbookpro ~ ❯ aws-vault server --help
usage: aws-vault server
Run an ec2 instance role server locally
Flags:
--help Show context-sensitive help (also try --help-long and --help-man).
--version Show application version.
--debug Show debugging output
--backend=BACKEND Secret backend to use [keychain file]
--prompt=terminal Prompt driver to use [terminal osascript]
--keychain="aws-vault" Name of macOS keychain to use, if it doesn't exist it will be created
I've never used it, and only get errors from it:
pda@paulbookpro ~ ❯ aws-vault server
aws-vault: error: Server failed: exit status 1
pda@paulbookpro ~ ❯ aws-vault server foo
aws-vault: error: unexpected foo, try --help
Currently aws-vault server is a "hidden" command used by aws-vault exec --server see https://github.com/99designs/aws-vault/pull/174#issuecomment-340921440 for some more details on that split.
I think it would be super sensible to make it a first-class thing though and figure out how to handle the current implementation detail of spinning up a server on the privileged address differently.
Similarly to this, I think the main feature is missing is being able to see the logs of aws-vault server as they go STDOUT of the backgrounded shell.
@pda make sure you use sudo or run it with root privs as it needs to do TCP trickery on your host
sudo aws-vault server
It appears though that it does not start all the services, so you can get some metadata but the /credentials/ endpoint is not able to source the data from the 9099 server.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.