Aws-vault: Unable to use `--no-session` to avoid role-chaining on v5.1.0

Created on 8 Jan 2020  路  5Comments  路  Source: 99designs/aws-vault

Hi all,

My goal is to directly assume a role to avoid role chaining in certain circumstances where I need a longer-lived session. I was able to achieve this with v4.x.x but am having trouble doing the same thing on v5.1.0.

My redacted config:

[profile hub]
region=us-west-2
mfa_serial=arn:aws:iam::<hub>:mfa/<me>

[profile spoke]
source_profile=hub
region=us-west-2
role_arn=arn:aws:iam::<spoke>:role/<me>
mfa_serial=arn:aws:iam::<hub>:mfa/<me>

Prior to v5.x.x, I was able to do the following:

$ aws-vault exec -n --assume-role-ttl=8h spoke -- aws s3 ls

Now, I try to do the following:

$ aws-vault --debug exec -d 8h -n spoke -- aws s3 ls

and receive the following output:

$ aws-vault --debug exec -d 8h -n spoke -- aws s3 ls
2020/01/08 10:05:37 [keyring] Considering backends: [pass]
2020/01/08 10:05:37 Loading config file /home/<me>/.aws/config
2020/01/08 10:05:37 Parsing config file /home/<me>/.aws/config
2020/01/08 10:05:37 Looking up keyring for 'spoke'
aws-vault: error: exec: Failed to get credentials for spoke: The specified item could not be found in the keyring

this appears to occur regardless of my use of -d. I've also tried this with parent_profile=hub in the spoke profile, but identical debug output and an error message is produced.

Most helpful comment

@mtibben My goal was just to use aws-vault to assume the spoke role directly to avoid role chaining (and 1h TTL) which I was doing in v4.x.x, is that no longer possible?

The use case I'm talking about is documented here under bullet point 1.

All 5 comments

You'll need to aws-vault exec -n hub in this case, you don't have any stored credentials under spoke

@mtibben My goal was just to use aws-vault to assume the spoke role directly to avoid role chaining (and 1h TTL) which I was doing in v4.x.x, is that no longer possible?

The use case I'm talking about is documented here under bullet point 1.

Same problem here, in the described scenario I don't want to exec into the hub account I want to use the hub credentials to assume the spoke role without any session.

Another problem: --no-session flag is no longer supported for the login command. How should I login without a session now to ignore the 1h session limit for assumed roles?

We too were using role assumption without a session in v4 to support developer role sessions >1h and have been unable to determine a workaround in v5.

Yes this seems surprising to me --

I can still use role-chaining for aws-vault with aws-vault exec PROFILE --no-sessions -- bash to have long running privileged shells.

I'd love to bring back support for aws-vault login --no-sessions PROFILE as I use that every day to open a console that stays logged in for more than ~15 minutes~ 1 hour. I don't want to have login that many times a day...

If this was intentional I can fork and patch, but if this was a bug I'm happy to stay on 4.x and wait.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

kevinburke picture kevinburke  路  5Comments

shivaman picture shivaman  路  6Comments

prelegalwonder picture prelegalwonder  路  5Comments

ifunky picture ifunky  路  4Comments

afedulov picture afedulov  路  3Comments