aws-vault rotate dev
Key has been rotated
aws-vault: error: rotate: InvalidClientTokenId: The security token included in the request is invalid
status code: 403, request id: fc876515-4306-4dbd-835d-af2750f87ea7
2020/02/28 13:11:24 aws-vault v5.3.2
2020/02/28 13:11:24 [keyring] Considering backends: [keychain pass file]
2020/02/28 13:11:24 Loading config file /Users/karun/.aws/config
2020/02/28 13:11:24 Parsing config file /Users/karun/.aws/config
2020/02/28 13:11:24 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2020/02/28 13:11:24 [keyring] Found 6 results
Rotating credentials stored for profile 'dev' using a session from profile 'dev' (takes 10-20 seconds)
2020/02/28 13:11:24 Looking up keyring for 'dev'
2020/02/28 13:11:24 [keyring] Querying keychain for service="aws-vault", account="dev", keychain="aws-vault.keychain"
2020/02/28 13:11:24 [keyring] Found item "aws-vault (dev)"
2020/02/28 13:11:24 Rotating access key ****************BRHH
Creating a new access key
2020/02/28 13:11:24 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2020/02/28 13:11:24 [keyring] Found 6 results
2020/02/28 13:11:24 profile dev: using stored credentials
2020/02/28 13:11:24 profile dev: using GetSessionToken
2020/02/28 13:11:24 Looking up keyring for 'dev'
2020/02/28 13:11:24 [keyring] Querying keychain for service="aws-vault", account="dev", keychain="aws-vault.keychain"
2020/02/28 13:11:24 [keyring] Found item "aws-vault (dev)"
2020/02/28 13:11:25 Generated credentials ****************B2KB using GetSessionToken, expires in 59m58.781348s
aws-vault: error: rotate: InvalidClientTokenId: The security token included in the request is invalid
status code: 403, request id: fc876515-4306-4dbd-835d-af2750f87ea7
[profile production]
region=eu-west-1
[profile dev]
region=eu-west-1
[default]
region=eu-west-1
s3=
max_concurrent_requests = 50
@anaynayak ran this command on v4.5.1 and it worked fine for him. Once he upgraded it v5.3.2, the command stopped working. This bug seems like a regression.
+1
In 5.3.2 it only works with -n (aws-vault rotate -n <profile>), but in 4.5.1 it worked without.
Looking at the debug log more closely, in 4.5.1 it said
Skipping session token and using master credentials directly
while in 5.3.2 it tries to use a session. In my case I think it's failing because I'm not passing MFA.
Just tried this out with 5.3.2 and it works fine with -n. Both @anaynayak and I have MFA setup on our accounts.
@mtibben Why has this issue been closed? aws-vault rotate <profile> simply does not work without --no-session.
@razorsedge IAM operations with temporary credentials require MFA if you have it enabled on your user. This means you need to set up MFA for aws-vault, as explained in the docs, or use --no-session and perform the rotation with your long-lived credentials.
This issue was opened because rotate used to have an implied --no-session, it was then removed (correctly, IMO) and now it must be explicitly specified. I see no bug.
The "bug" as I see it, is in the lack of documentation on rotate. How is one supposed to learn that --no-session is the solution when presented with the cryptic "Actual response" output above? That is poor UX. The only documentation is this issue #536.
I also do not see a requirement of MFA in the docs for rotate. I get this exact error rotating an account with MFA and a different account without MFA available.
@mpitt's explanation is clear and makes sense to me. I, much like @razorsedge, wish that running aws-vault rotate --help would explain why I need to use --no-session for my MFA enabled AWS accounts.
I get this exact error rotating an account with MFA and a different account without MFA available.
This is definitely worth looking into as well.
I'm happy to rewrite this to a ticket requesting rewrite of the documentation if someone can help open this again.
Most helpful comment
Just tried this out with 5.3.2 and it works fine with
-n. Both @anaynayak and I have MFA setup on our accounts.