aws-vault using pass doesn't find gpg key

Created on 4 Nov 2020  ยท  5Comments  ยท  Source: 99designs/aws-vault

Version: v6.2.0
Platform: WSL Ubuntu 18.04

Issue: When using the pass backend / cmd, aws-vault is unable to find the correct gpg key. The line in the debug output that is particularly suspect to me is 2020/11/04 12:07:14 Looking up keyring for 'root' as this seems to indicate that its trying to find an ID in gpg that is my aws profile name instead of the ID specified when I did pass init. I don't understand how this could be aws-vault specific, but I know if I run pass manually it works just fine.

If I run pass manually and authenticate gpg, then aws-vault works fine until my gpg agent session times out.

aws config:

[profile root]
region=us-east-1
output=json
credential_process = aws-vault --debug exec root --json --prompt=pass

Env Vars:

AWS_VAULT_BACKEND=pass
AWS_VAULT_PASS_CMD=pass
AWS_VAULT_PASS_PASSWORD_STORE_DIR=/home/myuser/.password-store
AWS_VAULT_PROMPT=pass
AWS_VAULT_PASS_PREFIX=aws-vault
AWS_PROFILE=root

Example:

$> aws s3 ls
Error when retrieving credentials from custom-process: 2020/11/04 12:07:14 aws-vault v6.2.0
2020/11/04 12:07:14 Loading config file /home/myuser/.aws/config
2020/11/04 12:07:14 Parsing config file /home/myuser/.aws/config
2020/11/04 12:07:14 [keyring] Considering backends: [pass]
2020/11/04 12:07:14 Profile 'default' missing in config file
2020/11/04 12:07:14 profile root: using stored credentials
2020/11/04 12:07:14 profile root: using GetSessionToken
gpg: decryption failed: No secret key
2020/11/04 12:07:14 Using STS endpoint https://sts.amazonaws.com
2020/11/04 12:07:14 Looking up keyring for 'root'
gpg: decryption failed: No secret key
aws-vault: error: exec: Failed to get credentials for root: exit status 2

When executing pass manually:

$> pass aws-vault/root

<.. screen refreshes and prompts for gpg pass ..>

                                                                                                          โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
                                                                                                          โ”‚ Please enter the passphrase to unlock the OpenPGP secret key:      โ”‚
                                                                                                          โ”‚ "Andrew Replogle (Pass Vault ID) <[email protected]>"  โ”‚
                                                                                                          โ”‚ 3072-bit RSA key, ID C6B0665E7ED16D98,                             โ”‚
                                                                                                          โ”‚ created 2020-11-04 (main key ID F9B90A6EE9EED2DC).                 โ”‚
                                                                                                          โ”‚                                                                    โ”‚
                                                                                                          โ”‚                                                                    โ”‚
                                                                                                          โ”‚ Passphrase: ______________________________________________________ โ”‚
                                                                                                          โ”‚                                                                    โ”‚
                                                                                                          โ”‚          <OK>                                      <Cancel>        โ”‚
                                                                                                          โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

<.. I enter the password and hit ok ..>
{"Key":"root","Data":"eyJBY2XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXI6IiJ9","Label":"aws-vault (root)","Description":"","KeychainNotTrustApplication":true,"KeychainNotSynchronizable":false}

Most helpful comment

Found a post that suggested the following:

export GPG_TTY=$(tty)

I don't know why but this resolved my issue. Will submit a PR for USAGE.md to add a note to PASS related usage.

All 5 comments

Found a post that suggested the following:

export GPG_TTY=$(tty)

I don't know why but this resolved my issue. Will submit a PR for USAGE.md to add a note to PASS related usage.

Found a post that suggested the following:

export GPG_TTY=$(tty)

I don't know why but this resolved my issue. Will submit a PR for USAGE.md to add a note to PASS related usage.

had the same issue exactly

export GPG_TTY=$(tty)

With ZSH , I found a post that said to use export GPG_TTY=$TTY instead. So far its working out well for me.

FYI - I tried to submit a PR for updates to the documentation for a workaround but the maintainers aren't interested and I guess would rather just have people struggle with the issue on their own.

https://github.com/99designs/aws-vault/pull/687

Found a post that suggested the following:

export GPG_TTY=$(tty)

I don't know why but this resolved my issue. Will submit a PR for USAGE.md to add a note to PASS related usage.

Had the same Issue, its still there. Thank for the solution post.

Was this page helpful?
0 / 5 - 0 ratings