Ability to use AWS SSO profiles with vpk download and vpk upload
When using vpk download s3 and vpk upload s3 it is not possible to utilize the currently logged in aws sso account. We try to use aws sso locally so that we don't have to rotate access keys regularly.
Describe the solution you'd like
An added --profile option to vpk download s3 and vpk upload s3 that would operate the same way the aws cli does. When provided it would try to use the aws sso profile provided instead of expecting an access key.
I am happy to help with a PR. I would implement it similar to what is suggested here: https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/sso.html#sso-generate-use-token-overview.
For anyone looking for a workaround now, this is what we currently do in msbuild; the same cli commands could be used elsewhere, though:
<Exec Command="aws configure export-credentials --profile PROFILE_NAME | jq -r .AccessKeyId" ConsoleToMsBuild="true">
    <Output TaskParameter="ConsoleOutput" PropertyName="AWSKeyId" />
</Exec>
<Exec Command="aws configure export-credentials --profile PROFILE_NAME | jq -r .SecretAccessKey" ConsoleToMsBuild="true">
    <Output TaskParameter="ConsoleOutput" PropertyName="AWSSecretKey" />
</Exec>
<Exec Command="aws configure export-credentials --profile PROFILE_NAME | jq -r .SessionToken" ConsoleToMsBuild="true">
    <Output TaskParameter="ConsoleOutput" PropertyName="AWSSessionToken" />
</Exec>
<Exec Command="vpk download s3 --region us-east-2 --bucket BUCKET_NAME --keyId $(AWSKeyId) --secret $(AWSSecretKey) --session $(AWSSessionToken)" />
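As an added illustration of the proposed `--profile` option (example code, not the issue author's or Velopack's own implementation), this shows how a named profile, including an SSO profile, can be resolved with the AWS SDK for .NET and handed to an S3 client. The class and method names are assumed; the SDK types (`CredentialProfileStoreChain`, `SSOAWSCredentials`, `SsoVerificationArguments`) are real, and the AWSSDK.SSO and AWSSDK.SSOOIDC packages must be referenced for SSO profiles to resolve, as the linked SDK docs describe.

```csharp
// Added example: resolving credentials for a hypothetical `--profile` option.
// NuGet packages needed: AWSSDK.S3, AWSSDK.SSO, AWSSDK.SSOOIDC.
using System;
using Amazon;
using Amazon.Runtime;
using Amazon.Runtime.CredentialManagement;
using Amazon.S3;

static class ProfileCredentials // hypothetical helper, not part of vpk
{
    // Looks up `profileName` in ~/.aws/config and ~/.aws/credentials.
    // For an SSO profile the SDK returns SSOAWSCredentials, which reads the
    // token cached by `aws sso login`; the callback is only invoked when that
    // cache is missing or expired and an interactive login is required.
    public static AWSCredentials Resolve(string profileName,
                                         Action<SsoVerificationArguments> ssoLoginCallback)
    {
        var chain = new CredentialProfileStoreChain();
        if (!chain.TryGetAWSCredentials(profileName, out var credentials))
            throw new InvalidOperationException(
                $"AWS profile '{profileName}' was not found or could not be resolved.");

        if (credentials is SSOAWSCredentials sso)
            sso.Options.SsoVerificationCallback = ssoLoginCallback;

        return credentials;
    }

    // Builds the S3 client the way a `--profile` option would, so no long-lived
    // access key or secret has to be passed on the command line.
    public static AmazonS3Client CreateS3Client(string profileName, string region)
    {
        var creds = Resolve(profileName, args =>
        {
            // Tell the operator where to complete the browser login; the
            // verification URI and user code are not secrets.
            Console.WriteLine(
                $"Open {args.VerificationUriComplete} and confirm code {args.UserCode}");
        });
        return new AmazonS3Client(creds, RegionEndpoint.GetBySystemName(region));
    }
}
```

When `--profile` is omitted, `new AmazonS3Client(RegionEndpoint...)` without explicit credentials falls back to the SDK default chain, which is the behaviour the tests below exercise.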
My understanding is that this is already possible? If --session is specified do you still need to provide a secret?
Also, if you do not provide an access key/secret, it will use the AWS SDK default authentication (which will discover locally saved credentials, e.g. if logged in with the aws cli).
Hi @caesay, thanks for the response. Unfortunately this does not seem to work with sso profiles. Here are a few tests I did after logging into the aws cli via aws sso login --profile PROFILE_NAME. Note: I do not have a default profile set up, but I have tested all of this with a default sso profile as well, with the same results.
The documentation here https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/sso.html seems to suggest that in the aws .net sdk there are additional steps required to use sso profile credentials.
Test 1: No credentials passed (FAIL)
vpk download s3 --region REGION --bucket BUCKET_NAME
Result
5> [09:59:53 INF] Velopack CLI 0.0.594, for distributing applications.
5> [09:59:53 INF] Fetching releases for channel win...
5> [09:59:53 INF] Downloading releases.win.json...
5> [10:00:25 ERR] Unable to get IAM security credentials from EC2 Instance Metadata Service., retrying in 1 second.
5> [10:00:26 INF] (retry 1) Downloading releases.win.json...
Test 2: Only session and keyid passed (FAIL)
vpk download s3 --region REGION --bucket BUCKET_NAME --keyId AWS_ACCESS_KEY_ID --session AWS_SESSION_TOKEN
Result
5> [09:55:14 ERR] Value cannot be null. (Parameter 'awsSecretAccesskey'), will not try again.
5> [09:55:14 FTL] Value cannot be null. (Parameter 'awsSecretAccessKey')
5> System.ArgumentNullException: Value cannot be null. (Parameter 'awsSecretAccessKey')
5>    at Amazon.Runtime.SessionAWSCredentials..ctor(String awsAccessKeyId, String awsSecretAccesskey, String token)
5>    at Amazon.Runtime.AmazonServiceClient..ctor(String awsAccessKeyId, String awsSecretAccessKey, String awsSessionToken, ClientConfig config)
5>    at Amazon.S3.AmazonS3Client..ctor(String awsAccessKeyId, String awsSecretAccesskey, String awsSessionToken, AmazonS3Config clientConfig)
5>    at Velopack.Deployment.S3Repository.CreateClient(S3DownloadOptions options) in ./vpk/Velopack.Deployment/S3Repository.cs:line 118
5>    at Velopack.Deployment.ObjectRepository`3.GetReleasesAsync(TDown options) in ./vpk/Velopack.Deployment/_ObjectRepository.cs:line 41
5>    at Velopack.Deployment.DownRepository`1.RetryAsyncRet[T](Func`1 block, String message, Int32 maxRetries) in ./vpk/Velopack.Deployment/_Repository.cs:line 126
5>    at Velopack.Deployment.DownRepository`1.RetryAsyncRet[T](Func`1 block, String message, Int32 maxRetries)
5>    at Velopack.Deployment.DownRepository`1.DownloadLatestFullPackageAsync(TDown options) in ./vpk/Velopack.Deployment/_Repository.cs:line 68
5>    at Velopack.Vpk.ProgramCommandExtensions.<>c__DisplayClass3_0`2.<<Add>b__0>d.MoveNext() in ./vpk/Velopack.Vpk/Program.cs:line 259
Test 3: No creds passed but with AWS_PROFILE env variable set (FAIL)
vpk download s3 --region REGION --bucket BUCKET_NAME
Result
5> [10:21:07 INF] Velopack CLI 0.0.594, for distributing applications.
5> [10:21:07 INF] Fetching releases for channel win...
5> [10:21:07 INF] Downloading releases.win.json...
5> [10:21:39 ERR] Unable to get IAM security credentials from EC2 Instance Metadata Service., retrying in 1 second.
5> [10:21:40 INF] (retry 1) Downloading releases.win.json...
Test 4: AccessKeyId and Secret key added as options (FAIL)
vpk download s3 --region REGION --bucket BUCKET_NAME --keyId AWS_ACCESS_KEY_ID --secret AWS_SECRET_KEY
Result
5> [10:24:28 INF] Velopack CLI 0.0.594, for distributing applications.
5> [10:24:28 INF] Fetching releases for channel win...
5> [10:24:28 INF] Downloading releases.win.json...
5> [10:24:28 ERR] The AWS Access Key Id you provided does not exist in our records., retrying in 1 second.
5> [10:24:29 INF] (retry 1) Downloading releases.win.json...
Test 5: All three options set (SUCCESS)
vpk download s3 --region REGION --bucket BUCKET_NAME --keyId AWS_ACCESS_KEY_ID --secret AWS_SECRET_KEY --session AWS_SESSION_TOKEN
Result
5> [10:26:12 INF] Velopack CLI 0.0.594, for distributing applications.
5> [10:26:12 INF] Fetching releases for channel win...
5> [10:26:12 INF] Downloading releases.win.json...
5> [10:26:13 INF] Found 1 release(s) in remote file
Happy for you to send a PR if this can be improved
Heya, any update on this? If you're not planning on sending a PR I'm going to close this as not planned, since I don't have the setup necessary to test this.