
Unable to decrypt credentials file when using pass backend

Open doolio opened this issue 2 years ago • 4 comments

  • [X] I am using the latest release of AWS Vault

Yes, v7.2.0 installed via asdf.

$ aws-vault --version
v7.2.0
  • [X] I have provided my ~~.aws/config (redacted if necessary)~~ AWS_CONFIG_FILE="${XDG_CONFIG_HOME}/aws/config"

[default]
region = us-east-1
output = json

[profile iamadmin-saa-mgmt]

[profile iamadmin-saa-prod]

I also have the following environment variables set:

AWS_VAULT_BACKEND="pass"
AWS_VAULT_PASS_PREFIX="aws-vault"  # set because I already have an existing password-store

My profile credentials are stored in

~/.password-store/aws-vault/iamadmin-saa-mgmt
~/.password-store/aws-vault/iamadmin-saa-prod

$ aws-vault list
Profile                  Credentials              Sessions                 
=======                  ===========              ========                 
default                  -                        -                        
iamadmin-saa-mgmt        iamadmin-saa-mgmt        -                        
iamadmin-saa-prod        iamadmin-saa-prod        -

  • [X] I have provided the debug output using aws-vault --debug ~~(redacted if necessary)~~

[image: screenshot of the aws-vault --debug output]

I checked #686 and I already had $GPG_TTY=$(tty) set and exported, so it is not the same issue. Now my primary GPG key is stored in a Trezor model-T and I am prompted on it when I need to decrypt a file in my password-store. This works well when not using aws-vault because my password-store was initialised with my TREZOR-based GPG identity.

However, you can see from the aws-vault command output above that it is not working when aws-vault is in the loop. What is the significance of the --prompt flag? I understand from #1185 one used to be able to set this to "pass". Could the removal of this option be why I don't get prompted on my hardware-based token?

I don't think the mfa_process option will work as I'm not using pass to generate an OTP. I have MFA access set up on my two profiles and am using a software-based MFA device. If I include the mfa_serial identifier in my profile I get prompted to enter the OTP, but it still doesn't work.

Any ideas? Thanks for your time.

doolio avatar Nov 17 '23 15:11 doolio

Same for me, I get the error below:

gpg: XXXXXXXXXXXXXXXXXXXXXXXXX: skipped: No public ke
gpg: [stdin]: encryption failed: No public key
Password encryption aborted.
aws-vault: error: exec: Failed to get credentials for dil-icompass-dev: exit status 1

dil-mezzy avatar Nov 20 '23 14:11 dil-mezzy

Despite what I stated above, I think this is somehow related to #686. I think aws-vault creates a subshell (for some or all of its subcommands?) where, for whatever reason, the setting of GPG_TTY is not inherited and so returns "not a tty".

doolio avatar Nov 20 '23 15:11 doolio

changed AWS_VAULT_BACKEND=pass to AWS_VAULT_BACKEND=file and it worked.

Command:

export AWS_VAULT_BACKEND=file
export GPG_TTY="$( tty )"

dil-mezzy avatar Nov 24 '23 17:11 dil-mezzy
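The GPG_TTY inheritance hypothesis two comments up and the `export GPG_TTY="$( tty )"` workaround just above can both be checked outside aws-vault. The POSIX shell script below is an added diagnostic, not code from this issue or from the aws-vault project; its function names and the sample device paths are assumptions. It tests the two conditions that matter for a gpg pin prompt launched from a child process chain (aws-vault, then pass, then gpg): whether GPG_TTY is actually exported rather than only assigned in the interactive shell, and what `tty` reports when its stdin is not a terminal (the "not a tty" string that then ends up stored in GPG_TTY).

```shell
#!/bin/sh
# Added diagnostic script; not part of aws-vault or of this issue thread.
# Function names and the sample device paths used here are assumptions.
#
# Two things decide whether gpg (spawned by pass, spawned by aws-vault)
# can find the terminal for its pin prompt:
#   1. GPG_TTY must be exported, not merely assigned in the interactive
#      shell, or the child process chain never sees it.
#   2. `tty` reports a terminal only when *its* stdin is a terminal; with
#      stdin redirected it prints "not a tty" and exits non-zero, and
#      GPG_TTY="$(tty)" then stores that string instead of a device path.

# Returns 0 if the variable named in $1 is visible to a freshly started
# child process (i.e. it is in the exported environment), else 1.
# The check runs in a real child shell rather than inspecting the current
# shell, because that is exactly what gpg launched by pass would see.
var_visible_to_child() {
    sh -c 'eval "v=\${$1:-}"; [ -n "$v" ]' _ "$1"
}

# Prints what `tty` reports when its stdin comes from the file in $1
# (e.g. /dev/null). The non-zero exit status is swallowed so the caller
# can compare the printed text.
tty_report() {
    tty <"$1" 2>/dev/null || true
}

# Returns 0 only if GPG_TTY is exported and looks like a device path.
# An unexported value or the literal "not a tty" both return 1.
gpg_tty_ok() {
    var_visible_to_child GPG_TTY || return 1
    case "$GPG_TTY" in
        /dev/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Report on the current shell environment without modifying it.
echo "tty with stdin from /dev/null reports: '$(tty_report /dev/null)'"
if gpg_tty_ok; then
    echo "GPG_TTY=$GPG_TTY is exported and names a device: gpg can prompt"
else
    echo "GPG_TTY is unset, not exported, or not a device path: expect gpg to fail to prompt"
fi
```

Run it from the same shell session in which aws-vault is invoked; if it reports that GPG_TTY is not exported or holds "not a tty", gpg under pass under aws-vault has no terminal to prompt on, regardless of whether the key lives on a hardware token.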

> changed AWS_VAULT_BACKEND=pass to AWS_VAULT_BACKEND=file and it worked.

[image: screenshot of the failing aws-vault output]

Not for me, but I'm not surprised. How is this then using pass as the backend?

doolio avatar Nov 24 '23 17:11 doolio

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

github-actions[bot] avatar May 23 '24 10:05 github-actions[bot]