aws-vault
pass otp prompt method does not respect config options
- [x] I am using the latest release of AWS Vault
- [x] I have provided my `.aws/config` (redacted if necessary)
- [x] I have provided the debug output using `aws-vault --debug` (redacted if necessary)
None of the pass-specific options are respected by the otp prompt code. If I were to attempt to fix it myself I'd likely end up duplicating the code from https://github.com/99designs/keyring/blob/master/pass.go.

The `.aws/config`:

```ini
[profile test]
region=eu-west-1
mfa_serial = arn:aws:iam::123456789:mfa/testuser
```
An example with debug output:

```
$ aws-vault --pass-dir=~/.pass/awsvault/ --debug exec test
2020/10/28 09:22:28 aws-vault v6.2.0
2020/10/28 09:22:28 Loading config file /home/testuser/.aws/config
2020/10/28 09:22:28 Parsing config file /home/testuser/.aws/config
2020/10/28 09:22:28 [keyring] Considering backends: [pass]
aws-vault: error: exec: Error getting temporary credentials: profile test: credentials missing
```
The contents of the alternate pass-dir:

```
$ PASSWORD_STORE_DIR=~/.pass/awsvault pass ls
Password Store
├── arn:aws:iam::123456789:mfa
│   └── testuser
└── test
```
If I explicitly set `PASSWORD_STORE_DIR` myself it will work, though it's undesirable to keep that variable on the environment:

```
$ PASSWORD_STORE_DIR=~/.pass/awsvault aws-vault --debug exec test -- aws eks list-clusters
2020/10/28 09:34:11 aws-vault v6.2.0
2020/10/28 09:34:11 Loading config file /home/testuser/.aws/config
2020/10/28 09:34:11 Parsing config file /home/testuser/.aws/config
2020/10/28 09:34:11 [keyring] Considering backends: [pass]
2020/10/28 09:34:11 profile test: using stored credentials
2020/10/28 09:34:11 profile test: using GetSessionToken (with MFA)
2020/10/28 09:34:11 Fetching MFA code using `pass otp arn:aws:iam::123456789:mfa/testuser`
2020/10/28 09:34:13 Using STS endpoint https://sts.amazonaws.com
2020/10/28 09:34:13 Looking up keyring for 'test'
2020/10/28 09:34:14 Generated credentials ******************** using GetSessionToken, expires in 59m59.704781359s
```
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
The original debug output reported above is slightly incorrect; here's the current error output:

```
$ aws-vault --pass-dir=/home/benbrown/.pass/awsvault/ --debug exec test
2021/06/09 12:28:58 aws-vault v6.3.1
2021/06/09 12:28:58 Loading config file /home/benbrown/.aws/config
2021/06/09 12:28:58 Parsing config file /home/benbrown/.aws/config
2021/06/09 12:28:58 [keyring] Considering backends: [pass]
2021/06/09 12:28:58 profile test: using stored credentials
2021/06/09 12:28:58 profile test: using GetSessionToken (with MFA)
2021/06/09 12:28:58 Fetching MFA code using `pass otp arn:aws:iam::123456789:mfa/testuser`
arn:aws:iam::123456789:mfa/testuser: passfile not found.
aws-vault: error: exec: Failed to get credentials for test: pass: exit status 1
```
I'm seeing this issue as well. Specifically, `AWS_VAULT_PASS_PASSWORD_STORE_DIR` is accepted as an argument or environment variable (https://github.com/99designs/aws-vault/blob/master/cli/global.go#L106-L108) but not used by the pass prompt driver (https://github.com/99designs/aws-vault/blob/master/prompt/passotp.go).
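As an added illustration (not aws-vault's own `passotp.go`), the following shows how a `pass otp` prompt driver can pass the configured store directory to the child process via `PASSWORD_STORE_DIR`, so the variable never has to live in the caller's shell. The helper names `childEnv`, `passOTPCommand` and `fetchOTP` are hypothetical; the MFA serial is the one from the issue's config.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// childEnv returns base with PASSWORD_STORE_DIR set to dir, replacing any
// existing value. An empty dir leaves base untouched (pass uses its default).
func childEnv(base []string, dir string) []string {
	if dir == "" {
		return base
	}
	var out []string
	for _, kv := range base {
		if !strings.HasPrefix(kv, "PASSWORD_STORE_DIR=") {
			out = append(out, kv)
		}
	}
	return append(out, "PASSWORD_STORE_DIR="+dir)
}

// passOTPCommand builds `pass otp <mfaSerial>` with the store directory
// exported only to the child process (hypothetical helper, not aws-vault's).
func passOTPCommand(storeDir, mfaSerial string) *exec.Cmd {
	cmd := exec.Command("pass", "otp", mfaSerial)
	cmd.Env = childEnv(os.Environ(), storeDir)
	return cmd
}

// fetchOTP runs the command and returns the trimmed one-time code; a pass
// failure such as "passfile not found." surfaces through the wrapped error.
func fetchOTP(storeDir, mfaSerial string) (string, error) {
	out, err := passOTPCommand(storeDir, mfaSerial).Output()
	if err != nil {
		return "", fmt.Errorf("pass otp %s: %w", mfaSerial, err)
	}
	return strings.TrimSpace(string(out)), nil
}

func main() {
	serial := "arn:aws:iam::123456789:mfa/testuser" // from the issue's config
	code, err := fetchOTP(os.Getenv("AWS_VAULT_PASS_PASSWORD_STORE_DIR"), serial)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(code)
}
```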