aws-vault
Feature Change `aws-vault exec <PROFILE> -j` from JSON export to Env Variable Format
It would be nice to change the command aws-vault exec <PROFILE> -j from outputting a JSON string into a format for Windows, Linux, and Darwin systems to ingest and use as environment variables.
Example:
Current format:
{"Version":1,"AccessKeyId":"ASIAYDSYEXAMPLE","SecretAccessKey":"daNFa4syx+jils4cs3itjjCpTJB1EXAMPLE","SessionToken":"EXAMPLE//////wEaDOCAP6Eysb4oL4IIYCKBAWEETkjEXAMPLE2CPvbtkuKcvExample.p8bfBM1s87VmPSUAAHPyf/IeRxilkx+a+g4fzUKHdV45AnpyGU+cXN5OScZkg9bb9FfESU0iUQm4ksAyGL5px0KVX7ANIvkpLNN2l5U8Im/wGQBeC5gyit1PqCBjIo/ww9r8EQjLkXtSkUawcV4eTzIgfAEXAMPLEEXAMPLE","Expiration":"2021-03-27T04:39:45Z"}%
Proposed Format for Linux/Mac:
export AWS_ACCESS_KEY_ID=ASIAYDSYEXAMPLE
export AWS_SECRET_ACCESS_KEY=daNFa4syx+jils4cs3itjjCpTJB1EXAMPLE
export AWS_SESSION_TOKEN=EXAMPLE//////wEaDOCAP6Eysb4oL4IIYCKBAWEETkjEXAMPLE2CPvbtkuKcvlx1+gwuVWlmrjB7tp8bfBM1s87VmPSUAAHPyf/IeRxilkx+a+g4fzUKHdV4EXAMPLEXN5OScZkg9bb9FfESU0iUQm4ksAyGL5px0KVX7ANIvkpLNN2l5U8Im/wGQBeC5gyit1PqCBjIo/ww9r8EQjLkXtSkUawcV4eTzIgfAEXAMPLEEXAMPLE
Expiration: 2021-03-27T04:39:45Z
Proposed Format for Windows:
SET AWS_ACCESS_KEY_ID=ASIAYDSYEXAMPLE
SET AWS_SECRET_ACCESS_KEY=daNFa4syx+jils4cs3itjjCpTJB1EXAMPLE
SET AWS_SESSION_TOKEN=EXAMPLE//////wEXAMPLEOCAP6Eysb4oL4IIYCKBAWEETkjEXAMPLE2CPvbtkuKcvlx1+gwuVWlmrjB7tp8bfBM1s87VmPSUAAHPyf/IeRxilkx+a+g4fzUKHdV45AnpyGU+EXAMPLEb9FfESU0iUQm4ksAyGL5px0KVX7ANIvkpLNN2l5U8Im/wGQBeC5gyit1PqCBjIo/ww9r8EQjLkXtSkUawcV4eTzIgfAEXAMPLEEXAMPLE
Expiration: 2021-03-27T04:39:45Z
I have created a fork with the proposed changes here: aws-vault. View file cli/exec.go for details.
Hi there, using aws-vault exec without -j already sets environment variables across platforms. One way to peek at them is to use a shell as your target program, like:
# Mac/Linux
$ aws-vault exec my_profile bash
$ env | grep AWS
# Windows
PS C:\> aws-vault exec my_profile powershell
PS C:\> ls env:AWS*
The -j option is more for when you're using aws-vault as an external credentials source in your AWS CLI profile. Hope this info is useful.
That does help. Thanks. However what other credential process uses this JSON format?
I could see a use-case where someone might want to provide those credentials in a format to be ingested by another computer (the format, I supplied).
(Before I go on making suggestions, I should point out that I don't speak for the maintainers. I'm just a satisfied user with an opinion.)
That does help. Thanks. However what other credential process uses this JSON format?
Hmm, I don't know of anywhere you'd use this JSON format besides the AWS CLI/SDKs.
I could see a use-case where someone might want to provide those credentials in a format to be ingested by another computer (the format, I supplied).
Since aws-vault exec sets environment variables, you can echo them if you need to. Examples:
# Mac/Linux
$ aws-vault exec my_profile -- env | grep "^AWS" | sed -e 's/^/export /'
# Windows
PS C:\> aws-vault exec my_profile -- powershell 'ls env:AWS* | % { write-host -nonewline "set $_.name = $($_.value)`n" }'
Separately, the discussions in #218 or #623 may be useful or interesting for you. The first because it's also about echoing environment variables, and the second because it touches on using the contrib directory for helper scripts that complement aws-vault without changing core behavior.
Thanks a bunch everyone, I appreciate your answers to my questions.
I would also love to see this incorporated into aws-vault itself.
I've been using something similar:
aws_vault_export() {
aws-vault exec "$1" -- env | grep AWS | egrep -v 'AWS_PAGER|AWS_VAULT' | sed -e 's/^/export\ /'
}
I need to exclude AWS_PAGER because it contains spaces. I exclude AWS_VAULT so I can switch between roles within the same shell. I find this workflow more streamlined than opening a subshell for each role. Nested shells get confusing pretty quickly. The alternative is to prefix every single command with aws-vault, but this gets cumbersome as I move between multiple commands that need creds. Plus there's a perceptible delay for every invocation of aws-vault when it makes an AssumeRole call.
Having the above built in to aws-vault would be super nice, and I think comparable to aws-vault exec in terms of security posture, just without the nested shells?
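The two comments above describe the same workflow: let aws-vault exec populate the environment, then turn the env output into export lines. The function below is an added example, not aws-vault's own code and not posted by any commenter; it assumes POSIX sh and an env-style KEY=VALUE stream on stdin (the sample lines are constructed, the aws_vault_exports wrapper is an assumed invocation that mirrors the thread). Instead of dropping AWS_PAGER because its value has spaces, it single-quotes every value, so an eval of the output reproduces each value exactly and never executes shell metacharacters a value might contain; AWS_VAULT is still skipped so roles can be switched within one shell.

```shell
#!/bin/sh
# Added example (not aws-vault's own code): convert `env`-style KEY=VALUE lines
# into safely quoted `export` statements suitable for `eval`.

# Wrap a value in single quotes; an embedded single quote becomes '\'' so the
# value round-trips through eval unchanged (values containing newlines are
# out of scope for this helper).
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Read KEY=VALUE lines on stdin, keep AWS_* except AWS_VAULT, and emit one
# quoted `export` per variable. Spaces (AWS_PAGER) and metacharacters are
# preserved as data rather than interpreted by the shell.
env_to_exports() {
  while IFS= read -r line; do
    case "$line" in
      AWS_VAULT=*) continue ;;   # keep the shell switchable between roles
      AWS_*=*) ;;
      *) continue ;;             # ignore non-AWS variables
    esac
    key=${line%%=*}
    value=${line#*=}
    printf 'export %s=%s\n' "$key" "$(shell_quote "$value")"
  done
}

# Assumed wrapper around aws-vault (not run here): prints exports for a profile.
#   eval "$(aws_vault_exports my_profile)"
aws_vault_exports() {
  aws-vault exec "$1" -- env | env_to_exports
}

# Constructed sample of what `aws-vault exec <profile> -- env` might emit;
# the key material is obviously fake.
demo_exports() {
  printf '%s\n' \
    'AWS_VAULT=my_profile' \
    'AWS_ACCESS_KEY_ID=ASIAEXAMPLE' \
    'AWS_PAGER=less -R' \
    "AWS_SECRET_ACCESS_KEY=abc'def" \
    'HOME=/home/user' \
    | env_to_exports
}

demo_exports
```

Running the block prints three export lines (AWS_VAULT and HOME are filtered); eval'ing them sets AWS_PAGER to `less -R` and keeps the single quote inside the secret intact, which the unquoted `sed -e 's/^/export /'` variant would not.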
I use jq for situations where I need this. You can add this to your ~/.jq file:
def aws_vault_vars:
(
"export AWS_ACCESS_KEY_ID=\(.AccessKeyId)\n"
+ "export AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey)\n"
+ "export AWS_SESSION_TOKEN=\(.SessionToken)\n"
+ "export AWS_SECURITY_TOKEN=\(.SessionToken)\n"
)
;
Then run aws-vault exec -j <profile> | jq -r aws_vault_vars to produce bash-compatible environment variables. It should be pretty easy to adapt for other shells as well.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Thanks @irgeek I like your solution and will give it a go. Still hoping this can be addressed within aws-vault itself. 🤞
After looking into aws-vault exec -j further, it looks like it doesn't provide the AWS region. Whereas aws-vault exec <profile> -- env will set AWS_DEFAULT_REGION and AWS_REGION. I have different profiles with different regions, so unfortunately aws-vault exec -j might not work for me.
Implemented in #1135.