
Can't set credentials for a profile with a `source_profile` directive to itself

Open ArkadyDR opened this issue 3 years ago • 1 comments

  • [x] I am using the latest release of AWS Vault (6.3.1)
  • [x] I have provided my .aws/config (redacted if necessary)
  • [x] I have provided the debug output using aws-vault --debug (redacted if necessary)
```ini
[profile base]
output=json
region=us-west-2
source_profile=base

[profile role]
include_profile=base
role_arn=arn:aws:iam::############:role/################
```

```
λ aws-vault add base --debug
2022/01/07 14:08:23 aws-vault v6.3.1
2022/01/07 14:08:23 [keyring] Considering backends: [wincred]
2022/01/07 14:08:23 Loading config file C:\Users\########\.aws\config
2022/01/07 14:08:23 Parsing config file C:\Users\########\.aws\config
aws-vault: error: add: Your profile has a source_profile of base, adding credentials to base won't have any effect
```

I followed some suggestions in another issue/PR to structure the profiles this way, so that include_profile (the AWS directive) pulls in the source_profile (the AWS-Vault directive) into each of the role profiles in addition to the default region/output directives etc. I thought this was a better way of laying it out as I don't then need to add source_profile to every role profile I create.

I think aws-vault might just need a bit of logic to check whether the source_profile directive refers to itself when it does the check I ran into; if it is self-referential, then it's fine to set the credentials.

Workaround is just to comment out the line temporarily while setting the credentials.

Edit: https://github.com/99designs/aws-vault/blob/dd95b3a06939826d7dbea236f2000af3f9d8aeac/cli/add.go#L56 is the check in question.

ArkadyDR, Jan 07 '22 06:01
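The check suggested in the post above, sketched as an added example (not aws-vault's code and not part of the original issue). It assumes `include_profile` passes `source_profile` down to the including profile; the function names and the hop limit are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample: the issue's config without the output/region lines.
const sampleConfig = `[profile base]
source_profile=base
[profile role]
include_profile=base
role_arn=arn:aws:iam::############:role/################
`

// parseProfiles reads "[profile name]" sections and key=value lines; "#" lines are skipped.
func parseProfiles(cfg string) map[string]map[string]string {
	profiles, cur := map[string]map[string]string{}, ""
	for _, line := range strings.Split(cfg, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			cur = strings.TrimSpace(strings.TrimPrefix(strings.Trim(line, "[]"), "profile"))
			profiles[cur] = map[string]string{}
		} else if k, v, ok := strings.Cut(line, "="); ok && cur != "" && !strings.HasPrefix(line, "#") {
			profiles[cur][strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return profiles
}

// effectiveSource returns the source_profile that applies to name, following
// include_profile (assumed inheritance); the hop limit stops include cycles.
func effectiveSource(p map[string]map[string]string, name string) string {
	for hops := 0; name != "" && hops < 8; name, hops = p[name]["include_profile"], hops+1 {
		if src := p[name]["source_profile"]; src != "" {
			return src
		}
	}
	return ""
}

// canAdd is the rule suggested in the issue: refuse only when the credentials come from another profile.
func canAdd(p map[string]map[string]string, name string) bool {
	src := effectiveSource(p, name)
	return src == "" || src == name
}

func main() {
	fmt.Println(canAdd(parseProfiles(sampleConfig), "base"), canAdd(parseProfiles(sampleConfig), "role"))
}
```

With this rule the self-referential `base` profile accepts credentials, while `role`, which inherits `source_profile=base`, is still refused.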

This is still an issue in the current (v6.6.0) version of aws-vault.

Our current workaround process (using the base profile name above as an example):

  1. Add the [profile base] block as above, leaving the source_profile=base line commented out
  2. Add the account via aws-vault add base
  3. Uncomment the source_profile=base line

At this point, aws-vault exec base commands work successfully. It would be nice to not have to perform these additional manual steps, however.

bleachbyte, May 18 '22 22:05

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

github-actions[bot], Feb 21 '23 10:02