aws-vault
Linux version of 6.6.0 always complains about specified keyring backend
- [x] I am using the latest release of AWS Vault
- [ ] I have provided my .aws/config (redacted if necessary)
- [x] I have provided the debug output using aws-vault --debug (redacted if necessary)
Homebrew is encountering this in the attempts to build 6.6.0
$ /home/linuxbrew/.linuxbrew/Cellar/aws-vault/6.6.0/bin/aws-vault login --debug 2>&1
2022/03/14 08:19:28 aws-vault 6.6.0-Homebrew
2022/03/14 08:19:28 [keyring] Considering backends: [keyctl]
2022/03/14 08:19:28 [keyring] Failed backend keyctl: accessing "" keyring failed: unknown scope ""
aws-vault: error: Specified keyring backend not available, try --help
As you can see in the command though, no backend is specified so it's odd that it's reporting that as unavailable.
This is a continuation of https://github.com/99designs/aws-vault/issues/889 with a clearer description of the problem that we're seeing in the Homebrew builds of this project.
This happens because Config.KeyCtlScope is never initialized and defaults to an empty string (which is not a valid option). So during the initialization getKeyringForScope fails with this "unknown scope %q". To my understanding, keyctl backend in 6.5 and 6.6 is unusable, as there is no way to provide the scope.
Based on the "Considering backends: [keyctl]" it looks like it was explicitly selected with AWS_VAULT_BACKEND (I assume this because there's no "file" backend listed, which should only happen if backend is explicitly set. Or, well, if the keyring library is patched). I've no idea what Homebrew does and why it tries to use this backend.
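The failure described in the comment above, reduced to a self-contained Go model: an unset scope field reaches the backend check as "" and the only candidate backend is rejected. This is an added example, not code from aws-vault or the keyring library; the Config type, the scope names and the default value are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Config is a hypothetical stand-in for the keyring configuration.
// The zero value of KeyCtlScope is "", which is what the debug log shows.
type Config struct {
	AllowedBackends []string
	KeyCtlScope     string
}

var errNoBackend = errors.New("Specified keyring backend not available")

// Scope names assumed for this example.
var validScopes = map[string]bool{"user": true, "session": true, "process": true, "thread": true}

// openBackend tries each candidate in order and records why each one failed.
func openBackend(cfg Config) (string, []string, error) {
	var failures []string
	for _, b := range cfg.AllowedBackends {
		if b == "keyctl" && !validScopes[cfg.KeyCtlScope] {
			err := fmt.Errorf("unknown scope %q", cfg.KeyCtlScope)
			failures = append(failures, fmt.Sprintf(
				"Failed backend %s: accessing %q keyring failed: %v", b, cfg.KeyCtlScope, err))
			continue
		}
		return b, failures, nil
	}
	return "", failures, errNoBackend
}

// withDefaults is the defensive step: never pass the zero value through.
func withDefaults(cfg Config) Config {
	if cfg.KeyCtlScope == "" {
		cfg.KeyCtlScope = "user" // assumed default, chosen for this example
	}
	return cfg
}

func main() {
	cfg := Config{AllowedBackends: []string{"keyctl"}} // constructed input
	_, why, err := openBackend(cfg)
	fmt.Println(why, err)
	b, _, err := openBackend(withDefaults(cfg))
	fmt.Println(b, err)
}
```

With a second candidate such as "file" in the list, the same zero-value scope is skipped over and the next backend is selected, so the error only surfaces when keyctl is the sole candidate.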
Homebrew doesn't try anything special. It builds using make and make install and after it just runs the command I posted without any environment variables set.
It appears to me that this is the default.
After updating WSL to Ubuntu 21.04 and reinstalling aws-vault using brew, this issue went away. It was present on Ubuntu 20.04.
I still ran into other issues though since I didn't have a GUI popup for the password input.
I ran into the same issue on Ubuntu 22.04:
$ aws-vault list
aws-vault: error: Specified keyring backend not available, try --help
$ aws-vault --debug exec test
2022/04/28 12:28:58 aws-vault v6.6.0
2022/04/28 12:28:58 Loading config file /home/marco/.aws/config
2022/04/28 12:28:58 Parsing config file /home/marco/.aws/config
2022/04/28 12:28:58 [keyring] Considering backends: [keyctl]
2022/04/28 12:28:58 [keyring] Failed backend keyctl: accessing "" keyring failed: unknown scope ""
aws-vault: error: Specified keyring backend not available, try --help
I installed aws-vault manually with the following commands:
wget https://github.com/99designs/aws-vault/releases/download/v6.6.0/aws-vault-linux-amd64
chmod +x ./aws-vault-linux-amd64
sudo mv aws-vault-linux-amd64 /usr/local/bin/aws-vault
It worked using --backend=pass after I initialized pass with a gpg key:
$ aws-vault list --backend=pass
Profile Credentials Sessions
======= =========== ========
default - -
- foo -
To avoid having to use --backend=pass, append the following line to your ~/.profile:
export AWS_VAULT_BACKEND=pass
You need to check what your keyring manager is, by installing a new one or using the default.
For me it worked on WSL 2 Ubuntu 20+.
Insert in your ~/.profile:
export AWS_VAULT_BACKEND=file
@nordras thank you, I am running in a docker container where I'd prefer to avoid installing extra keychain dependencies (keyctl, gnome-keyring, etc). What is the significance of setting the backend to file? I can't find it documented what that means... Is aws vault just writing my credentials to a plain text (or encrypted?) file? Thanks
It seems like the new versions of OSes based on UNIX already have a default keychain feature. It seems like it's writing the credentials to an encrypted config file; I saw these configurations by looking into the add function code. It has been some time since I did that, so I'm not 100% sure. @evbo, you're welcome!
So I just ran into this. It was working about a week or two ago, so no version update.
The trouble is that I have already added the credentials, and setting the backend to file will just leave it blank.
I do see this file modified a while ago: ~/.local/share/keyrings/awsvault.keyring
It appears the system has stopped using it?
$ aws-vault list --backend=secret-service --debug
2022/09/27 14:53:59 aws-vault 6.6.0-Homebrew
2022/09/27 14:53:59 [keyring] Considering backends: [secret-service]
2022/09/27 14:53:59 [keyring] Failed backend secret-service: Algorithm plain is not supported. (only dh-ietf1024-sha256-aes128-cbc-pkcs7 is supported)
aws-vault: error: Specified keyring backend not available, try --help
Maybe an update disabled plain as too insecure?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.