leapp icon indicating copy to clipboard operation
leapp copied to clipboard

Published 20 hours ago verified publisher icon Noovolari

[macOS] Constant "keychain access" prompt appears

Open yafanasiev opened this issue 2 years ago • 2 comments

Describe the bug Each time a session credentials are refreshed, a system popup asking for keychain access appears. It will continue to appear even if "Always allow" is selected.

Leapp Version 0.13.2

To Reproduce Steps to reproduce the behavior:

  1. Set "AWS credentials generation" method to "credential-process".
  2. Add a new AWS SSO integration with auth method "in-browser".
  3. Login to SSO integration.
  4. Start one of the synchronised sessions. Upon first request to AWS with this session, a system prompt for keychain access will appear. Enter system password and click on "Always allow".
  5. Wait for SSO session to end (without stopping the active session).
  6. Login to SSO integration again (without stopping the active session).
  7. Try to make a new request to AWS (e.g. aws cli command). Keychain prompt appears again.

Expected behavior Keychain prompt should only appear once if "Always allow" is selected. Screenshot 2022-08-05 at 18 29 41

Desktop (please complete the following information):

  • OS: MacOS Monterey 12.5 (M1)
  • Leapp Version: 0.13.2
  • Leapp CLI version: @noovolari/leapp-cli/0.1.16 darwin-x64 node-v16.16.0
  • Installation method: Homebrew

Additional context Same popup appears from time to time when clicking "login" from SSO integration, only this time it is not for node process (which is I assume is the Leapp CLI) but for "Leapp Helper (Renderer)" (which seems to be Electron). I tried setting the permission for Leapp entry in Keychain Access to "allow all" manually, but that did not work because apparently Leapp creates a new key each time. Now I understand that macOS security system is tricky and restrictive, but I would appreciate if this could be resolved or maybe there is a trick to work around it. I do like the Leapp CLI integration because I do not need to create profiles manually anymore for AWS CLI, but it is very annoying when you have a lot of session from SSO integration and need to type in password multiple time each day.

yafanasiev avatar Aug 05 '22 15:08 yafanasiev

Thanks for reporting. I dug in the electron documentation and found that could be a problem get/set operations from the renderer process, which could only happen with "credential-process" auth method. I'll check with @ericvilla and @urz9999

pethron avatar Aug 06 '22 11:08 pethron

Having this issue myself. I get the following prompts:

Screen Shot 2022-08-09 at 12 18 36 PM Screen Shot 2022-08-09 at 12 19 22 PM

bradj avatar Aug 09 '22 17:08 bradj

fixed in v0.14.2.

Closing this issue

andreacavagna01 avatar Aug 25 '22 15:08 andreacavagna01