aws-vault
Rebooted My Laptop and Can No Longer Log In
I am using the latest release of AWS Vault (6.4.0)
I have provided my .aws/config (redacted if necessary)
I have provided the debug output using aws-vault --debug (redacted if necessary)
$ aws-vault clear organization-me
Cleared 1 sessions.
$ aws-vault --debug exec organization-ua sts get-caller-identity
2022/01/22 11:27:29 aws-vault 6.4.0
2022/01/22 11:27:29 Loading config file /home/me/.aws/config
2022/01/22 11:27:29 Parsing config file /home/me/.aws/config
2022/01/22 11:27:29 [keyring] Considering backends: [secret-service]
2022/01/22 11:27:29 profile organization-me: using stored credentials
2022/01/22 11:27:29 profile organization-me: using GetSessionToken (with MFA)
2022/01/22 11:27:29 profile organization-ua: using AssumeRole (chained MFA)
Enter MFA code for arn:aws:iam::111111111111:mfa/me: 111111
2022/01/22 11:27:43 Looking up keyring for 'organization-me'
2022/01/22 11:27:43 Generated credentials ****************ABCD using GetSessionToken, expires in 7h59m59.249730571s
aws-vault: error: exec: Failed to get credentials for organization-ua: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: <some-id>, api error AccessDenied: User: arn:aws:iam::111111111111:user/me is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111111:role/MySpecialRole
[default]
region = us-east-1
output = json
[profile organization-me]
mfa_serial = arn:aws:iam::111111111111:mfa/me
[profile organization-ua]
source_profile = organization-me
role_session_name_ = organization-ua
role_arn = arn:aws:iam::111111111111:role/MySpecialRole
mfa_serial = arn:aws:iam::111111111111:mfa/me
Everything worked fine yesterday. After I rebooted my PC (Fedora 35) this morning, I can't log in via aws-vault anymore. I am able to log in and assume the role just fine from the console. I am not sure how to debug what is going on here.
I'm having the exact same issue. Everything seems to be configured correctly but AWS Vault is telling me that my user is not authorized to assume the role. I can do it in AWS Console just fine, so I'm lost as to what's causing this.
AccessDenied: User: arn:aws:iam::111111111111:user/me is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111111:role/MySpecialRole
aws-vault wouldn't be able to fix an issue where an IAM user isn't allowed to assume a role. Make sure that you are authorised to assume the target role.
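One way to act on the advice above, as an added example that is not part of the original thread or of aws-vault: inspect the role's trust policy offline and list which statements cover `sts:AssumeRole` for the calling user, what conditions they carry, and whether an identity policy on the user is also required. The policy document below is constructed for illustration, and the function names are hypothetical.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample, shaped like the document returned by
# `aws iam get-role --role-name MySpecialRole --query Role.AssumeRolePolicyDocument`.
# The statements are invented; only the redacted account ID comes from the thread.
SAMPLE_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Effect": "Allow",
     "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}
  ]
}""")

def as_list(value):
    """IAM allows a single value or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def match_principal(principal, caller_arn):
    """Return 'direct', 'account' or None for how a statement names the caller."""
    if principal == "*":
        return "direct"
    _, partition, _, _, account = caller_arn.split(":")[:5]
    entries = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    if caller_arn in entries or "*" in entries:
        return "direct"
    if account in entries or f"arn:{partition}:iam::{account}:root" in entries:
        return "account"
    return None

def trust_statements_for(policy, caller_arn):
    """List the trust-policy statements that cover sts:AssumeRole for this caller."""
    found = []
    for stmt in as_list(policy["Statement"]):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        how = match_principal(stmt.get("Principal", {}), caller_arn)
        if how and any(fnmatchcase("sts:assumerole", a) for a in actions):
            found.append({
                "effect": stmt["Effect"],
                "conditions": stmt.get("Condition", {}),
                # Account-level principal only delegates; the user still needs an identity policy.
                "needs_identity_policy": how == "account",
            })
    return found
```

An empty result means the trust policy does not name the caller at all. A result with `needs_identity_policy` set means the user's own IAM policies must also allow `sts:AssumeRole` on the role, and any listed condition must hold for the session that makes the call.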