[login] allow to run aws-vault login with non-temporary credentials in the environment

Author: christophetd

USAGE.md

@@ -307,11 +307,13 @@ You can use the `aws-vault login` command to open a browser window and login to
 $ aws-vault login work
 ```
 
-If you have temporary STS credentials already available in your environment, you can have aws-vault use these credentials to sign you in.
-This is useful when you had to use something else than aws-vault to retrieve temporary credentials:
+If you have credentials already available in your environment, you can have aws-vault use these credentials to sign you in.
+This is useful when you had to use something else than aws-vault to retrieve credentials:
 
 ```shell
-# AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN must be set in your environment prior to running the below
+# AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and optionally AWS_SESSION_TOKEN must be set in your environment prior to running the below
+# If AWS_SESSION_TOKEN is not set, a call to sts:GetFederationToken will be issued to retrieve temporary credentials, 
+# require to be able to generate a sign-in link to the AWS console
 $ aws-vault login
 ```
 

cli/login.go

@@ -92,13 +92,13 @@ func LoginCommand(input LoginCommandInput, f *vault.ConfigFile, keyring keyring.
 	}
 
 	var credsProvider aws.CredentialsProvider
+	var creds aws.Credentials
 
+	// Use a profile from the AWS config file
+	ckr := &vault.CredentialKeyring{Keyring: keyring}
 	if input.ProfileName == "" {
-		// When no profile is specified, source credentials from the environment
-		credsProvider = vault.NewEnvironmentCredentialsProvider()
+		creds, err = retrieveTemporaryCredsFromEnvironment(config)
 	} else {
-		// Use a profile from the AWS config file
-		ckr := &vault.CredentialKeyring{Keyring: keyring}
 		if config.HasRole() || config.HasSSOStartURL() {
 			// If AssumeRole or sso.GetRoleCredentials isn't used, GetFederationToken has to be used for IAM credentials
 			credsProvider, err = vault.NewTempCredentialsProvider(config, ckr)
@@ -108,22 +108,15 @@ func LoginCommand(input LoginCommandInput, f *vault.ConfigFile, keyring keyring.
 		if err != nil {
 			return fmt.Errorf("profile %s: %w", input.ProfileName, err)
 		}
+		creds, err = credsProvider.Retrieve(context.TODO())
 	}
 
-	creds, err := credsProvider.Retrieve(context.TODO())
 	if err != nil {
 		return fmt.Errorf("Failed to get credentials: %w", err)
 	}
 	if creds.AccessKeyID == "" && input.ProfileName == "" {
 		return fmt.Errorf("argument 'profile' not provided, nor any AWS env vars found. Try --help")
 	}
-	if creds.SessionToken == "" {
-		// When sourcing credentials from the environment, it's possible a session token wasn't set
-		// Generating a sign-in link requires temporary credentials, so we return an error
-		// NOTE: We deliberately chose to have this logic here rather than in 'EnvironmentVariablesCredentialsProvider'
-		// to make it possible to reuse it for other commands than `aws-vault login` in the future
-		return fmt.Errorf("failed to retrieve a session token. Cannot generate a login URL without it")
-	}
 
 	jsonBytes, err := json.Marshal(map[string]string{
 		"sessionId":    creds.AccessKeyID,
@@ -191,6 +184,39 @@ func LoginCommand(input LoginCommandInput, f *vault.ConfigFile, keyring keyring.
 	return nil
 }
 
+// retrieveTemporaryCredsFromEnvironment contains the logic to retrieve the proper credentials
+// from the environment.
+// - Case 1: Temporary credentials are available - these are directly returned
+// - Case 2: Non-temporary credentials are available. A call to sts:GetFederation is made, and the resulting temporary
+//			 credentials returned
+func retrieveTemporaryCredsFromEnvironment(config *vault.Config) (aws.Credentials, error) {
+	// When no profile is specified, source credentials from the environment
+	credsProvider := vault.NewEnvironmentCredentialsProvider()
+	creds, err := credsProvider.Retrieve(context.TODO())
+	if err != nil {
+		return aws.Credentials{}, fmt.Errorf("unable to find credentials in your environment")
+	}
+
+	// If the credentials we found in the environment aren't temporary,
+	// use sts:GetFederationToken to get temporary credentials
+	// allowing to generate a sign-in link.
+	// Non-temporary credentials cannot be used for this purpose
+	if creds.SessionToken == "" {
+		credsProvider, err := vault.NewFederationTokenCredentialsProviderFromCredentials(&creds, config)
+		if err != nil {
+			return aws.Credentials{}, err
+		}
+
+		creds, err = credsProvider.Retrieve(context.TODO())
+		if err != nil {
+			err = fmt.Errorf("non-temporary credentials found in your environment, and calling GetFederationToken resulted in: " + err.Error())
+			return aws.Credentials{}, err
+		}
+	}
+
+	return creds, nil
+}
+
 func generateLoginURL(region string, path string) (string, string) {
 	loginURLPrefix := "https://signin.aws.amazon.com/federation"
 	destination := "https://console.aws.amazon.com/"

go.mod

@@ -5,12 +5,13 @@ go 1.17
 require (
 	github.com/99designs/keyring v1.2.1
 	github.com/alecthomas/kingpin v0.0.0-20200323085623-b6657d9477a6
-	github.com/aws/aws-sdk-go-v2 v1.16.2
-	github.com/aws/aws-sdk-go-v2/config v1.15.3
-	github.com/aws/aws-sdk-go-v2/service/iam v1.18.3
-	github.com/aws/aws-sdk-go-v2/service/sso v1.11.3
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.12.3
-	github.com/aws/aws-sdk-go-v2/service/sts v1.16.3
+	github.com/aws/aws-sdk-go-v2 v1.15.0
+	github.com/aws/aws-sdk-go-v2/config v1.14.0
+	github.com/aws/aws-sdk-go-v2/credentials v1.9.0
+	github.com/aws/aws-sdk-go-v2/service/iam v1.18.0
+	github.com/aws/aws-sdk-go-v2/service/sso v1.11.0
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.12.0
+	github.com/aws/aws-sdk-go-v2/service/sts v1.15.0
 	github.com/google/go-cmp v0.5.7
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
 	golang.org/x/sys v0.0.0-20220204135822-1c1b9b1eba6a
@@ -22,13 +23,12 @@ require (
 	github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
 	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
 	github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.11.2 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.3 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.9 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.3 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.10 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.3 // indirect
-	github.com/aws/smithy-go v1.11.2 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.11.0 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.6 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.0 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.8.0 // indirect
+	github.com/aws/smithy-go v1.11.1 // indirect
 	github.com/danieljoos/wincred v1.1.2 // indirect
 	github.com/dvsekhvalnov/jose2go v1.5.0 // indirect
 	github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect

go.sum

@@ -10,36 +10,37 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuy
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 h1:s6gZFSlWYmbqAuRjVTiNNhvNRfY2Wxp9nhfyel4rklc=
 github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE=
+github.com/aws/aws-sdk-go-v2 v1.14.0/go.mod h1:ZA3Y8V0LrlWj63MQAnRHgKf/5QB//LSZCPNWlWrNGLU=
+github.com/aws/aws-sdk-go-v2 v1.15.0 h1:f9kWLNfyCzCB43eupDAk3/XgJ2EpgktiySD6leqs0js=
 github.com/aws/aws-sdk-go-v2 v1.15.0/go.mod h1:lJYcuZZEHWNIb6ugJjbQY1fykdoobWbOS7kJYb4APoI=
-github.com/aws/aws-sdk-go-v2 v1.16.2 h1:fqlCk6Iy3bnCumtrLz9r3mJ/2gUT0pJ0wLFVIdWh+JA=
-github.com/aws/aws-sdk-go-v2 v1.16.2/go.mod h1:ytwTPBG6fXTZLxxeeCCWj2/EMYp/xDUgX+OET6TLNNU=
-github.com/aws/aws-sdk-go-v2/config v1.15.3 h1:5AlQD0jhVXlGzwo+VORKiUuogkG7pQcLJNzIzK7eodw=
-github.com/aws/aws-sdk-go-v2/config v1.15.3/go.mod h1:9YL3v07Xc/ohTsxFXzan9ZpFpdTOFl4X65BAKYaz8jg=
-github.com/aws/aws-sdk-go-v2/credentials v1.11.2 h1:RQQ5fzclAKJyY5TvF+fkjJEwzK4hnxQCLOu5JXzDmQo=
-github.com/aws/aws-sdk-go-v2/credentials v1.11.2/go.mod h1:j8YsY9TXTm31k4eFhspiQicfXPLZ0gYXA50i4gxPE8g=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.3 h1:LWPg5zjHV9oz/myQr4wMs0gi4CjnDN/ILmyZUFYXZsU=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.3/go.mod h1:uk1vhHHERfSVCUnqSqz8O48LBYDSC+k6brng09jcMOk=
+github.com/aws/aws-sdk-go-v2/config v1.14.0 h1:Yr8/7R6H8nqqfqgLATrcB83ax6FE2HcDXEB54XPhE98=
+github.com/aws/aws-sdk-go-v2/config v1.14.0/go.mod h1:GKDRrvsq/PTaOYc9252u8Uah1hsIdtor4oIrFvUNPNM=
+github.com/aws/aws-sdk-go-v2/credentials v1.9.0 h1:R3Q5s1uGLUg0aUzi+oRaUqRXhd17G/9+PiVnAwXp4sY=
+github.com/aws/aws-sdk-go-v2/credentials v1.9.0/go.mod h1:PyHKqk/+tJuDY7T8R580S1j/AcSD+ODeUZ99CAUKLqQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.11.0 h1:CkM4d3lNeMXMZ0BDX3BtCktnKA1Ftud84Hb6d+Ix4Rk=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.11.0/go.mod h1:rwdUKJV5rm+vHu1ncD1iGDqahBEL8O0tBjVqo9eO2N0=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.5/go.mod h1:2hXc8ooJqF2nAznsbJQIn+7h851/bu8GVC80OVTTqf8=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.6 h1:xiGjGVQsem2cxoIX61uRGy+Jux2s9C/kKbTrWLdrU54=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.6/go.mod h1:SSPEdf9spsFgJyhjrXvawfpyzrXHBCUe+2eQ1CjC1Ak=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.9 h1:onz/VaaxZ7Z4V+WIN9Txly9XLTmoOh1oJ8XcAC3pako=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.9/go.mod h1:AnVH5pvai0pAF4lXRq0bmhbes1u9R8wTE+g+183bZNM=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.3.0/go.mod h1:miRSv9l093jX/t/j+mBCaLqFHo9xKYzJ7DGm1BsGoJM=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.0 h1:bt3zw79tm209glISdMRCIVRCwvSDXxgAxh5KWe2qHkY=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.0/go.mod h1:viTrxhAuejD+LszDahzAE2x40YjYWhMqzHxv2ZiWaME=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.3 h1:9stUQR/u2KXU6HkFJYlqnZEjBnbgrVbG6I5HN09xZh0=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.3/go.mod h1:ssOhaLpRlh88H3UmEcsBoVKq309quMvm3Ds8e9d4eJM=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.3.10 h1:by9P+oy3P/CwggN4ClnW2D4oL91QV7pBzBICi1chZvQ=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.3.10/go.mod h1:8DcYQcz0+ZJaSxANlHIsbbi6S+zMwjwdDqwW3r9AzaE=
-github.com/aws/aws-sdk-go-v2/service/iam v1.18.3 h1:wllKL2fLtvfaNAVbXKMRmM/mD1oDNw0hXmDn8mE/6Us=
-github.com/aws/aws-sdk-go-v2/service/iam v1.18.3/go.mod h1:51xGfEjd1HXnTzw2mAp++qkRo+NyGYblZkuGTsb49yw=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.3 h1:Gh1Gpyh01Yvn7ilO/b/hr01WgNpaszfbKMUgqM186xQ=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.3/go.mod h1:wlY6SVjuwvh3TVRpTqdy4I1JpBFLX4UGeKZdWntaocw=
-github.com/aws/aws-sdk-go-v2/service/sso v1.11.3 h1:frW4ikGcxfAEDfmQqWgMLp+F1n4nRo9sF39OcIb5BkQ=
-github.com/aws/aws-sdk-go-v2/service/sso v1.11.3/go.mod h1:7UQ/e69kU7LDPtY40OyoHYgRmgfGM4mgsLYtcObdveU=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.12.3 h1:Sz69LcNwUgqpso47UM47ZoyX+DJ2oN/0NykiMokBk4o=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.12.3/go.mod h1:SkOxNZFD2bxcGrQzwac0ZTC9ewY8+3tWgMD8LyqM8mU=
-github.com/aws/aws-sdk-go-v2/service/sts v1.16.3 h1:cJGRyzCSVwZC7zZZ1xbx9m32UnrKydRYhOvcD1NYP9Q=
-github.com/aws/aws-sdk-go-v2/service/sts v1.16.3/go.mod h1:bfBj0iVmsUyUg4weDB4NxktD9rDGeKSVWnjTnwbx9b8=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.6 h1:c8s9EhIPVFMFS+R1+rtEghGrf7v83gSUWbcCYX/OPes=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.6/go.mod h1:o1ippSg3yJx5EuT4AOGXJCUcmt5vrcxla1cg6K1Q8Iw=
+github.com/aws/aws-sdk-go-v2/service/iam v1.18.0 h1:ZYpP40/QE7/R0zDxdrZyGGUijX26iB+Pint/NYzF/tQ=
+github.com/aws/aws-sdk-go-v2/service/iam v1.18.0/go.mod h1:9wRsXAkRJ7qBWIDTFYa66Cx+oQJsPEnBYCPrinanpS8=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.8.0 h1:JNMALY8/ZnFsfAzBHtC4gq8JeZPANmIoI2VaBgYzbf8=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.8.0/go.mod h1:rBDLgXDAwHOfxZKLRDl8OGTPzFDC+a2pLqNNj8+QwfI=
+github.com/aws/aws-sdk-go-v2/service/sso v1.10.0/go.mod h1:m1CRRFX7eH3EE6w0ntdu+lo+Ph9VS7y8qRV/vdym0ZY=
+github.com/aws/aws-sdk-go-v2/service/sso v1.11.0 h1:gZLEXLH6NiU8Y52nRhK1jA+9oz7LZzBK242fi/ziXa4=
+github.com/aws/aws-sdk-go-v2/service/sso v1.11.0/go.mod h1:d1WcT0OjggjQCAdOkph8ijkr5sUwk1IH/VenOn7W1PU=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.12.0 h1:4XqJtMG9sCqgmOpZXaZ7hP3pMi4xFvQgld5Ii4qQfUU=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.12.0/go.mod h1:tA3OAtm58sKX67hc188WPbcIgJpnPMDXC0R+3qRmBbs=
+github.com/aws/aws-sdk-go-v2/service/sts v1.15.0 h1:zC/vHxWTlqZ0tIPJItg0zWHsa25cH7tXsUknSGcH39o=
+github.com/aws/aws-sdk-go-v2/service/sts v1.15.0/go.mod h1:E264g2Gl5U9KTGzmd8ypGEAoh75VmqyuA/Ox5O1eRE4=
+github.com/aws/smithy-go v1.11.0/go.mod h1:3xHYmszWVx2c0kIwQeEVf9uSm4fYZt67FBJnwub1bgM=
+github.com/aws/smithy-go v1.11.1 h1:IQ+lPZVkSM3FRtyaDox41R8YS6iwPMYIreejOgPW49g=
 github.com/aws/smithy-go v1.11.1/go.mod h1:3xHYmszWVx2c0kIwQeEVf9uSm4fYZt67FBJnwub1bgM=
-github.com/aws/smithy-go v1.11.2 h1:eG/N+CcUMAvsdffgMvjMKwfyDzIkjM6pfxMJ8Mzc6mE=
-github.com/aws/smithy-go v1.11.2/go.mod h1:3xHYmszWVx2c0kIwQeEVf9uSm4fYZt67FBJnwub1bgM=
 github.com/danieljoos/wincred v1.1.2 h1:QLdCxFs1/Yl4zduvBdcHB8goaYk9RARS2SgLLRuAyr0=
 github.com/danieljoos/wincred v1.1.2/go.mod h1:GijpziifJoIBfYh+S7BbkdUTU4LfM+QnGqR5Vl2tAx0=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

vault/vault.go

@@ -10,6 +10,7 @@ import (
 	"github.com/99designs/aws-vault/v6/prompt"
 	"github.com/99designs/keyring"
 	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/credentials"
 	"github.com/aws/aws-sdk-go-v2/service/sso"
 	"github.com/aws/aws-sdk-go-v2/service/ssooidc"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
@@ -276,16 +277,29 @@ func NewFederationTokenCredentialsProvider(profileName string, k *CredentialKeyr
 	}
 
 	masterCreds := NewMasterCredentialsProvider(k, credentialsName)
-	cfg := NewAwsConfigWithCredsProvider(masterCreds, config.Region, config.STSRegionalEndpoints)
+	awsConfig := NewAwsConfigWithCredsProvider(masterCreds, config.Region, config.STSRegionalEndpoints)
 
-	currentUsername, err := GetUsernameFromSession(cfg)
+	return newFederationTokenCredentialsProvider(awsConfig, config)
+}
+
+func NewFederationTokenCredentialsProviderFromCredentials(creds *aws.Credentials, config *Config) (aws.CredentialsProvider, error) {
+	credentialsProvider := credentials.NewStaticCredentialsProvider(creds.AccessKeyID, creds.SecretAccessKey, "")
+	awsConfig := NewAwsConfigWithCredsProvider(credentialsProvider, config.Region, config.STSRegionalEndpoints)
+
+	return newFederationTokenCredentialsProvider(awsConfig, config)
+}
+
+// utility function to avoid code duplication
+// in NewFederationTokenCredentialsProvider and NewFederationTokenCredentialsProviderFromCredentials
+func newFederationTokenCredentialsProvider(awsConfig aws.Config, config *Config) (aws.CredentialsProvider, error) {
+	currentUsername, err := GetUsernameFromSession(awsConfig)
 	if err != nil {
 		return nil, err
 	}
 
 	log.Printf("Using GetFederationToken for credentials")
 	return &FederationTokenProvider{
-		StsClient: sts.NewFromConfig(cfg),
+		StsClient: sts.NewFromConfig(awsConfig),
 		Name:      currentUsername,
 		Duration:  config.GetFederationTokenDuration,
 	}, nil