[login] allow to run aws-vault login with non-temporary credentials in the environment

christophetd · christophetd · commit 869aa34e221b · 2022-07-20T11:51:25.000+02:00
diff --git a/USAGE.md b/USAGE.md
@@ -307,11 +307,13 @@ You can use the `aws-vault login` command to open a browser window and login to
 $ aws-vault login work
 ```
 
-If you have temporary STS credentials already available in your environment, you can have aws-vault use these credentials to sign you in.
-This is useful when you had to use something else than aws-vault to retrieve temporary credentials:
+If you have credentials already available in your environment, you can have aws-vault use these credentials to sign you in.
+This is useful when you had to use something else than aws-vault to retrieve credentials:
 
 ```shell
-# AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN must be set in your environment prior to running the below
+# AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and optionally AWS_SESSION_TOKEN must be set in your environment prior to running the below
+# If AWS_SESSION_TOKEN is not set, a call to sts:GetFederationToken will be issued to retrieve temporary credentials, 
+# require to be able to generate a sign-in link to the AWS console
 $ aws-vault login
 ```
 
diff --git a/cli/login.go b/cli/login.go
@@ -92,13 +92,13 @@ func LoginCommand(input LoginCommandInput, f *vault.ConfigFile, keyring keyring.
 	}
 
 	var credsProvider aws.CredentialsProvider
+	var creds aws.Credentials
 
+	// Use a profile from the AWS config file
+	ckr := &vault.CredentialKeyring{Keyring: keyring}
 	if input.ProfileName == "" {
-		// When no profile is specified, source credentials from the environment
-		credsProvider = vault.NewEnvironmentCredentialsProvider()
+		creds, err = retrieveTemporaryCredsFromEnvironment(config)
 	} else {
-		// Use a profile from the AWS config file
-		ckr := &vault.CredentialKeyring{Keyring: keyring}
 		if config.HasRole() || config.HasSSOStartURL() {
 			// If AssumeRole or sso.GetRoleCredentials isn't used, GetFederationToken has to be used for IAM credentials
 			credsProvider, err = vault.NewTempCredentialsProvider(config, ckr)
@@ -108,22 +108,15 @@ func LoginCommand(input LoginCommandInput, f *vault.ConfigFile, keyring keyring.
 		if err != nil {
 			return fmt.Errorf("profile %s: %w", input.ProfileName, err)
 		}
+		creds, err = credsProvider.Retrieve(context.TODO())
 	}
 
-	creds, err := credsProvider.Retrieve(context.TODO())
 	if err != nil {
 		return fmt.Errorf("Failed to get credentials: %w", err)
 	}
 	if creds.AccessKeyID == "" && input.ProfileName == "" {
 		return fmt.Errorf("argument 'profile' not provided, nor any AWS env vars found. Try --help")
 	}
-	if creds.SessionToken == "" {
-		// When sourcing credentials from the environment, it's possible a session token wasn't set
-		// Generating a sign-in link requires temporary credentials, so we return an error
-		// NOTE: We deliberately chose to have this logic here rather than in 'EnvironmentVariablesCredentialsProvider'
-		// to make it possible to reuse it for other commands than `aws-vault login` in the future
-		return fmt.Errorf("failed to retrieve a session token. Cannot generate a login URL without it")
-	}
 
 	jsonBytes, err := json.Marshal(map[string]string{
 		"sessionId":    creds.AccessKeyID,
@@ -191,6 +184,39 @@ func LoginCommand(input LoginCommandInput, f *vault.ConfigFile, keyring keyring.
 	return nil
 }
 
+// retrieveTemporaryCredsFromEnvironment contains the logic to retrieve the proper credentials
+// from the environment.
+// - Case 1: Temporary credentials are available - these are directly returned
+// - Case 2: Non-temporary credentials are available. A call to sts:GetFederation is made, and the resulting temporary
+//			 credentials returned
+func retrieveTemporaryCredsFromEnvironment(config *vault.Config) (aws.Credentials, error) {
+	// When no profile is specified, source credentials from the environment
+	credsProvider := vault.NewEnvironmentCredentialsProvider()
+	creds, err := credsProvider.Retrieve(context.TODO())
+	if err != nil {
+		return aws.Credentials{}, fmt.Errorf("unable to find credentials in your environment")
+	}
+
+	// If the credentials we found in the environment aren't temporary,
+	// use sts:GetFederationToken to get temporary credentials
+	// allowing to generate a sign-in link.
+	// Non-temporary credentials cannot be used for this purpose
+	if creds.SessionToken == "" {
+		credsProvider, err := vault.NewFederationTokenCredentialsProviderFromCredentials(&creds, config)
+		if err != nil {
+			return aws.Credentials{}, err
+		}
+
+		creds, err = credsProvider.Retrieve(context.TODO())
+		if err != nil {
+			err = fmt.Errorf("non-temporary credentials found in your environment, and calling GetFederationToken resulted in: " + err.Error())
+			return aws.Credentials{}, err
+		}
+	}
+
+	return creds, nil
+}
+
 func generateLoginURL(region string, path string) (string, string) {
 	loginURLPrefix := "https://signin.aws.amazon.com/federation"
 	destination := "https://console.aws.amazon.com/"
diff --git a/go.mod b/go.mod
@@ -5,12 +5,13 @@ go 1.17
 require (
 	github.com/99designs/keyring v1.2.1
 	github.com/alecthomas/kingpin v0.0.0-20200323085623-b6657d9477a6
-	github.com/aws/aws-sdk-go-v2 v1.16.2
-	github.com/aws/aws-sdk-go-v2/config v1.15.3
-	github.com/aws/aws-sdk-go-v2/service/iam v1.18.3
-	github.com/aws/aws-sdk-go-v2/service/sso v1.11.3
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.12.3
-	github.com/aws/aws-sdk-go-v2/service/sts v1.16.3
+	github.com/aws/aws-sdk-go-v2 v1.15.0
+	github.com/aws/aws-sdk-go-v2/config v1.14.0
+	github.com/aws/aws-sdk-go-v2/credentials v1.9.0
+	github.com/aws/aws-sdk-go-v2/service/iam v1.18.0
+	github.com/aws/aws-sdk-go-v2/service/sso v1.11.0
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.12.0
+	github.com/aws/aws-sdk-go-v2/service/sts v1.15.0
 	github.com/google/go-cmp v0.5.7
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
 	golang.org/x/sys v0.0.0-20220204135822-1c1b9b1eba6a
@@ -22,13 +23,12 @@ require (
 	github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
 	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
 	github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.11.2 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.3 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.9 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.3 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.10 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.3 // indirect
-	github.com/aws/smithy-go v1.11.2 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.11.0 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.6 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.0 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.8.0 // indirect
+	github.com/aws/smithy-go v1.11.1 // indirect
 	github.com/danieljoos/wincred v1.1.2 // indirect
 	github.com/dvsekhvalnov/jose2go v1.5.0 // indirect
 	github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect
diff --git a/vault/vault.go b/vault/vault.go
@@ -10,6 +10,7 @@ import (
 	"github.com/99designs/aws-vault/v6/prompt"
 	"github.com/99designs/keyring"
 	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/credentials"
 	"github.com/aws/aws-sdk-go-v2/service/sso"
 	"github.com/aws/aws-sdk-go-v2/service/ssooidc"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
@@ -276,16 +277,29 @@ func NewFederationTokenCredentialsProvider(profileName string, k *CredentialKeyr
 	}
 
 	masterCreds := NewMasterCredentialsProvider(k, credentialsName)
-	cfg := NewAwsConfigWithCredsProvider(masterCreds, config.Region, config.STSRegionalEndpoints)
+	awsConfig := NewAwsConfigWithCredsProvider(masterCreds, config.Region, config.STSRegionalEndpoints)
 
-	currentUsername, err := GetUsernameFromSession(cfg)
+	return newFederationTokenCredentialsProvider(awsConfig, config)
+}
+
+func NewFederationTokenCredentialsProviderFromCredentials(creds *aws.Credentials, config *Config) (aws.CredentialsProvider, error) {
+	credentialsProvider := credentials.NewStaticCredentialsProvider(creds.AccessKeyID, creds.SecretAccessKey, "")
+	awsConfig := NewAwsConfigWithCredsProvider(credentialsProvider, config.Region, config.STSRegionalEndpoints)
+
+	return newFederationTokenCredentialsProvider(awsConfig, config)
+}
+
+// utility function to avoid code duplication
+// in NewFederationTokenCredentialsProvider and NewFederationTokenCredentialsProviderFromCredentials
+func newFederationTokenCredentialsProvider(awsConfig aws.Config, config *Config) (aws.CredentialsProvider, error) {
+	currentUsername, err := GetUsernameFromSession(awsConfig)
 	if err != nil {
 		return nil, err
 	}
 
 	log.Printf("Using GetFederationToken for credentials")
 	return &FederationTokenProvider{
-		StsClient: sts.NewFromConfig(cfg),
+		StsClient: sts.NewFromConfig(awsConfig),
 		Name:      currentUsername,
 		Duration:  config.GetFederationTokenDuration,
 	}, nil

-Original file line number
+Diff line change
 require (
 	github.com/99designs/keyring v1.2.1
 	github.com/alecthomas/kingpin v0.0.0-20200323085623-b6657d9477a6
 -	github.com/aws/aws-sdk-go-v2 v1.16.2
 -	github.com/aws/aws-sdk-go-v2/config v1.15.3
 -	github.com/aws/aws-sdk-go-v2/service/iam v1.18.3
 -	github.com/aws/aws-sdk-go-v2/service/sso v1.11.3
 -	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.12.3
 -	github.com/aws/aws-sdk-go-v2/service/sts v1.16.3
 +	github.com/aws/aws-sdk-go-v2 v1.15.0
 +	github.com/aws/aws-sdk-go-v2/config v1.14.0
 +	github.com/aws/aws-sdk-go-v2/credentials v1.9.0
 +	github.com/aws/aws-sdk-go-v2/service/iam v1.18.0
 +	github.com/aws/aws-sdk-go-v2/service/sso v1.11.0
 +	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.12.0
 +	github.com/aws/aws-sdk-go-v2/service/sts v1.15.0
 	github.com/google/go-cmp v0.5.7
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
 	golang.org/x/sys v0.0.0-20220204135822-1c1b9b1eba6a
 	github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
 	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
 	github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 // indirect
 -	github.com/aws/aws-sdk-go-v2/credentials v1.11.2 // indirect
 -	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.3 // indirect
 -	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.9 // indirect
 -	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.3 // indirect
 -	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.10 // indirect
 -	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.3 // indirect
 -	github.com/aws/smithy-go v1.11.2 // indirect
 +	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.11.0 // indirect
 +	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.6 // indirect
 +	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.0 // indirect
 +	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.6 // indirect
 +	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.8.0 // indirect
 +	github.com/aws/smithy-go v1.11.1 // indirect
 	github.com/danieljoos/wincred v1.1.2 // indirect
 	github.com/dvsekhvalnov/jose2go v1.5.0 // indirect
 	github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect