Merge pull request #1150 from 99designs/login-with-master-creds

mtibben · web-flow · commit f22295c33123 · 2023-02-21T20:05:39.000+11:00
Allow login with master creds in environment
diff --git a/USAGE.md b/USAGE.md
@@ -331,11 +331,12 @@ You can use the `aws-vault login` command to open a browser window and login to
 $ aws-vault login work
 ```
 
-If you have temporary STS credentials already available in your environment, you can have aws-vault use these credentials to sign you in.
-This is useful when you had to use something else than aws-vault to retrieve temporary credentials:
+If you have credentials already available in your environment, aws-vault will use these credentials to sign you in to the AWS console.
 
 ```shell
-# AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN must be set in your environment prior to running the below
+$ export AWS_ACCESS_KEY_ID=%%%
+$ export AWS_SECRET_ACCESS_KEY=%%%
+$ export AWS_SESSION_TOKEN=%%%
 $ aws-vault login
 ```
 
diff --git a/cli/login.go b/cli/login.go
@@ -15,6 +15,8 @@ import (
 	"github.com/99designs/keyring"
 	"github.com/alecthomas/kingpin"
 	"github.com/aws/aws-sdk-go-v2/aws"
+	awsconfig "github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials"
 	"github.com/skratchdot/open-golang/open"
 )
 
@@ -95,7 +97,17 @@ func LoginCommand(input LoginCommandInput, f *vault.ConfigFile, keyring keyring.
 
 	if input.ProfileName == "" {
 		// When no profile is specified, source credentials from the environment
-		credsProvider = vault.NewEnvironmentCredentialsProvider()
+		configFromEnv, err := awsconfig.NewEnvConfig()
+		if err != nil {
+			return fmt.Errorf("unable to authenticate to AWS through your environment variables: %w", err)
+		}
+		credsProvider = credentials.StaticCredentialsProvider{Value: configFromEnv.Credentials}
+		if configFromEnv.Credentials.SessionToken == "" {
+			credsProvider, err = vault.NewFederationTokenProvider(context.TODO(), credsProvider, config)
+			if err != nil {
+				return err
+			}
+		}
 	} else {
 		// Use a profile from the AWS config file
 		ckr := &vault.CredentialKeyring{Keyring: keyring}
diff --git a/go.mod b/go.mod
@@ -7,6 +7,7 @@ require (
 	github.com/alecthomas/kingpin v0.0.0-20200323085623-b6657d9477a6
 	github.com/aws/aws-sdk-go-v2 v1.17.4
 	github.com/aws/aws-sdk-go-v2/config v1.18.13
+	github.com/aws/aws-sdk-go-v2/credentials v1.13.13
 	github.com/aws/aws-sdk-go-v2/service/iam v1.19.2
 	github.com/aws/aws-sdk-go-v2/service/sso v1.12.2
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.2
@@ -22,7 +23,6 @@ require (
 	github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
 	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
 	github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.13.13 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.22 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.28 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.22 // indirect
diff --git a/vault/environmentvariablescredentialsprovider.go b/vault/environmentvariablescredentialsprovider.go
diff --git a/vault/vault.go b/vault/vault.go
@@ -274,9 +274,13 @@ func NewFederationTokenCredentialsProvider(ctx context.Context, profileName stri
 	if err != nil {
 		return nil, err
 	}
-
 	masterCreds := NewMasterCredentialsProvider(k, credentialsName)
-	cfg := NewAwsConfigWithCredsProvider(masterCreds, config.Region, config.STSRegionalEndpoints)
+
+	return NewFederationTokenProvider(ctx, masterCreds, config)
+}
+
+func NewFederationTokenProvider(ctx context.Context, credsProvider aws.CredentialsProvider, config *Config) (*FederationTokenProvider, error) {
+	cfg := NewAwsConfigWithCredsProvider(credsProvider, config.Region, config.STSRegionalEndpoints)
 
 	currentUsername, err := GetUsernameFromSession(ctx, cfg)
 	if err != nil {
@@ -291,10 +295,6 @@ func NewFederationTokenCredentialsProvider(ctx context.Context, profileName stri
 	}, nil
 }
 
-func NewEnvironmentCredentialsProvider() aws.CredentialsProvider {
-	return &EnvironmentVariablesCredentialsProvider{}
-}
-
 func FindMasterCredentialsNameFor(profileName string, keyring *CredentialKeyring, config *Config) (string, error) {
 	hasMasterCreds, err := keyring.Has(profileName)
 	if err != nil {

-Original file line number
+Diff line change
 	github.com/alecthomas/kingpin v0.0.0-20200323085623-b6657d9477a6
 	github.com/aws/aws-sdk-go-v2 v1.17.4
 	github.com/aws/aws-sdk-go-v2/config v1.18.13
 +	github.com/aws/aws-sdk-go-v2/credentials v1.13.13
 	github.com/aws/aws-sdk-go-v2/service/iam v1.19.2
 	github.com/aws/aws-sdk-go-v2/service/sso v1.12.2
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.2
 	github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
 	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
 	github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 // indirect
 -	github.com/aws/aws-sdk-go-v2/credentials v1.13.13 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.22 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.28 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.22 // indirect