login: Allow non-temporary credentials from the environment #886
Conversation
christophetd
changed the title
christophetd
force-pushed
the
login-with-environment-variables
branch
2 times, most recently
from
e20d1e5 to
4786527
Compare
This sounds like the correct behaviour to me. aws-vault tries to be predictable. If the credentials in the environment aren't able to be used, then isn't that a user error that should display an error message? "Magic" behaviour I typically try to stay away from |
|
(but open to being convinced differently) |
|
I see it as:
So I see no reason to change this behavior if credentials are sourced from the environment. We aren't changing the way To make it more graphical, this is the current behavior: flowchart TB
A[aws-vault login] --> B{Profile name specified?}
B -->|Yes| C[Retrieve credentials from the keychain]
C --> D{Temporary credentials?}
D -->|No|F[Call sts:GetFederationToken to retrieve temporary credentials]
F --> E
D -->|Yes|E[Generate magic sign-in link using temporary credentials]
B -->|No| M[Read credentials from the environment]
M --> N{Temporary credentials?}
N -->|No|O[Error]
N -->|Yes|E
This PR changes the behavior so it becomes the same no matter whether credentials are sourced from the keychain or from the environment: flowchart TB
A[aws-vault login] --> B{Profile name specified?}
B -->|Yes| C[Retrieve credentials from the keychain]
B -->|No| M[Read credentials from the environment]
C --> D{Temporary credentials?}
M --> D
D -->|No|F[Call sts:GetFederationToken to retrieve temporary credentials]
F --> E
D -->|Yes|E[Generate magic sign-in link using temporary credentials]
|
christophetd
force-pushed
the
login-with-environment-variables
branch
2 times, most recently
from
869aa34 to
7847b9e
Compare
|
@mtibben What do you think of the above? The argument here is to make sure the behavior of |
|
@mtibben Any thoughts? I heard back from folks that this is the behavior they would expect |
|
If |
|
Note that aws-login is already generating temporary credentials automatically. The relevant existing parameters are: This PR is simply about making sure these are also generated when sourcing credentials from the environment rather than from the keychain. |
|
Fair enough, that's legit then! |
|
👋🏼 @mtibben Any feedback on the above! Looking forward to get this merged! |
christophetd
force-pushed
the
login-with-environment-variables
branch
from
7847b9e to
0d2c787
Compare
|
Now rebased on latest master, waiting to be merged. |
christophetd
force-pushed
the
login-with-environment-variables
branch
from
9f14dfb to
716009b
Compare
|
Rebased on latest |
christophetd
force-pushed
the
login-with-environment-variables
branch
from
716009b to
7de14f1
Compare
christophetd
force-pushed
the
login-with-environment-variables
branch
from
7de14f1 to
cdb9e3e
Compare
|
|
||
| return creds, nil | ||
| } | ||
|
|
There was a problem hiding this comment.
The logic here is not particularly clear to me.
Previously above we had a very clear section of code
if input.ProfileName == "" {
// When no profile is specified, source credentials from the environment
credsProvider = vault.NewEnvironmentCredentialsProvider()
} else {
// Use a profile from the AWS config file
ckr := &vault.CredentialKeyring{Keyring: keyring}
if config.HasRole() || config.HasSSOStartURL() {
// If AssumeRole or sso.GetRoleCredentials isn't used, GetFederationToken has to be used for IAM credentials
credsProvider, err = vault.NewTempCredentialsProvider(config, ckr)
} else {
credsProvider, err = vault.NewFederationTokenCredentialsProvider(input.ProfileName, ckr, config)
}
if err != nil {
return fmt.Errorf("profile %s: %w", input.ProfileName, err)
}
}This retrieveTemporaryCredsFromEnvironment function makes things less understandable by separating out a new codepath and generating federated tokens separately from this. So we end up with functions at different levels of abstraction
Is it possible for the main logic around this to stay in one place?
There was a problem hiding this comment.
Let me see what I can do!
The actual code path does not look like the diagram you posted |
|
If
If
So yes, it looks like the code path does have the logic I was pointing out above, unless I missed something? |
…rate a sign-in link The way AWS works is that you need a temporary token for it to work. Otherwise, it will show an "invalid credentials" message in the browser.
…n the environment
christophetd
force-pushed
the
login-with-environment-variables
branch
from
cdb9e3e to
bb837c8
Compare
|
Hey @christophetd, does #1150 work for you to resolve this issue? |
|
closing this PR as it's being addressed by #1150 |
f887580 fixed a bug introduced in 67d1aea that causes the AWS console to show "Invalid credentials" when running
aws-vault loginand only non-temporary credentials are available5798fba allows to use
aws-vault loginwhen credentials are in the environment, no matter their typests:GetFederationTokenis used to retrieve temporary credentials, then generate a sign-in linkThis has the nice consequence of being able to run
aws-vault loginat any time, no matter which type of credentials is available in your current shell