
aws-vault's People

Contributors

adrienkohlbecker, alexrudd, alindeman, chrismazanec, crashgoboom, dependabot[bot], dgoodlad, dustydecapod, frezbo, gatsbys, gregwebs, gsterjov, joho, jolexa, jstewmon, lox, mtibben, onnos, pda, porty, reegnz, rekahsoft, rickardl, rossmckelvie, scottrigby, sftim, simpson-ross, stanvit, tekumara, vroad


aws-vault's Issues

IAM calls fail with "The security token included in the request is invalid" without MFA

Support request to AWS:

I'm trying to debug a problem where calls to iam get-user fail with "A client error (InvalidClientTokenId) occurred when calling the GetUser operation: The security token included in the request is invalid". 

The user I am using is `lachlan.donald`, which has `ReadOnly` access. I'm using session token credentials that I get via `aws iam get-session-token`. Note that whilst my account has an MFA, I'm not providing a code.

When I subsequently call `aws iam get-user --user-name lachlan.donald` I get the above error. Other commands, such as `aws ec2 describe-instances` work fine. Any ideas?

Profiles not being listed

Running aws-vault ls is always outputting "No credentials found". I assume this should be listing profiles that I've added into the vault.

bash completion of exec command

we use make a lot at work. It has nice bash completion for its tasks.

Execing it with aws-vault exec <profile> make sure works great! thanks for the plugin!
But it breaks the completion.

I researched and came across _command_offset in bash_completion.
It is used by sudo to achieve something similar.

Maybe it can inspire you :)

Keychain file names changed on macOS 10.12 (beta)

The names given to keychains in ~/Library/Keychains have changed to have the extension .keychain-db rather than .keychain on beta versions of macOS 10.12.

While running aws-vault add for the first time works correctly, subsequent operations (e.g. aws-vault exec) will not find credentials, and will never even request access to the keychain file. The file that was created is ~/Library/Keychains/aws-vault.keychain-db, despite debug output during aws-vault add saying it was opening ~/Library/Keychains/aws-vault.keychain.

I had a poke around and modified keychain.go:44 to open the .keychain-db file instead. This works, but not consistently. aws-vault add now explodes.

To work around the issue, I ended up reverting that change, and symlinked .keychain-db to .keychain:

$ ls -l ~/Library/Keychains/aws-vault*
lrwxr-xr-x  1 dgoodlad  staff     21 20 Aug 14:07 /Users/dgoodlad/Library/Keychains/aws-vault.keychain -> aws-vault.keychain-db
-rw-r--r--  1 dgoodlad  staff  24668 20 Aug 14:50 /Users/dgoodlad/Library/Keychains/aws-vault.keychain-db

I'm not nearly familiar enough with what's going on here to work out the issue quickly, so I'm opening this issue to at least document what I know.

Instance Metadata server complicates process model

Introducing the Instance Metadata server in #26 meant replacing syscall.Exec with exec.Command().Run(); the former replaces the current aws-vault process with the command being executed, the latter runs it as a child process. This introduces lots of complexity and downsides:

  • The pid of the command being executed is different to the PID that the shell saw launched.
  • Signal handling needs to be managed.
  • Exit status needs to be captured and passed through.
  • The proctitle remains aws-vault rather than that of the command being executed.
    • Go doesn't support reading/writing proctitle without using barely maintained third-party libs.

This isn't a call-to-action issue, just highlighting some of the downsides alongside discussion in #43 etc.
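As an added illustration (not aws-vault's own code), here is what the exec.Command model described above costs in practice: a minimal Go wrapper that runs the command as a child, forwards the signals the shell would otherwise deliver only to the parent, and passes the child's exit status back out. The `runChild` name is mine; the PID and proctitle points have no clean fix in Go, as the issue notes.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"os/signal"
	"syscall"
)

// runChild runs name with args as a child process (the exec.Command model),
// forwarding SIGINT/SIGTERM/SIGHUP to the child and returning the child's exit
// status so the parent can exit with it. With syscall.Exec none of this would
// be needed, because the kernel would deliver signals and report the status
// for the replaced process directly.
func runChild(name string, args ...string) (int, error) {
	cmd := exec.Command(name, args...)
	cmd.Stdin = os.Stdin
	cmd.Stdout = os.Stdout
	cmd.Stderr = os.Stderr

	if err := cmd.Start(); err != nil {
		return -1, err
	}

	// Ctrl-C in the terminal is delivered to the parent (aws-vault); relay it
	// to the child, otherwise the child keeps running after the parent dies.
	sigs := make(chan os.Signal, 1)
	signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM, syscall.SIGHUP)
	defer signal.Stop(sigs)
	done := make(chan struct{})
	go func() {
		for {
			select {
			case sig := <-sigs:
				_ = cmd.Process.Signal(sig)
			case <-done:
				return
			}
		}
	}()

	err := cmd.Wait()
	close(done)

	if err == nil {
		return 0, nil
	}
	var exitErr *exec.ExitError
	if errors.As(err, &exitErr) {
		// The child ran but exited non-zero or was killed by a signal.
		if ws, ok := exitErr.Sys().(syscall.WaitStatus); ok && ws.Signaled() {
			// Conventional shell encoding for a signal death: 128 + signal number.
			return 128 + int(ws.Signal()), nil
		}
		return exitErr.ExitCode(), nil
	}
	// Anything else (e.g. I/O error) is a failure of the wrapper itself.
	return -1, err
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: runchild CMD [ARGS...]")
		os.Exit(2)
	}
	code, err := runChild(os.Args[1], os.Args[2:]...)
	if err != nil {
		fmt.Fprintln(os.Stderr, "runchild:", err)
		os.Exit(1)
	}
	os.Exit(code)
}
```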

Automatic key rotation

Feature request

Key rotation is one of the most awesome features of this tool. Best practice could be made zero-effort if we could enable automatic key rotation for either the entire vault (would work for me), or individual keys.

Easiest implementation would be to rotate a key (or all keys) on first use of aws-vault in any day (for daily rotation which is what Google recommends). Also, if the entire vault is set for key rotation then any new keys could also be rotated when added, thereby ensuring if they had 'leaked' while being sent to the person entering them that the window for compromise is very small.

At the moment I have a process which checks the age of keys in our account and I then have to go and bug our devops ppl. This feature would greatly reduce that.

Also, key rotation is not mentioned in the README.

panic on login

Using aws-vault 3.7.0

$ aws-vault login home
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x4006cd2]

goroutine 1 [running]:
panic(0x447f2a0, 0xc4200120d0)
	/usr/local/Cellar/go/1.7.5/libexec/src/runtime/panic.go:500 +0x1a1
main.getUserName(0xc420131520, 0x14, 0xc420136690, 0x28, 0x0, 0x0, 0x0, 0x0, 0xc420116a00, 0x47, ...)
	/Users/michael/src/github.com/99designs/aws-vault/login.go:204 +0x202
main.getFederationToken(0xc420131520, 0x14, 0xc420136690, 0x28, 0x0, 0x0, 0x0, 0x0, 0x274a48a78000, 0x0, ...)
	/Users/michael/src/github.com/99designs/aws-vault/login.go:182 +0x364
main.LoginCommand(0xc4200b8870, 0x7fff5fbff4c0, 0x4, 0x476c920, 0xc420113860, 0x0, 0x0, 0x45465b0, 0x0, 0x274a48a78000, ...)
	/Users/michael/src/github.com/99designs/aws-vault/login.go:76 +0x1967
main.configureLoginCommand.func1(0xc42009ce10, 0x402349a, 0x448c7a0)
	/Users/michael/src/github.com/99designs/aws-vault/main.go:181 +0xb5
github.com/99designs/aws-vault/vendor/gopkg.in/alecthomas/kingpin%2ev2.(*actionMixin).applyActions(0xc4200b6498, 0xc42009ce10, 0x0, 0x0)
	/Users/michael/src/github.com/99designs/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2/actions.go:28 +0x58
github.com/99designs/aws-vault/vendor/gopkg.in/alecthomas/kingpin%2ev2.(*Application).applyActions(0xc4200b8870, 0xc42009ce10, 0x0, 0x0)
	/Users/michael/src/github.com/99designs/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2/app.go:554 +0x126
github.com/99designs/aws-vault/vendor/gopkg.in/alecthomas/kingpin%2ev2.(*Application).execute(0xc4200b8870, 0xc42009ce10, 0xc420013fd0, 0x1, 0x1, 0x0, 0x0, 0x1, 0xc4200e72c0)
	/Users/michael/src/github.com/99designs/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2/app.go:390 +0x8f
github.com/99designs/aws-vault/vendor/gopkg.in/alecthomas/kingpin%2ev2.(*Application).Parse(0xc4200b8870, 0xc42000c160, 0x2, 0x2, 0x1, 0xc42002e180, 0x0, 0x1)
	/Users/michael/src/github.com/99designs/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2/app.go:222 +0x202
main.run(0xc42000c160, 0x2, 0x2, 0x4546da8)
	/Users/michael/src/github.com/99designs/aws-vault/main.go:239 +0x9e2
main.main()
	/Users/michael/src/github.com/99designs/aws-vault/main.go:245 +0x72

main.profileConfig: panic: assignment to entry in nil map

Added a second access key:

pda@paulbook ~ ⸩ aws-vault add pda
Enter Access Key ID: AKI…PFQ
Enter Secret Access Key:
Added credentials to profile "pda" in vault

aws-vault exec crashes attempting to use it:

pda@paulbook ~ ⸩ aws-vault exec pda -- env
panic: assignment to entry in nil map

goroutine 1 [running]:
main.profileConfig(0x7fff5fbffb2f, 0x3, 0x4f04a60, 0x0, 0x0)
        /Users/pda/code/go/src/github.com/99designs/aws-vault/exec.go:104 +0x2eb
main.ExecCommand(0xc8200848c0, 0xc820084910, 0xc820084960, 0x4575ac0, 0x7fff5fbffb2f, 0x3, 0x7fff5fbffb36, 0x3, 0x0, 0x0, ...)
        /Users/pda/code/go/src/github.com/99designs/aws-vault/exec.go:53 +0x54f
main.main()
        /Users/pda/code/go/src/github.com/99designs/aws-vault/main.go:102 +0x2983

Currently using locally-compiled aws-vault from #30 which is v2.3.1 + small patch.

fatal: no submodule mapping found

I'm trying to use your keyring module; I'm importing "github.com/99designs/aws-vault/keyring". However, I get an error when I attempt to install my code's dependencies (which include aws-vault).

$ go get .

# cd /home/mark/go/src/github.com/99designs/aws-vault; git submodule update --init --recursive
fatal: no submodule mapping found in .gitmodules for path 'vendor/github.com/alecthomas/units'
package github.com/99designs/aws-vault/keyring: exit status 128

I noticed that the most recent commit, 09f0ba74, was "Update Vendors". Thinking this might be the issue, I tried checking out the previous commit and re-running the submodule update command. This resulted in the same error.

Only appears to output to stderr

Happened to notice this when playing around.

I'm not that familiar with Go yet, so I'm not sure where the problem is exactly to put in a PR, but in case someone else can in the meantime, it can be tested simply with the terminal:

$ aws-vault --version > /dev/null
v3.2.0

$ aws-vault --version 2> /dev/null

Also noticed aws-vault --help has an exit status of 1.

aws-sdk-1.42.0 crash on http_proxy

Here's a crash from an app using aws-sdk-1.42.0 (~18 months old) and Ruby 2.2.3 (latest) failing to parse http_proxy="127.0.0.1:53486" as a URI.

aws-vault v2.3.2

$ aws-vault exec profilename -- bundle exec ./publish
/Users/pda/.rubies/ruby-2.2.3/lib/ruby/2.2.0/uri/rfc3986_parser.rb:66:in `split': bad URI(is not URI?): 127.0.0.1:53486 (URI::InvalidURIError)
        from /Users/pda/.rubies/ruby-2.2.3/lib/ruby/2.2.0/uri/rfc3986_parser.rb:72:in `parse'
        from /Users/pda/.rubies/ruby-2.2.3/lib/ruby/2.2.0/uri/common.rb:226:in `parse'
        from /Users/pda/.rubies/ruby-2.2.3/lib/ruby/2.2.0/uri/generic.rb:1554:in `find_proxy'
        from /Users/pda/.rubies/ruby-2.2.3/lib/ruby/2.2.0/net/http.rb:1034:in `proxy_uri'
        from /Users/pda/.rubies/ruby-2.2.3/lib/ruby/2.2.0/net/http.rb:1019:in `proxy?'
        from /Users/pda/.rubies/ruby-2.2.3/lib/ruby/2.2.0/net/http.rb:869:in `connect'
        from /Users/pda/.rubies/ruby-2.2.3/lib/ruby/2.2.0/net/http.rb:863:in `do_start'
        from /Users/pda/.rubies/ruby-2.2.3/lib/ruby/2.2.0/net/http.rb:858:in `start'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-1.42.0/lib/aws/core/credential_providers.rb:399:in `get_credentials'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-1.42.0/lib/aws/core/credential_providers.rb:51:in `block in set?'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-1.42.0/lib/aws/core/credential_providers.rb:50:in `synchronize'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-1.42.0/lib/aws/core/credential_providers.rb:50:in `set?'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-1.42.0/lib/aws/core/credential_providers.rb:130:in `block in credentials'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-1.42.0/lib/aws/core/credential_providers.rb:129:in `each'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-1.42.0/lib/aws/core/credential_providers.rb:129:in `credentials'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-1.42.0/lib/aws/core/credential_providers.rb:61:in `access_key_id'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-1.42.0/lib/aws/core/client.rb:549:in `build_request'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-1.42.0/lib/aws/core/client.rb:491:in `block (3 levels) in client_request'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-1.42.0/lib/aws/core/response.rb:175:in `call'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-1.42.0/lib/aws/core/response.rb:175:in `build_request'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-1.42.0/lib/aws/core/response.rb:114:in `initialize'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-1.42.0/lib/aws/core/client.rb:203:in `new'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-1.42.0/lib/aws/core/client.rb:203:in `new_response'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-1.42.0/lib/aws/core/client.rb:490:in `block (2 levels) in client_request'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-1.42.0/lib/aws/core/client.rb:391:in `log_client_request'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-1.42.0/lib/aws/core/client.rb:477:in `block in client_request'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-1.42.0/lib/aws/core/client.rb:373:in `return_or_raise'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-1.42.0/lib/aws/core/client.rb:476:in `client_request'
        from (eval):3:in `put_object'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-1.42.0/lib/aws/s3/s3_object.rb:1752:in `write_with_put_object'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-1.42.0/lib/aws/s3/s3_object.rb:607:in `write'
        from ./publish:23:in `block in <main>'
        from ./publish:16:in `each'
        from ./publish:16:in `<main>'
exit status 1

Note that the error comes out of ruby 2.2.3 stdlib net/http trying to auto-detect the proxy. However, I failed to reproduce it in isolation:

$ http_proxy="127.0.0.1:54179" ruby -r net/http -r uri -e 'puts Net::HTTP.start("example.org", 80) { |h| h.request(Net::HTTP::Get.new(URI("http://example.org/"))) }'
#<Net::HTTPOK:0x007f8334069e88>

Assume role session expires in 15 mins

Hi @lox,

Currently, when running aws-vault with exec, it creates a session (for assuming role), which times out after 15 mins. AWS assume role API allows up to 1 hour as the duration of the session.

Is there a way to configure this setting with aws-vault (i.e. env vars, config files, etc)?

~/development/ca/data$ aws-vault --debug exec dev-admin
DEBUG 2016/02/16 14:26:38 Parsing config file /Users/dev/.aws/config
DEBUG 2016/02/16 14:26:38 Looking up keyring for default
DEBUG 2016/02/16 14:26:38 Opening keychain /Users/dev/Library/Keychains/aws-vault.keychain
DEBUG 2016/02/16 14:26:40 Opening keychain /Users/dev/Library/Keychains/aws-vault.keychain
DEBUG 2016/02/16 14:26:43 Using session ***LVXQ, expires in 3h41m40.575404173s
DEBUG 2016/02/16 14:26:43 Assuming role arn:aws:iam::xxxxxxxxxxxxxx:role/xxxxxxxxxxxx
DEBUG 2016/02/16 14:26:45 Using role ***_XSZA, expires in 14m59.24446076s

DEBUG 2016/02/16 14:26:45 Parsing config file /Users/dev/.aws/config
DEBUG 2016/02/16 14:26:45 Writing temporary credentials to ENV
cmd has been run. exit

Some background information: we use aws-vault to create sessions on a local machine to run aws commands. Some of the commands take more than 15 mins to complete (such as baking AMIs). The session times out after 15 mins, which leaves everything hanging.

Fails to build on OSX 10.11 El Capitan

 ~/Projects/99designs/go/src/github.com/99designs/aws-vault/ on master › make install
go install -ldflags="-v -X main.Version=experimental-5-g7b012d0 -s" github.com/99designs/aws-vault
# github.com/99designs/aws-vault/keyring
keyring/keychain.go:65: cannot use *_Cvar_kSecClass (type C.CFStringRef) as type C.CFTypeRef in map key
keyring/keychain.go:65: cannot use *_Cvar_kSecClassGenericPassword (type C.CFStringRef) as type C.CFTypeRef in map value
keyring/keychain.go:66: cannot use *_Cvar_kSecAttrService (type C.CFStringRef) as type C.CFTypeRef in map key
keyring/keychain.go:67: cannot use *_Cvar_kSecAttrAccount (type C.CFStringRef) as type C.CFTypeRef in map key
keyring/keychain.go:68: cannot use *_Cvar_kSecMatchLimit (type C.CFStringRef) as type C.CFTypeRef in map key
keyring/keychain.go:68: cannot use *_Cvar_kSecMatchLimitOne (type C.CFStringRef) as type C.CFTypeRef in map value
keyring/keychain.go:69: cannot use *_Cvar_kSecReturnAttributes (type C.CFStringRef) as type C.CFTypeRef in map key
keyring/keychain.go:70: cannot use *_Cvar_kSecReturnData (type C.CFStringRef) as type C.CFTypeRef in map key
keyring/keychain.go:97: cannot use *_Cvar_kSecValueData (type C.CFStringRef) as type C.CFTypeRef in map index
keyring/keychain.go:106: cannot use *_Cvar_kSecAttrLabel (type C.CFStringRef) as type C.CFTypeRef in map index
keyring/keychain.go:106: too many errors
make: *** [install] Error 2
✗ exit 2

 ~/Projects/99designs/go/src/github.com/99designs/aws-vault/ on master › gcc -v
Configured with: --prefix=/Library/Developer/CommandLineTools/usr --with-gxx-include-dir=/usr/include/c++/4.2.1
Apple LLVM version 7.0.0 (clang-700.0.72)
Target: x86_64-apple-darwin15.0.0
Thread model: posix

Storing arbitrary secret data with profiles

This is probably outside the scope of aws-vault, but I would like to store other data alongside the aws profile. In my use case this would be an auth token to another service related to the aws profile. I only want this token exposed once credentials have been successfully created. What are your thoughts?

OSX binary for release 3.4.0 is not signed

Contrary to the README, the latest release's x86_64 binary isn't signed.

$ curl -sLo aws-vault-3.4.0 https://github.com/99designs/aws-vault/releases/download/v3.4.0/aws-vault-darwin-x86_64
$ codesign -dvvv aws-vault-3.4.0
aws-vault-3.4.0: code object is not signed at all

While 3.3.0 and 3.2.0 are signed:

$ curl -sLo aws-vault-3.3.0 https://github.com/99designs/aws-vault/releases/download/v3.3.0/aws-vault-darwin-x86_64
$ codesign -dvvv aws-vault-3.3.0
...
Authority=3rd Party Mac Developer Application: 99designs Inc (NRM9HVJ62Z)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
...

windows: MFA prompt doesn't wait for input

Reported by a coworker:

C:\Users\example\Downloads>aws-vault-windows-386.exe --debug exec example-read-only
2017/06/06 03:59:43 Parsing config file C:\Users\example\.aws\config
2017/06/06 03:59:43 Looking up keyring for example
Enter passphrase to unlock C:\Users\example\.awsvault\keys:
2017/06/06 03:59:47 Session not found in keyring
Enter token for arn:aws:iam::123456789012:mfa/example: 2017/06/06 03:59:47 Getting new session token for profile example
aws-vault: error: Failed to get credentials: InvalidParameter: 1 validation error(s) found.
- minimum field size of 6, GetSessionTokenInput.TokenCode.

Note that the “Enter token for …” prompt appears, but does not wait for input, instead proceeding with an empty MFA token.

Looking at this code it seems p.MfaPrompt() must be returning a token and no error. I'm confident that p.MfaPrompt is a reference to prompt.Terminal(). I think text, err := reader.ReadString('\n') is returning "", nil or "\n", nil despite no user input. I was considering looping until a non-empty string was read, but that might be obnoxious (e.g. it'd break “enter blank string for default”). Or, flushing stdin prior to prompting for input, but I don't know if there's a portable way to do that?

I don't have a Windows machine to test this on. Perhaps nobody has ever used aws-vault with MFA in Windows?

Edit: windows \r\n newlines are an obvious suspect, but the ReadString('\n') combined with TrimSpace() should handle that?

AWS Console login SessionDuration

I've been trying to add --session-duration flag to aws-vault login, but hit a snag where adding the SessionDuration parameter to the federated login causes the following error:

message Invalid credentials parameter
description The request sent by the client was syntactically incorrect.

It's exactly as described a few days ago by somebody else, so perhaps a recent problem with AWS API:
https://forums.aws.amazon.com/thread.jspa?threadID=236788

The documentation at http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html suggests it should be possible to set SessionDuration to up to 12 hours, regardless of the duration of the assumed role token being used to get the login token.

Below is my WIP, run out of time, and not ready to PR it without seeing it working against the API. Note also I based it on the older v3.4.0 config structure because master @ 69bf23b is broken by #74

diff --git a/login.go b/login.go
index 033210b..57e239a 100644
--- a/login.go
+++ b/login.go
@@ -7,6 +7,8 @@ import (
    "log"
    "net/http"
    "net/url"
+   "strconv"
+   "time"

    "github.com/99designs/aws-vault/keyring"
    "github.com/99designs/aws-vault/prompt"
@@ -16,11 +18,12 @@ import (
 )

 type LoginCommandInput struct {
-   Profile   string
-   Keyring   keyring.Keyring
-   MfaToken  string
-   MfaPrompt prompt.PromptFunc
-   UseStdout bool
+   Profile         string
+   Keyring         keyring.Keyring
+   MfaToken        string
+   MfaPrompt       prompt.PromptFunc
+   UseStdout       bool
+   SessionDuration time.Duration
 }

 func LoginCommand(ui Ui, input LoginCommandInput) {
@@ -59,14 +62,23 @@ func LoginCommand(ui Ui, input LoginCommandInput) {

    q := req.URL.Query()
    q.Add("Action", "getSigninToken")
+   if input.SessionDuration != 0 {
+       q.Add("SessionDuration", strconv.Itoa(int(input.SessionDuration.Seconds())))
+   }
    q.Add("Session", string(jsonBytes))
    req.URL.RawQuery = q.Encode()

+   ui.Debug.Printf("GET %s\n", req.URL)
+
    resp, err := http.DefaultClient.Do(req)
    if err != nil {
        ui.Error.Fatal(err)
    }

+   if contentType := resp.Header.Get("Content-Type"); contentType != "application/json" {
+       ui.Error.Println(fmt.Sprintf("expected application/json, got '%s'", contentType))
+   }
+
    defer resp.Body.Close()
    body, err := ioutil.ReadAll(resp.Body)
    if err != nil {
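Review bot: the added `ui.Debug.Printf("GET %s\n", req.URL)` writes the complete query string to the debug log, and that query includes the `Session` parameter built from `jsonBytes`, which in the federation sign-in flow carries the temporary access key, secret and session token; log `req.URL.Path` or a copy of the URL with `Session` redacted instead, since `--debug` output routinely ends up in pasted issue reports (as on this very page). Secondly, the Content-Type check compares the raw header against `"application/json"` exactly, so `application/json; charset=utf-8` would trip the warning; compare the media type from `mime.ParseMediaType(contentType)` instead, and decide whether a mismatch should be fatal rather than printing and continuing to parse the body.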
@@ -76,6 +88,7 @@ func LoginCommand(ui Ui, input LoginCommandInput) {
    var respParsed map[string]string

    if err = json.Unmarshal([]byte(body), &respParsed); err != nil {
+       ui.Error.Println("error parsing JSON:", string(body))
        ui.Error.Fatal(err)
    }

diff --git a/main.go b/main.go
index 4b7faa5..c0c1100 100644
--- a/main.go
+++ b/main.go
@@ -59,6 +59,7 @@ func main() {
        loginProfile     = login.Arg("profile", "Name of the profile").Required().String()
        loginMfaToken    = login.Flag("mfa-token", "The mfa token to use").Short('t').String()
        loginStdout      = login.Flag("stdout", "Print login URL to stdout instead of opening in default browser").Short('s').Bool()
+       loginDuration    = login.Flag("duration", "Duration that the credentials for the console session are valid").Duration()
        server           = kingpin.Command("server", "Run an ec2 instance role server locally")
    )

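Review bot: `loginDuration` is accepted without bounds, so a value outside the range the linked documentation allows (15 minutes to 12 hours), or a negative duration, which `.Duration()` will happily parse, is only rejected by the remote API with the opaque "Invalid credentials parameter" message quoted above. Validate after parsing, e.g. `if d := *loginDuration; d != 0 && (d < 15*time.Minute || d > 12*time.Hour) { ui.Error.Fatal("--duration must be between 15m and 12h") }`, and consider naming the flag `--session-duration` to match both the issue description and the API parameter it maps to.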
@@ -128,11 +129,12 @@ func main() {

    case login.FullCommand():
        LoginCommand(ui, LoginCommandInput{
-           Profile:   *loginProfile,
-           Keyring:   keyring,
-           MfaToken:  *loginMfaToken,
-           MfaPrompt: prompt.Method(*promptDriver),
-           UseStdout: *loginStdout,
+           Profile:         *loginProfile,
+           Keyring:         keyring,
+           MfaToken:        *loginMfaToken,
+           MfaPrompt:       prompt.Method(*promptDriver),
+           UseStdout:       *loginStdout,
+           SessionDuration: *loginDuration,
        })

    case server.FullCommand():

/cc @lox @mtibben

Can we add an option like -m or --mfa-token

Hey actually got it running on linux just fine.. but now we have one issue...
Can we add an option to input from CLI the password to unencrypt the ~/awsvault/keys/${profile_name}

like:

-m, --mfa-token=MFA-TOKEN

something like:

-p, --password=password to unencrypt credentials

this is so in our bash script we can ask for it.

Accessing buckets in regions that require Signature Version 4 fails

An error occurred (InvalidRequest) when calling the PutObject operation: You are attempting to operate on a bucket in a region that requires Signature Version 4. You can fix this issue by explicitly providing the correct region location using the --region argument, the AWS_DEFAULT_REGION environment variable, or the region variable in the AWS CLI configuration file. You can get the bucket's location by running "aws s3api get-bucket-location --bucket BUCKET".

Dunno if this counts as a Feature Request or a Bug. Guess it depends on your POV. For my day-to-day use this is a "nice-to-have" but I can see it being a deal breaker for other users.

Keychain Password wasn't copied

Hi,
I use 1Password to store secrets. Unfortunately Mac's Keychain password generator doesn't let you copy/paste passwords, so I just set a 30-character random password for the keychain and didn't manage to copy it properly into 1Password.

I'm now locked out of my aws-vault. This is fine - I don't need the credentials that are in it, but I'm trying to delete it ("aws-vault remove stage") and re-add the profile (aws-vault add stage), and every time I'm getting prompted for my aws-vault Keychain password, which I don't have.

How can I blow away everything aws-vault and Keychain related and start over?

Unsetting AWS_CONFIG_FILE breaks `aws cloudfront`

The cloudfront command of the aws CLI requires that you explicitly enable it by setting this in your aws config file:

[preview]
cloudfront = true

In the forked environment of aws-vault exec, AWS_CONFIG_FILE gets set to /dev/null by https://github.com/99designs/aws-vault/blob/master/exec.go#L89 (this behavior was introduced in cb5710d). With that, the aws tool can't see the configuration enabling the cloudfront preview.

The hack workaround was to spawn a shell and reset that env var, but that's not exactly ideal 😄

What's the reason for 💀 AWS_CONFIG_FILE, anyway? What kinds of values in there were you trying to avoid, @lox ?

Ruby aws-sdk 1.66.0 MissingCredentialsError

Ruby's aws-sdk 1.66.0 (the latest v1 release) fails to upload to S3 under aws-vault.

As shown in #33, the earlier v1.42.0 succeeds at the same operation, after an unrelated proxy parsing issue was fixed.

$ aws-vault --debug exec profilename -- bundle exec ./publish
DEBUG 2015/10/12 14:51:20 Parsing config file /Users/pda/.aws/config
DEBUG 2015/10/12 14:51:20 Looking up keyring for 99designs
DEBUG 2015/10/12 14:51:20 Opening keychain /Users/pda/Library/Keychains/aws-vault.keychain
DEBUG 2015/10/12 14:51:21 Opening keychain /Users/pda/Library/Keychains/aws-vault.keychain
DEBUG 2015/10/12 14:51:21 Session is expired
DEBUG 2015/10/12 14:51:21 Getting new session token for profile contests
DEBUG 2015/10/12 14:51:21 Writing session for contests to keyring
DEBUG 2015/10/12 14:51:21 Opening keychain /Users/pda/Library/Keychains/aws-vault.keychain
DEBUG 2015/10/12 14:51:21 Adding service="aws-vault", account="contests session" to osx keychain /Users/pda/Library/Keychains/aws-vault.keychain
DEBUG 2015/10/12 14:51:21 Opening keychain /Users/pda/Library/Keychains/aws-vault.keychain
DEBUG 2015/10/12 14:51:21 Removing keychain item service="aws-vault", account="contests session" from osx keychain "/Users/pda/Library/Keychains/aws-vault.keychain"
DEBUG 2015/10/12 14:51:21 Using session, expires in 3h59m59.047780732s
DEBUG 2015/10/12 14:51:21 Assuming role arn:aws:iam::068566200760:role/ReadOnly, expires in 15m0s
DEBUG 2015/10/12 14:51:22 Role token expires in 14m59.945270573s
DEBUG 2015/10/12 14:51:22 Parsing config file /Users/pda/.aws/config
DEBUG 2015/10/12 14:51:22 Metadata server listening on 127.0.0.1:54769
project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-v1-1.66.0/lib/aws/core/credential_providers.rb:140:in `credentials':  (AWS::Errors::MissingCredentialsError)
Missing Credentials.

Unable to find AWS credentials.  You can configure your AWS credentials
a few different ways:

* Call AWS.config with :access_key_id and :secret_access_key

* Export AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to ENV

* On EC2 you can run instances with an IAM instance profile and credentials
  will be auto loaded from the instance metadata service on those
  instances.

* Call AWS.config with :credential_provider.  A credential provider should
  either include AWS::Core::CredentialProviders::Provider or respond to
  the same public methods.

= Ruby on Rails

In a Ruby on Rails application you may also specify your credentials in
the following ways:

* Via a config initializer script using any of the methods mentioned above
  (e.g. RAILS_ROOT/config/initializers/aws-sdk.rb).

* Via a yaml configuration file located at RAILS_ROOT/config/aws.yml.
  This file should be formated like the default RAILS_ROOT/config/database.yml
  file.

        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-v1-1.66.0/lib/aws/core/credential_providers.rb:62:in `access_key_id'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-v1-1.66.0/lib/aws/core/client.rb:549:in `build_request'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-v1-1.66.0/lib/aws/core/client.rb:491:in `block (3 levels) in client_request'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-v1-1.66.0/lib/aws/core/response.rb:175:in `call'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-v1-1.66.0/lib/aws/core/response.rb:175:in `build_request'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-v1-1.66.0/lib/aws/core/response.rb:114:in `initialize'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-v1-1.66.0/lib/aws/core/client.rb:203:in `new'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-v1-1.66.0/lib/aws/core/client.rb:203:in `new_response'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-v1-1.66.0/lib/aws/core/client.rb:490:in `block (2 levels) in client_request'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-v1-1.66.0/lib/aws/core/client.rb:391:in `log_client_request'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-v1-1.66.0/lib/aws/core/client.rb:477:in `block in client_request'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-v1-1.66.0/lib/aws/core/client.rb:373:in `return_or_raise'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-v1-1.66.0/lib/aws/core/client.rb:476:in `client_request'
        from (eval):3:in `put_object'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-v1-1.66.0/lib/aws/s3/s3_object.rb:1765:in `write_with_put_object'
        from project/vendor/bundle/ruby/2.2.0/gems/aws-sdk-v1-1.66.0/lib/aws/s3/s3_object.rb:611:in `write'
        from ./publish:23:in `block in <main>'
        from ./publish:16:in `each'
        from ./publish:16:in `<main>'
exit status 1

Long running sub-processes result in expired keys

The maximum expiry on assume-session credentials is unfortunately 60 minutes (http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html). What this means is that a long running process (for instance a complicated packer build) will end up with expired credentials.

Because aws-vault gets credentials to the child process as environment variables, there aren't any mechanisms to refresh these. The various SDKs and aws-cli refresh these internally.

I'm currently investigating different options, none so far which are a perfect fit.

Interested in thoughts. @joho @dgoodlad @pda @mtibben
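What the SDKs' internal refresh amounts to, as an added Go example (not aws-vault's own code): a provider that reads the metadata-style credential document and fetches a new one once the cached credentials are close to expiry, something a static AWS_* environment cannot do. The refreshingProvider type, the endpoint URL and the refresh window are assumptions; the JSON field names are those of the EC2 instance metadata credential document.

```go
package main

import (
	"encoding/json"
	"net/http"
	"time"
)

// metadataCreds mirrors the credential document the EC2 instance metadata
// service returns under /latest/meta-data/iam/security-credentials/; the
// aws-vault server mode mentioned above serves the same shape to SDKs.
type metadataCreds struct {
	AccessKeyId     string
	SecretAccessKey string
	Token           string
	Expiration      time.Time // RFC 3339 timestamp in the document
}

// refreshingProvider is a minimal version of what SDKs and aws-cli do
// internally: keep the last credentials and fetch new ones once they are
// within refreshWindow of expiry. A child process handed AWS_* environment
// variables has no equivalent, which is why a job longer than the session
// lifetime ends up with expired keys.
type refreshingProvider struct {
	endpoint      string           // assumed local metadata URL, e.g. http://localhost:9099/...
	refreshWindow time.Duration    // refresh this long before Expiration
	now           func() time.Time // injectable clock so a test can move past expiry
	cached        *metadataCreds
	Fetches       int // requests made to endpoint; lets a caller see refreshes
}

// Retrieve returns the cached credentials while they stay valid for at least
// refreshWindow, otherwise it fetches a fresh document from the endpoint.
func (p *refreshingProvider) Retrieve() (*metadataCreds, error) {
	if p.cached != nil && p.now().Add(p.refreshWindow).Before(p.cached.Expiration) {
		return p.cached, nil
	}
	resp, err := http.Get(p.endpoint)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var c metadataCreds
	if err := json.NewDecoder(resp.Body).Decode(&c); err != nil {
		return nil, err
	}
	p.Fetches++
	p.cached = &c
	return &c, nil
}
```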

Install instructions for Windows in README

README.md should briefly show how to install on Windows. I think actual usage on Windows is roughly covered by USAGE.md (i.e. it's the same as on unixish systems). I'd PR these install instructions instead of opening an issue, but I have no idea how to install aws-vault on Windows ;)

(Side-note: #123 will lead to Windows releases with .exe file extension, making installation a little more obvious, I think. But people may still be expecting it's an installer, not the program itself.)

aws-vault should replace env vars, not append

When using aws-vault exec, if AWS_* env vars have already been defined, aws-vault does not replace them. Instead it appends environment variables, which leads to undefined behaviour.

aws-vault should replace any environment variable that it needs to define, rather than appending.
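The difference between appending and replacing, as an added Go example rather than aws-vault's own code: appendEnv reproduces the reported behaviour, replaceEnv is one way to do what the issue asks for, and countKey checks the resulting child environment. The function names and the credential values are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// appendEnv reproduces the reported behaviour: credentials are appended to
// the parent environment, so a shell that already exported AWS_ACCESS_KEY_ID
// passes two entries for that key; which one the child sees is then undefined.
func appendEnv(parent []string, creds map[string]string) []string {
	out := append([]string{}, parent...)
	for k, v := range creds {
		out = append(out, k+"="+v)
	}
	return out
}

// replaceEnv is one way to do what the issue asks: drop every parent entry
// whose key is about to be defined, then add exactly one entry per variable.
func replaceEnv(parent []string, creds map[string]string) []string {
	out := make([]string, 0, len(parent)+len(creds))
	for _, kv := range parent {
		key := strings.SplitN(kv, "=", 2)[0]
		if _, managed := creds[key]; !managed {
			out = append(out, kv)
		}
	}
	for k, v := range creds {
		out = append(out, k+"="+v)
	}
	return out
}

// countKey reports how many entries in env set key; a sound child
// environment has at most one per key.
func countKey(env []string, key string) int {
	n := 0
	for _, kv := range env {
		if strings.HasPrefix(kv, key+"=") {
			n++
		}
	}
	return n
}

func main() {
	creds := map[string]string{"AWS_ACCESS_KEY_ID": "ASIAEXAMPLE", "AWS_SESSION_TOKEN": "example-token"} // constructed values
	parent := []string{"HOME=/home/me", "AWS_ACCESS_KEY_ID=AKIASTALE"}                                    // shell that already exported a key
	fmt.Println(countKey(appendEnv(parent, creds), "AWS_ACCESS_KEY_ID"), countKey(replaceEnv(parent, creds), "AWS_ACCESS_KEY_ID")) // prints 2 1
}
```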

Some AWS SDKs don't support http_proxy for Instance Metadata

Some SDKs don't support http_proxy for Instance Metadata, which means that they can't get credentials from aws-vault, as it exposes the server instance via http_proxy.

The impact of this issue is that some tools just aren't able to get credentials, like in #40.

(Side note: some SDKs have very short timeouts, probably a different issue)

So whilst there is the --write-env that provides a band-aid, it's hard to imagine how to provide a solution that would work universally. Some options I'm considering are:

  1. Change the default back to writing out environment vars and allow opt-in to the metadata approach
  2. Provide a small daemon that would actually bind to 169.254.169.254 and forward to the correct exec server via magic. :'(
  3. ???

Invalid handle error on Windows

Problem

When entering access credentials, aws-vault exits with the error message "The handle is invalid"

C:\Users\shorty>aws-vault add test
Enter Access Key ID: AKIAAAAAAAAAAAAAAAAAAAAA
Enter Secret Access Key: zzzzzzzzzzzzzzzzzzzzzzz
Enter passphrase to unlock C:\Users\shorty\.awsvault\keys: aws-vault: error: The handle is invalid.

Expected Result

aws-vault accepts password input and exits successfully.

Environment Details

OS: Windows 10 x64 build 15019
Go version: 1.7.3
Built from tag v3.7.0
Using standard Windows Command prompt

Running `exec` with `-s` returns error after waking from sleep

Periodically, after waking my laptop up, I get this error when trying to spawn a new shell with a server in the background:

aws-vault exec -s behold-the-llama
aws-vault: error: &net.OpError{Op:"listen", Net:"tcp", Source:net.Addr(nil), Addr:(*net.TCPAddr)(0xc420423110), Err:(*os.SyscallError)(0xc42043d840)}

Tis a strange error, I suspect because there is already a server process running. This error should be clearer, and this should be handled better.

adding new profile with existing key

I've a few profiles already set up.
They have the same key from an IAM account, and then assume role to switch to another aws account / role.

I'm now adding a new profile. But since I no longer have the key, I have to issue a new one and re-add it to all existing profiles.

Is there a way I can just have a base profile with the keys, and then dependent profiles that assume roles?

#~/.aws/config

[profile default]
region = eu-west-1

[profile iam]
mfa_serial = arn:aws:iam::XXX:mfa/F
region = eu-west-1

[profile dev]
mfa_serial = arn:aws:iam::XXX:mfa/F
role_arn = arn:aws:iam::XXXXX:role/crossaccount-role
region = eu-west-1

[profile prod]
mfa_serial = arn:aws:iam::XXX:mfa/F
role_arn = arn:aws:iam::XXXX:role/crossaccount-role
region = eu-west-1

Provide MFA token as a command-line argument

There are some workflows which use command-line tools such as oath-toolkit for generating MFA tokens.

It would be handy to be able to pass the MFA token value into the aws-vault call as a flag, which would make it easy to integrate. Something like this:

$ aws-vault exec --mfa-token=123456 admin -- aws ...

I'm not familiar with Golang but will try to create a PR for this!

Force new session option

It would be nice to have a force new session option. We need a guaranteed period of time where the session is valid. Currently we set the session length larger than desired and set the --debug flag so we can watch for session endings.

Or put another way. No session caching.

No credentials in profile after restart

It appears my access credentials got lost from the key chain after a restart. My profile appears in aws-vault but I get the message "No credentials found for profile "development"" when trying to use it. Any idea what has happened?

Print prompts to stderr

I just tried to run a command with aws-vault exec and pipe the output, like:

aws-vault exec profile -- ./ec2.py --refresh-cache |less

My profile required MFA, and the prompt was printed to stdout, so this didn't work the way I hoped.

It might be better to print prompts to stderr instead of stdout to avoid problems with stdout redirection.

aws-vault login always requests MFA

Previously, aws-vault login <profile> would request the MFA token once, and subsequent calls within a reasonable time period would not need it. Now (v3.5.0-31-g0acf41f) it requests them every time.

I'm guessing this is a side-effect of #92 so it's perhaps a good trade-off for getting longer AWS console sessions. Figured I'd open an issue in case it's considered a regression or something that can/should be fixed.

$ aws-vault --debug login --stdout PROFILE
2016/09/28 11:38:00 Parsing config file /Users/pda/.aws/config
2016/09/28 11:38:00 Looking up keyring for redacted
2016/09/28 11:38:00 Opening keychain /Users/pda/Library/Keychains/aws-vault.keychain
Enter token for arn:aws:iam::redacted:mfa/redacted: redacted
2016/09/28 11:38:09 Assuming role arn:aws:iam::redacted:role/redacted with iam credentials
2016/09/28 11:38:10 Using role ****************redacted, expires in 14m59.605818512s
2016/09/28 11:38:10 Creating federation login token, expires in 12h0m0s
https://signin.aws.amazon.com/federation?Action=login&Issuer=aws-vault&Destination=redacted...

No CI?

I see travis files and some ci scripts, but no status on merge requests? @vektah?

Docker + file backend

This is probably a wacko edge case, but I'm not sure where to go with this. Docker image, ubuntu14.04, and aws-vault v3.5.0 package added to it:

# aws-vault --backend=file add foo
Enter Access Key ID: 123
Enter Secret Access Key: 456
user: Current not implemented on linux/amd64

Linux support

Support for Linux users, whether command-line or desktop environment users.

Todo:

  • Implement KWallet4 keyring backend
  • Implement KWallet5 keyring backend
  • Implement gpg-agent backend
  • Implement encrypted file backend
  • Release process needs to build linux binaries

aws-vault server mode with 2FA

In an attempt to get AWS command completion workarounds (previous issue), I was trying to get the server mode going. I have aws-vault exec profile --server which drops me into a prompt, from where I can get the metadata with curl localhost:9099. But aws commands fail with credential validation. I have MFA enabled for the profile. Is that a limitation of the tool, or am I missing something here?

3.5.0 broken on Sierra

3.5.0 isn't working on Sierra for me. I suspect this PR broke things #88 since I've built 1c5c5f2 locally and that works fine.

Steps taken (after removing the old aws-vault.keychain keychain file):

aws-vault add my-profile asks for a new password for the vault, and appears to work fine. It creates aws-vault.keychain-db (not aws-vault.keychain like the log output indicates):

❯ aws-vault add my-profile
Enter Access Key ID: [snip]
Enter Secret Access Key: [snip]
2016/09/26 14:11:34 Opening keychain /Users/steve/Library/Keychains/aws-vault.keychain
2016/09/26 14:11:34 Creating keychain /Users/steve/Library/Keychains/aws-vault.keychain (prompt true)
2016/09/26 14:11:42 Adding service="aws-vault", account="my-profile" to osx keychain /Users/steve/Library/Keychains/aws-vault.keychain
Added credentials to profile "my-profile" in vault
2016/09/26 14:11:42 Parsing config file /Users/steve/.aws/config
2016/09/26 14:11:42 Opening keychain /Users/steve/Library/Keychains/aws-vault.keychain

Then trying to use it fails. It doesn't ask for my vault password at this stage:

❯ aws-vault exec a-profile bash
2016/09/26 14:11:48 Parsing config file /Users/steve/.aws/config
2016/09/26 14:11:48 Looking up keyring for my-profile
2016/09/26 14:11:48 Opening keychain /Users/steve/Library/Keychains/aws-vault.keychain
2016/09/26 14:11:48 Error from keyring The user name or passphrase you entered is not correct.
No credentials found for profile "a-profile"

Key rotation: documentation and/or bug

I'm attempting to aws-vault rotate <profile> where profile is an IAM user with AdministratorAccess policy attached, and I'm seeing something like #15:

$ aws-vault rotate pda
Enter passphrase to unlock /home/pda/.awsvault/keys:
Using old credentials to create a new access key
aws-vault: error: InvalidClientTokenId: The security token included in the request is invalid
        status code: 403, request id: ...

Using a v3.7.1-23-g8c008d3 build of aws-vault.

Same error for any aws iam ... operation, but all other AWS services are working:

$ aws-vault exec pda -- aws iam list-access-keys
Enter passphrase to unlock /home/pda/.awsvault/keys:
An error occurred (InvalidClientTokenId) when calling the ListAccessKeys operation: The security token included in the request is invalid

Is this expected? Is there an IAM setting/policy somewhere that needs to be changed? Or does rotation only work for non-IAM root account credentials? Should we be using the stored access key rather than a session token for the rotate command?

I've used aws-vault rotate before on work AWS accounts, but never with this personal AWS account.

As #129 pointed out, there's no mention of aws-vault rotate in the README etc; I'm happy to add that if I can figure out how to use it :)

What should `aws-vault list` show?

Currently aws-vault list will show all keys in the aws-vault keychain. This includes sessions.

I've been thinking of breaking out: aws-vault list-profiles, aws-vault list-sessions and then have aws-vault list show only the credentials that are stored. The alternative would be to have aws-vault list have a --profiles and --session flag.

Feels?
