
granted's Introduction

Granted

The easiest way to access your cloud.


🚀 Get Started


What is Granted?

Granted is a command line interface (CLI) application which simplifies access to cloud roles and allows multiple cloud accounts to be opened in your web browser simultaneously. The goals of Granted are:

  • Provide a fast experience around finding and assuming roles

  • Leverage native browser functionality to allow multiple accounts to be accessed at once

  • Encrypt cached credentials to avoid plaintext SSO tokens being saved on disk

What does Granted work with?

Granted supports macOS, Linux, and Windows. Our Windows support is less extensively tested than other platforms, so if you run into any problems please let us know.

Currently Granted supports accessing roles in AWS. If you'd like to see support for another cloud provider please open an issue!

Documentation

Get started by reading our documentation.

Contributing

See CONTRIBUTING.md for information on how to contribute. We welcome all contributors - join our Slack to discuss the project!

Security

See SECURITY.md for security information. You can view our full security documentation on the Granted website.


granted's Issues

Cannot open a browser session for profile because it does not assume a role

Hi, Thanks for this initiative, nice work.

I'm using Okta with AWS federation and saml2aws CLI tool in order to get temporary credentials for AWS CLI.
After setting up the profile with granted and trying to use the browser session functionality, I'm getting the following error message

Attempting to open using active role...

Cannot open a browser session for profile: xxxx because it does not assume a role

I have credentials and aws profile configured correctly, and when running aws sts get-caller-identity I'm getting my identity correctly:

{
    "UserId": "AROXXXXXXXXXXXXX:[email protected]",
    "Account": "123456789123",
    "Arn": "arn:aws:sts::xxxxxxxxxxxx:assumed-role/Admin/[email protected]"
}

Output from running assume:

§ assume
? Please select the profile you would like to assume: xxxxxx
[xxxxxx](us-east-1) session credentials ready

zsh autocompletion

As mentioned in the docs:

Granted has support for shell auto complete. We currently support fish, with plans to support bash, powershell, and zsh in the future. Please let us know of your interest by opening an issue on GitHub.

I haven't found an open GitHub issue on this request so here's one to let you know that I would be interested in zsh autocompletion for granted!

To be more specific, having the ability to tab and then be able to automatically search your AWS config for profiles.

Here's something I use for aws-vault to autocomplete aws profiles in zsh: https://github.com/dannysteenman/zsh-aws-vault/blob/main/_aws_vault_completion

Feature Request: Support use on "headless" nodes

Granted bombs out on initial run on Linux if xdg-settings isn't installed. A usage model where it spits out the URL for the console to STDOUT is normally how I've seen other SSO-driven tools handle this; is there a plan to support that approach?

Handle global services automatically

For some services like Route53, if you specify that to open the console to, it tries to go to the regional version, and that one especially is global. Others I'm aware of are chime, iam and s3, though there are likely more.

Cannot open a browser session for profile with sso

Hi,

Thanks for this initiative, nice work.

I've tried to open the browser (Chrome) and I have the issue below.

Could you please help me with that?

cat ~/.aws/config

[profile admin-dev]
sso_start_url = https://test.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 1234567890
sso_role_name = AdministratorAccess
region = eu-west-1

assume -c

? Please select the profile you would like to assume: admin-dev
If browser is not opened automatically, please open link:
https://device.sso.eu-west-1.amazonaws.com/?user_code=NNJW-TVSX

Awaiting authentication in the browser...
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x0 pc=0x1024de644]

goroutine 1 [running]:
github.com/99designs/keyring.(*fileKeyring).unlock(0x140003c93b0)
/Users/runner/go/pkg/mod/github.com/99designs/[email protected]/file.go:70 +0xa4
github.com/99designs/keyring.(*fileKeyring).Set(0x140003c93b0, {{0x1400017acc0, 0x20}, {0x14000547b80, 0x527, 0x580}, {0x0, 0x0}, {0x0, 0x0}, ...})
/Users/runner/go/pkg/mod/github.com/99designs/[email protected]/file.go:139 +0x98
github.com/common-fate/granted/pkg/credstore.Store({0x1400017acc0, 0x20}, {0x1027fd200, 0x140003c91a0})
/Users/runner/work/granted-cli-build/granted-cli-build/granted/pkg/credstore/credstore.go:35 +0xdc
github.com/common-fate/granted/pkg/cfaws.StoreSSOToken({0x1400017acc0, 0x20}, {{0x140001a8000, 0x4e9}, {0xc07e2169a6aefc10, 0x1a3373598536, 0x102ca3240}})
/Users/runner/work/granted-cli-build/granted-cli-build/granted/pkg/cfaws/secure_token_storage.go:32 +0x64
github.com/common-fate/granted/pkg/cfaws.(*CFSharedConfig).SSOLogin(0x14000264780, {0x102894c70, 0x14000144008})
/Users/runner/work/granted-cli-build/granted-cli-build/granted/pkg/cfaws/sso.go:61 +0x1ac
github.com/common-fate/granted/pkg/cfaws.(*CFSharedConfig).Assume(0x14000264780, {0x102894c70, 0x14000144008})
/Users/runner/work/granted-cli-build/granted-cli-build/granted/pkg/cfaws/profiles.go:190 +0x1d8
github.com/common-fate/granted/pkg/assume.AssumeCommand(0x14000143ac0)
/Users/runner/work/granted-cli-build/granted-cli-build/granted/pkg/assume/assume.go:88 +0x610
github.com/common-fate/granted/pkg/updates.WithUpdateCheck.func1(0x14000143ac0)
/Users/runner/work/granted-cli-build/granted-cli-build/granted/pkg/updates/updates.go:69 +0xc8
github.com/urfave/cli/v2.(*App).RunContext(0x14000242820, {0x102894c70, 0x14000144008}, {0x14000148000, 0x2, 0x2})
/Users/runner/go/pkg/mod/github.com/urfave/cli/[email protected]/app.go:322 +0x6e8
github.com/urfave/cli/v2.(*App).Run(...)
/Users/runner/go/pkg/mod/github.com/urfave/cli/[email protected]/app.go:224
main.main()
/Users/runner/work/granted-cli-build/granted-cli-build/granted/cmd/assume/main.go:13 +0x60

Using Granted with `sops` gives a `SharedConfigErr`

When assuming a role with Granted and then running sops the following error is returned:

Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  arn:aws:kms:<REGION>:<ACCOUNT>:key/mrk-<KMS_KEY_ID>: FAILED
    - | Error creating AWS session: SharedConfigErr: only one
      | credential type may be specified per profile: source
      | profile, credential source, credential process, web identity
      | token, or sso

Interestingly, sops works fine when using awsume and aws-sso-utils to access the role. SOPS is written in Go so perhaps we are introducing env variables which are affecting the AWS Go SDK.

assume command not found

On linux, I install the "granted" binary as per the docs. I don't understand where the "assume" command comes from

Add Support for other AWS Partitions such as GovCloud

Right now, this works fine for me on my AWS commercial profiles, but fails for my govcloud profiles:

$ assume -c mdr-test-c2-gov

ℹ️  use -s to open a specific service (https://docs.commonfate.io/granted/usage/console)

Opening a console for mdr-test-c2-gov in your browser...

And then the browser gets the classic AWS "The credentials in your login link were invalid. Please contact your administrator.". This is because it's going to signin.aws.amazon.com instead of signin.amazonaws-us-gov.com.

I would imagine similar issues exist for the China partition and the top secret one.

I would imagine you could key off the region to determine which partition you were in.
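
The suggestion in this report, keying off the region to pick the partition, sketched as an added Go example (not Granted's code). The GovCloud sign-in host is the one named in the report; the other hosts are AWS's public sign-in and console hosts for each partition, and the function names and the placeholder token are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// endpoints holds the hosts used for console federation in one AWS partition.
type endpoints struct {
	Partition   string
	SigninHost  string
	ConsoleHost string
}

var (
	commercial = endpoints{"aws", "signin.aws.amazon.com", "console.aws.amazon.com"}
	govCloud   = endpoints{"aws-us-gov", "signin.amazonaws-us-gov.com", "console.amazonaws-us-gov.com"}
	china      = endpoints{"aws-cn", "signin.amazonaws.cn", "console.amazonaws.cn"}
)

// ErrNoEndpoints is returned when the region belongs to a partition whose
// sign-in hosts this example does not know.
var ErrNoEndpoints = errors.New("no console endpoints known for this partition")

// endpointsForRegion keys off the region prefix, as the report suggests.
func endpointsForRegion(region string) (endpoints, error) {
	switch {
	case region == "":
		return endpoints{}, errors.New("region is empty, refusing to guess a partition")
	case strings.HasPrefix(region, "us-gov-"):
		return govCloud, nil
	case strings.HasPrefix(region, "cn-"):
		return china, nil
	case strings.HasPrefix(region, "us-iso"):
		// Isolated partitions: fail rather than send the token to the commercial host.
		return endpoints{}, fmt.Errorf("%w: region %q", ErrNoEndpoints, region)
	default:
		return commercial, nil
	}
}

// consoleLoginURL builds the federation login link for a sign-in token that
// was obtained from the same partition's getSigninToken call.
func consoleLoginURL(region, signinToken string) (string, error) {
	ep, err := endpointsForRegion(region)
	if err != nil {
		return "", err
	}
	dest := url.URL{
		Scheme:   "https",
		Host:     ep.ConsoleHost,
		Path:     "/console/home",
		RawQuery: url.Values{"region": {region}}.Encode(),
	}
	q := url.Values{}
	q.Set("Action", "login")
	q.Set("Issuer", "")
	q.Set("Destination", dest.String())
	q.Set("SigninToken", signinToken)
	login := url.URL{Scheme: "https", Host: ep.SigninHost, Path: "/federation", RawQuery: q.Encode()}
	return login.String(), nil
}

func main() {
	// Constructed inputs: the token is a placeholder, not a real sign-in token.
	for _, region := range []string{"us-west-2", "us-gov-west-1", "cn-north-1", "us-iso-east-1", ""} {
		link, err := consoleLoginURL(region, "EXAMPLE-TOKEN")
		if err != nil {
			fmt.Printf("%-16q error: %v\n", region, err)
			continue
		}
		fmt.Printf("%-16q %s\n", region, link)
	}
}
```

An empty region is rejected instead of defaulting to the commercial partition, so a missing region fails with a clear error rather than producing an invalid login link.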

Granted exports Environment variables in wrong order for IAM Profiles

From our slack channel
These are the exported variable values when assuming a local IAM user credential, the session token, profile and region are incorrectly assigned.

AWS_ACCESS_KEY_ID=*****
AWS_SECRET_ACCESS_KEY=*********
AWS_SESSION_TOKEN=dev
GRANTED_AWS_ROLE_PROFILE=us-west-2
AWS_REGION=

[profile dev]
region=us-west-2

Allow stdout as a browser option

Raised by @QuinnyPig in #78 - splitting this so we can track this issue separately.

In display-constrained devices (such as a remote SSH connection to a server, where the server is running the Granted binary) Granted users don’t have access to the browser on the same device which is executing Granted.

In this situation, it’s desirable to print the resulting console URL to STDOUT so that users can copy this out of the SSH session and into their host system, which is likely to have a web browser.

The desired experience for this is something like:

granted browser set --browser=stdout
assume -c PROFILE_NAME
# a console URL for PROFILE_NAME is printed in the terminal

Support SSO authentication in a non-default browser

From Marco on the Common Fate Community Slack:

I just discovered this software and I’m experimenting with it. I’m having some issues with the browser flow: my default browser is Chrome, but I’d like to use Firefox for the SSO Authentication flow; even if I’ve configured everything correctly (at least I think I do), when I run assume -c myprofile the login flow always opens with Chrome.

.granted/config:

DefaultBrowser = "FIREFOX"
CustomBrowserPath = "/Applications/Firefox.app/Contents/MacOS/firefox"

.aws/config (redacted):

[profile myprofile]
sso_start_url=https://foo.bar/
sso_region=eu-west-1
sso_account_id=123456
sso_role_name=myRole
region=eu-west-1
output=json

Currently the SSO prompt always opens in the default browser, even if Firefox is used for AWS console access.

For some users (like myself) this is preferred, however other users like Marco would prefer to use Firefox for both SSO authentication and console access.

We should allow users to set an SSOBrowserPath in Granted's config file, and open this rather than the default browser if it is set.

DefaultBrowser = "FIREFOX"
CustomBrowserPath = "/Applications/Firefox.app/Contents/MacOS/firefox"
SSOBrowserPath = "/Applications/Firefox.app/Contents/MacOS/firefox"

Granted breaks the AWS_REGION env var

Running on the latest build on main, running the following steps causes the AWS CLI to return an error:

➜ assume PROFILE
➜ aws s3 ls

Invalid endpoint: https://s3..amazonaws.com

This is because we are exporting AWS_REGION to be an empty string.

Additionally, running

➜ assume -r ap-southeast-2 PROFILE
➜ aws s3 ls

Still causes the same problem.

Workarounds

Manually exporting the AWS_REGION variable after running assume still works.

export AWS_REGION=us-east-1

System details

  • MacOS 12.1
  • Fish shell

add `export AWS_SESSION_EXPIRATION`

In the docs, you explain which environment variables you export after an AWS role is assumed.

AWS_REGION
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN
GRANTED_AWS_ROLE_PROFILE

Can you add AWS_SESSION_EXPIRATION to this list? I'm using the starship prompt and exporting this variable allows you to display how much time you have left before the session expires 👇

~ on  cn-devorg-tst-sso (eu-central-1) [59m55s]
➜

See the explanation of AWS_SESSION_EXPIRATION in the starship docs here: https://starship.rs/config/#aws

[Feature request] (Chrome): Allow using existing extensions with new profile-directories

Hi!

First up thank you very much for an awesome tool!

It would be extremely nice if it would be possible to somehow keep extensions when opening the AWS console through granted.

I see the reason for it not being directly available is the internals of using a separate --profile-directory for each profile/region permutation. Perhaps it could be possible to symlink the extensions of these new profiles to the Default profile .config/google-chrome/Default as an opt-in option in granted? Not sure if Chrome works that way, but I would guess you know more about that than me :)

Console session in firefox expires within 15min

For some reason when I open a console session for one of my chained profiles e.g.

assume --console -s cloudformation example-prd

After 15min the console session expires and I have to open another console session. For some reason, this happens with chained role sessions. This is an example of a config profile where the issue happens:

[profile example-sso]
sso_start_url=https://example.awsapps.com/start
sso_region=eu-west-1
sso_account_id= 012345678901
sso_role_name=example-support
region=eu-west-1

[profile example-prd]
role_arn=arn:aws:iam::012345678902:role/example-administrator
source_profile=example-sso
region=eu-central-1

Let me know if you need extra logs/details.

macOS: invalid syntax in tap!

==> Tapping common-fate/granted
Cloning into '/opt/homebrew/Library/Taps/common-fate/homebrew-granted'...
remote: Enumerating objects: 88, done.
remote: Counting objects: 100% (88/88), done.
remote: Compressing objects: 100% (44/44), done.
remote: Total 88 (delta 22), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (88/88), 11.02 KiB | 2.20 MiB/s, done.
Resolving deltas: 100% (22/22), done.
Error: Invalid formula: /opt/homebrew/Library/Taps/common-fate/homebrew-granted/Formula/granted.rb
formulae require at least a URL
Error: Cannot tap common-fate/granted: invalid syntax in tap!

Homebrew 3.3.16
MacBook Pro 14" 2021 - Apple M1 Pro with macOS Monterey (12.2.1)

Add logout command

Made this its own issue from #81. We should have a logout command (thinking granted logout) which clears SSO tokens.

Unable to launch browser in Windows

I'm using Granted version 0.1.11 on Windows 10. When I assume a role (not logged into AWS), my browser opens and requests for permissions just fine. However, every time afterwards I have been unable to get a browser window to pop when I assume different roles. The logs indicate that I can switch roles ([Build-Account](us-west-2) session credentials will expire...), but nothing happens. I've tried launching through both Chrome and Edge browsers, and have verified that the paths are set correctly in my settings (granted settings).

Feature Request: command to unset environment variables

If I assume shitposting, granted does what you would expect; sets the relevant environment variables to reflect that session.

Once I'm done with my various shitposting-related tasks, I either have to manually (or via a crappy shell script) unset those variables (lest I inadvertently do some production work in a shitposting environment) or else close the shell.

A better approach would be to have a command that explicitly unsets those environment variables and returns my env to its pristine state. I nominate assume not as the command name.

got a "fork/exec : no such file or directory" message since 0.1.6 release

I'm using the Linux desktop environment on Ubuntu 20.04.

I use these config profiles on it.

[profile temp-cred]
region = ap-northeast-2
output = json
credential_process = python /home/username/.aws/get-temp-credentials.py --device arn:aws:iam::000000000000:mfa/mydevice --otpkey (MFA_SECRET_KEY) --profile default

[profile myassume]
region=ap-northeast-2
source_profile = temp-cred
role_arn = arn:aws:iam::1111111111111:role/myassume
output = json

get-temp-credentials.py script from this repo

Then, for me, assume -c myassume worked until the 0.1.6 release. But I've run into this message since upgrading from the 0.1.6 release to the 0.1.8 release.

$ assume -c myassume                                                                                                                                                        1 ↵
fork/exec : no such file or directory

Granted hangs if Chrome is not found in the expected location

Reported via the Common Fate Community Slack:

Granted could not detect an existing installation of Chrome at known installation paths for your system.
If you have already installed this browser, you can specify the path to the executable manually.

After this the CLI is just waiting for input but I can't type anything in, it's just frozen.
I'm using Manjaro i3.
Granted is looking for /usr/bin/google-chrome but my chrome installation exists at /usr/bin/google-chrome-stable
Also, granted looks for /usr/bin/brave-browser while mine is /usr/bin/brave

As a workaround it is possible to symlink Chrome to /usr/bin/google-chrome, but we should detect this case and avoid hanging - ideally prompt the user to enter the path to their browser executable.

Increase lifetime of the session credential

Hey guys,

First of all, thank you for creating this tool! ❤️

My question is very simple, would it be possible to increase the lifetime of the session credential? By parameter it would be awesome!

For those who use the terminal during all day, it is a bit annoying to have to renew it all the time.

session credentials will expire 2022-02-25 08:21:14 +0000 WET

Cheers!

Feature Request: Custom environment variables

Being able to set (for example) the AWS_PROFILE environment variable rather than having to teach an ecosystem of tools to respect GRANTED_AWS_PROFILE / write a shim that does it for me would be swell!

Updating region in console doesn't reflect Firefox profile name

From user @joe Tavin in Slack:

Running on granted v 0.15 using Firefox
❯ granted browser
Granted is using FIREFOX. To change this run granted browser set.
❯ granted -v
...
Version: 0.1.5
When switching Region in a tab with the same profile, the tab does not update to reflect this
See screenshot

Chained roles not working with a credential process on the source profile

Users have reported that configurations such as the below fail with error

process provider error: failed to prepare command: command must not be empty

[profile profile-1]
region=us-east-1
credential_process=/usr/local/bin/gsts --aws-role-arn arn:aws:iam::XYZ:role/XYZ --idp-id XYZ --json --sp-id XYZ --username=XYZ
[profile profile-2]
source_profile = profile-1
role_arn =  arn:aws:iam::XYZ:role/XYZ
output = json
region = eu-west-1

This error looks to be caused by the credential_process assumer implementation attempting to use a credential process for the chained role, rather than fetching credentials for the first and using those to assume the second.
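
The ordering described above (fetch credentials for the source profile first, then use them to assume the chained role) sketched as an added Go example; it is not Granted's implementation. The config is the one from this report with its XYZ placeholders, the parser covers only the subset of the shared config format needed here, and the type and function names are hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Config from the report above (identifiers are the report's own XYZ placeholders).
const sampleConfig = `
[profile profile-1]
region=us-east-1
credential_process=/usr/local/bin/gsts --aws-role-arn arn:aws:iam::XYZ:role/XYZ --idp-id XYZ --json --sp-id XYZ --username=XYZ
[profile profile-2]
source_profile = profile-1
role_arn =  arn:aws:iam::XYZ:role/XYZ
output = json
region = eu-west-1
`

// step is one credential operation, listed in the order it must run.
type step struct {
	Profile string
	Method  string // "credential_process", "sso" or "assume_role"
	Detail  string // command, start URL or role ARN
}

// parseProfiles reads the subset of the shared config format used here.
func parseProfiles(text string) map[string]map[string]string {
	profiles := map[string]map[string]string{}
	var current map[string]string
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			name := strings.TrimSpace(strings.TrimPrefix(line[1:len(line)-1], "profile "))
			current = map[string]string{}
			profiles[name] = current
			continue
		}
		// Split on the first "=" only: credential_process values contain "=".
		kv := strings.SplitN(line, "=", 2)
		if current != nil && len(kv) == 2 {
			current[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	return profiles
}

// resolveChain walks source_profile links back to the base profile and returns
// the steps base-first, so only the base profile runs its credential source.
// Simplification: a profile that names itself as source_profile is reported as a cycle.
func resolveChain(profiles map[string]map[string]string, name string) ([]step, error) {
	var roles []step
	seen := map[string]bool{}
	for cur := name; ; {
		p, ok := profiles[cur]
		if !ok {
			return nil, fmt.Errorf("profile %q not found", cur)
		}
		if seen[cur] {
			return nil, fmt.Errorf("source_profile cycle at %q", cur)
		}
		seen[cur] = true
		if src, chained := p["source_profile"]; chained {
			if p["role_arn"] == "" {
				return nil, fmt.Errorf("profile %q has source_profile but no role_arn", cur)
			}
			roles = append([]step{{cur, "assume_role", p["role_arn"]}}, roles...)
			cur = src
			continue
		}
		switch {
		case p["credential_process"] != "":
			return append([]step{{cur, "credential_process", p["credential_process"]}}, roles...), nil
		case p["sso_start_url"] != "":
			return append([]step{{cur, "sso", p["sso_start_url"]}}, roles...), nil
		}
		return nil, fmt.Errorf("profile %q has no credential source", cur)
	}
}

func main() {
	chain, err := resolveChain(parseProfiles(sampleConfig), "profile-2")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for i, s := range chain {
		fmt.Printf("%d. %-18s %-10s %s\n", i+1, s.Method, s.Profile, s.Detail)
	}
}
```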

assume not working with chained roles

Hi,

first of all, thanks for this great tool, since I jump around between dozens of AWS accounts each day this is really a great addition!

When trying to use a combination of an assume-role chained with an AWS SSO auth, I get an error:

My ~/.aws/config contains this:

[profile jump-account]
sso_start_url = https://REDACTED.awsapps.com/start/#
sso_region = eu-west-1
sso_account_id = FIRST-ACCOUNT-ID
sso_role_name = some-role
region = eu-west-1
output = json

[profile target-account]
source_profile = jump-account
role_arn =  arn:aws:iam::OTHER-ACCOUNT-ID:role/TargetRole
output = json
region = eu-west-1

When I first do an aws sso login --profile jump-account and then run a command like aws s3 ls --profile target-account, everything works.

When I try to do this using assume, I get:

bsh ❯  assume jump-account

[jump-account](eu-west-1) session credentials will expire 2022-03-15 20:29:39 +0100 CET

bsh ❯ assume target-account
operation error STS: AssumeRole, https response error StatusCode: 400, RequestID: 2aa7685d-04ac-406a-a2a7-ee4f48b196db, api error ValidationError: 1 validation error detected: Value '' at 'tokenCode' failed to satisfy constraint: Member must have length greater than or equal to 6

Some things to add:

  • the role in the target account (arn:aws:iam::OTHER-ACCOUNT-ID:role/TargetRole) can be assumed by the role setup for AWS SSO, of course
  • AWS SSO is setup in the jump-account (FIRST-ACCOUNT-ID)

Is this case supposed to work, or just not supported (yet)?

Please let me know if there is anything I can help you with - apparently, this would resolve the one thing left to fully rely on this nice setup!

Panic on starting

Error

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x4430458]

goroutine 1 [running]:
github.com/common-fate/granted/pkg/cfaws.(*uninitCFSharedConfig).init(0x46211c0, 0xc000213078)
        /Users/runner/work/granted-cli-build/granted-cli-build/granted/pkg/cfaws/profiles.go:88 +0x18
github.com/common-fate/granted/pkg/cfaws.(*uninitCFSharedConfig).init(0xc000110690, 0xc000213078)
        /Users/runner/work/granted-cli-build/granted-cli-build/granted/pkg/cfaws/profiles.go:98 +0x8e
github.com/common-fate/granted/pkg/cfaws.GetProfilesFromDefaultSharedConfig({0x47c6130, 0xc00019a010})
        /Users/runner/work/granted-cli-build/granted-cli-build/granted/pkg/cfaws/profiles.go:71 +0x169
github.com/common-fate/granted/pkg/assume.AssumeCommand(0xc0001a7a80)
        /Users/runner/work/granted-cli-build/granted-cli-build/granted/pkg/assume/assume.go:28 +0x151
github.com/common-fate/granted/pkg/assume.GetCliApp.func2(0x2)
        /Users/runner/work/granted-cli-build/granted-cli-build/granted/pkg/assume/entrypoint.go:39 +0x19
github.com/common-fate/granted/pkg/updates.WithUpdateCheck.func1(0xc0001a7a80)
        /Users/runner/work/granted-cli-build/granted-cli-build/granted/pkg/updates/updates.go:69 +0x110
github.com/urfave/cli/v2.(*App).RunContext(0xc0002d44e0, {0x47c6130, 0xc00019a010}, {0xc00019c000, 0x2, 0x2})
        /Users/runner/go/pkg/mod/github.com/urfave/cli/[email protected]/app.go:322 +0x7a8
github.com/urfave/cli/v2.(*App).Run(...)
        /Users/runner/go/pkg/mod/github.com/urfave/cli/[email protected]/app.go:224
main.main()
        /Users/runner/work/granted-cli-build/granted-cli-build/granted/cmd/assume/main.go:14 +0x45

Version (OS as well)

Version: 0.1.5
Darwin xxx 20.6.0 Darwin Kernel Version 20.6.0: Wed Jun 23 00:26:31 PDT 2021; root:xnu-7195.141.2~5/RELEASE_X86_64 x86_64 (Big Sur)

managed to choose browser (Firefox), installed addon, added shell alias, any calling like assume <profile or not> ends up with above.

Panic on assume profile

On MacOS Monterey 12.2.1

Trying to get setup and running, getting this runtime error

❯ assume -c <MY_PROFILE_NAME>

If browser is not opened automatically, please open link:
https://device.sso.<REGION>/?user_code=<CODE>

Awaiting authentication in the browser...
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x0 pc=0x102716644]

goroutine 1 [running]:
github.com/99designs/keyring.(*fileKeyring).unlock(0x14000523f50)
	/Users/runner/go/pkg/mod/github.com/99designs/[email protected]/file.go:70 +0xa4
github.com/99designs/keyring.(*fileKeyring).Set(0x14000523f50, {{0x14000138510, 0x24}, {0x140000d3080, 0x522, 0x580}, {0x0, 0x0}, {0x0, 0x0}, ...})
	/Users/runner/go/pkg/mod/github.com/99designs/[email protected]/file.go:139 +0x98
github.com/common-fate/granted/pkg/credstore.Store({0x14000138510, 0x24}, {0x102a35200, 0x14000523c20})
	/Users/runner/work/granted-cli-build/granted-cli-build/granted/pkg/credstore/credstore.go:35 +0xdc
github.com/common-fate/granted/pkg/cfaws.StoreSSOToken({0x14000138510, 0x24}, {{0x140002aa000, 0x4e4}, {0xc07f0821e6770008, 0x1a335582abcd, 0x102edb240}})
	/Users/runner/work/granted-cli-build/granted-cli-build/granted/pkg/cfaws/secure_token_storage.go:32 +0x64
github.com/common-fate/granted/pkg/cfaws.(*CFSharedConfig).SSOLogin(0x140001741e0, {0x102accc70, 0x140001aa010})
	/Users/runner/work/granted-cli-build/granted-cli-build/granted/pkg/cfaws/sso.go:61 +0x1ac
github.com/common-fate/granted/pkg/cfaws.(*CFSharedConfig).Assume(0x140001741e0, {0x102accc70, 0x140001aa010})
	/Users/runner/work/granted-cli-build/granted-cli-build/granted/pkg/cfaws/profiles.go:190 +0x1d8
github.com/common-fate/granted/pkg/assume.AssumeCommand(0x140001a9ac0)
	/Users/runner/work/granted-cli-build/granted-cli-build/granted/pkg/assume/assume.go:88 +0x610
github.com/common-fate/granted/pkg/updates.WithUpdateCheck.func1(0x140001a9ac0)
	/Users/runner/work/granted-cli-build/granted-cli-build/granted/pkg/updates/updates.go:69 +0xc8
github.com/urfave/cli/v2.(*App).RunContext(0x140002b6820, {0x102accc70, 0x140001aa010}, {0x14000192180, 0x3, 0x3})
	/Users/runner/go/pkg/mod/github.com/urfave/cli/[email protected]/app.go:322 +0x6e8
github.com/urfave/cli/v2.(*App).Run(...)
	/Users/runner/go/pkg/mod/github.com/urfave/cli/[email protected]/app.go:224
main.main()
	/Users/runner/work/granted-cli-build/granted-cli-build/granted/cmd/assume/main.go:13 +0x60

Couple of things in my setup I could think of:

  1. I was using ssocreds
  2. Was logged in and connected in browser
  3. Was trying to switch default browser from Brave to Firefox, and despite changing and restarting Terminal (iterm2) did not change and start Firefox rather still opens Brave, although output of granted browser command still shows Firefox...
❯ granted browser
Granted is using FIREFOX. To change this run `granted browser set`.

Things I tried but issue still persists

  1. aws sso logout

[Feature request] One-liner command execution with `--exec`

From the Common Fate Community Slack:

Does assume take a profile argument and then execute a single command given? This would rock for use in shell scripts. for PROFILE in $(cat profile_list.txt); do assume $PROFILE --exec COMMAND_OR_SHELL_SCRIPT; done would be great.

We should add a --exec flag which allows a command to be passed through to be executed as the profile.

Utilise SAML providers cached credentials

Users using custom SAML workflows are running into issues when they have already assumed roles and have credentials.
Granted will always attempt to request new credentials when it should be looking up the cached ones.
#48

Firefox Dev Edition

Hey all, are there specific instructions for using Granted with FF Dev Edition?

Problems with Assuming roles with MFA

Hello, when I try to assume a role with MFA the following error occurs:
assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.

I think it's because the SDK doesn’t automatically set the AssumeRoleTokenProvider with a default value. This is because of the risk of halting an application unexpectedly while the token provider waits for a nonexistent user to provide a value due to a configuration change. You must set this value to use MFA roles with the SDK.

Cannot assume IAM profiles on windows

On behalf of a slack user.

In Windows powershell, Granted fails to launch the console with either an IAM profile with credentials in the .credentials file or a profile in the .config file which references a source_profile

e.g

config

[profile creds]
region = ap-southeast-2

[profile dev]
region = ap-southeast-2
source_profile = creds

credentials

[creds]
aws_access_key_id=
aws_secret_access_key=

Granted does not find the active role on fish

Granted doesn't find the active role when using fish shell using the --active-role or -ar flag, to open a console for the role you are currently in.

To reproduce:

❯ assume PROFILE
❯ assume --active-role
Attempting to open using active role...

? Please select the profile you would like to assume:  [Use arrows to move, type to filter]
> PROFILE_1
   PROFILE_2

Role assume error - No role found

Hi team! I am trying the assume -c command and I am getting this error:

operation error STS: AssumeRole, failed to sign request: failed to retrieve credentials: no EC2 IMDS role found, operation error ec2imds: GetMetadata, request canceled, context deadline exceeded

From slack user Elijah

Running version: v0.1.5
OS: MacOS 12.0.1

Keychain backend not working on darwin/arm64 (aka M1) Macs

Describe the bug

Even though I am using macOS, I noticed assume would not save SSO tokens into keychain which from the documentation appeared to be the default.

To Reproduce

I forced assume to use the keychain keyring backend via config:

DefaultBrowser = "BRAVE"
CustomBrowserPath = "/Applications/Brave Browser.app/Contents/MacOS/Brave Browser"
LastCheckForUpdates = 4
[Keyring]
Backend = "keychain"
Debug = true

Next I ran an assume with the --verbose flag and observed the keychain was not available as a backend:

❯ assume -c -r us-west-2 --verbose xxxx-staging
DEBUG: starting update check
2022/04/14 15:08:55 [keyring] Considering backends: [keychain]
DEBUG: GetValidCachedToken: opening keyring: Specified keyring backend not available
If browser is not opened automatically, please open link:
https://device.sso.us-east-1.amazonaws.com/?user_code=XXXX-XXXX

Awaiting authentication in the browser...
2022/04/14 15:08:59 [keyring] Considering backends: [keychain]
DEBUG: writing sso token to credentials cache: opening keyring: Specified keyring backend not available

ℹ️  use -s to open a specific service (https://docs.commonfate.io/granted/usage/console)

Opening a console for xxxx-staging in your browser...

Expected behavior

As I am on macOS, I expect assume to save the SSO token in the keychain keyring backend by default.

Actual behavior

assume falls back to the file keyring backend which works BUT forces me to enter a passphrase each time:

❯ assume -c -r us-west-2 --verbose xxxx-staging
DEBUG: starting update check
2022/04/14 15:28:13 [keyring] Considering backends: [pass file]
2022/04/14 15:28:13 [keyring] Failed backend pass: The pass program is not available
? Enter passphrase to unlock "/Users/schisamo/.granted/cred-store"

Version Info

  • MacBook Pro (16-inch, 2021) / Apple M1 Pro
  • macOS 12.3.1 Monterey
  • Assume 0.1.14

Some of your credentials are missing. Please contact your administrator.

Hey guys,

I would like to try your product cause it looks awesome but I spent a few hours struggling with this weird AWS error. Any ideas what's wrong?

Error:

Some of your credentials are missing. Please contact your administrator.

AWS config (account number changed):

[profile tga]
region = us-west-1
[profile tga-assume]
region = us-west-1
source_profile = tga
role_arn = arn:aws:iam::123321:role/AdministratorRole

AWS credentials (keys changed):

[tga]
aws_access_key_id = ABC
aws_secret_access_key = DEF
[tga-assume]
aws_access_key_id = ABC
aws_secret_access_key = DEF
