
Comments (8)

moltar commented on June 12, 2024
[profile AD/Foo/AdministratorAccess]
granted_sso_start_url      = https://abc.awsapps.com/start
granted_sso_region         = ca-central-1
granted_sso_account_id     = 1234
granted_sso_role_name      = AdministratorAccess
common_fate_generated_from = aws-sso
credential_process         = granted credential-process --profile AD/Foo/AdministratorAccess

moltar commented on June 12, 2024

Tested different versions, and this issue starts happening on v0.19.0.

shwethaumashanker commented on June 12, 2024

@moltar Could you also please send an example of a profile from ~/.aws/config that has this issue? Feel free to remove account ID and other sensitive data.

shwethaumashanker commented on June 12, 2024

@moltar I'm having a hard time replicating the error. Can you please run env | grep AWS and check if the AWS_REGION is set correctly, or share the behavior you are seeing? Also, do you have the same issue with v0.19.1? This might have fixed your issue.

moltar commented on June 12, 2024

> Can you please run env | grep AWS and check if the AWS_REGION is set correctly?

That's the thing - any command will reset the region, so running env will do it too.

> Also, do you have the same issue with v0.19.1

Yes, happens on that version too.

shwethaumashanker commented on June 12, 2024

@moltar By any chance, do you have automatic reassume roles enabled? This runs every time you run a command in zsh and may be the cause of the problem. Also, can you please share your ~/.granted/config file?

moltar commented on June 12, 2024

Yes, I do have that enabled. I assumed that was the issue, given that this was what was released or updated in later versions. But is that really the expected behaviour?


DefaultBrowser = "FIREFOX"
CustomBrowserPath = "/opt/homebrew/bin/firefox"
CustomSSOBrowserPath = ""
Ordering = ""
ExportCredentialSuffix = ""

[Keyring]
  Backend = "keychain"

chrnorm commented on June 12, 2024

Here's a quick TLDR of what I think the underlying issue here is, plus a longer explanation below.

TLDR: a change we made in #467 is causing the ZSH auto-reassume hook to trigger on every command:

assume --region us-west-1 my-profile

# then, immediately after, run another command:
ls
<- granted_auto_reassume zsh function is called immediately here

@moltar given that you are using the credential_process integration, could you please test switching off the ZSH automatic reassumption hook and let us know if your workflows still work? You can do this by removing the export GRANTED_ENABLE_AUTO_REASSUME=true line from your ~/.zshrc.

Longer explanation

I think the issue here is that #467 (which shipped in v0.19.0) has changed the behaviour so that the auto reassume hook here is being triggered on every command rather than when a session has expired. #467 changed the behaviour for profiles with a credential_process so that only AWS_PROFILE is exported, meaning the AWS CLI will automatically refresh session credentials without the need for any shell hooks. You can read about this in #263.

I think this is occurring because AWS_SESSION_EXPIRATION is no longer being set, so this check might fail, causing assume to be re-executed each time a shell command is run.

The change we made in #467 should negate the need to use the ZSH auto-reassumption hook altogether. We'll update our documentation to clarify this. I'll leave this issue open until we deal with the fact that the hook is being called repeatedly, and also that when the hook is called it doesn't respect the existing AWS_REGION environment variable.
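
The failure mode described in the comment above, as an added example that is not part of the original thread and is not granted's actual hook: a hypothetical expiry check that treats an unset AWS_SESSION_EXPIRATION as expired fires before every prompt, while a guarded variant skips profiles that export only AWS_PROFILE and carries over an existing AWS_REGION. All function names and the sample timestamps are constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not the granted project's hook; all function names are hypothetical.

# Turn a UTC ISO 8601 timestamp (2024-06-12T10:00:00Z) into a comparable integer.
# Assumption: whole-second UTC timestamps, as in the constructed samples below.
ts_to_int() { printf '%s' "$1" | tr -cd '0-9' | cut -c1-14; }

# Naive check: a missing AWS_SESSION_EXPIRATION counts as "expired".
naive_needs_reassume() {  # $1 = current time
  [ -z "${AWS_SESSION_EXPIRATION:-}" ] && return 0
  [ "$(ts_to_int "$AWS_SESSION_EXPIRATION")" -le "$(ts_to_int "$1")" ]
}

# Guarded check: only AWS_PROFILE exported (credential_process mode) means the
# AWS CLI refreshes credentials itself, so the hook has nothing to do.
guarded_needs_reassume() {  # $1 = current time
  if [ -z "${AWS_SESSION_EXPIRATION:-}" ] && [ -z "${AWS_ACCESS_KEY_ID:-}" ] \
     && [ -n "${AWS_PROFILE:-}" ]; then
    return 1
  fi
  naive_needs_reassume "$1"
}

# Build the re-assume command line, carrying over an AWS_REGION already set.
reassume_command() {
  if [ -n "${AWS_REGION:-}" ]; then
    printf 'assume --region %s %s\n' "$AWS_REGION" "$AWS_PROFILE"
  else
    printf 'assume %s\n' "$AWS_PROFILE"
  fi
}

# Simulate three prompts (constructed times) and count how often a check fires.
count_fires() {  # $1 = name of the check function
  fires=0
  for now in 2024-06-12T10:00:00Z 2024-06-12T10:00:05Z 2024-06-12T10:00:10Z; do
    if "$1" "$now"; then fires=$((fires + 1)); fi
  done
  printf '%s\n' "$fires"
}
```

With only AWS_PROFILE and AWS_REGION set, `count_fires naive_needs_reassume` reports a re-assume on every simulated prompt, and `count_fires guarded_needs_reassume` reports none.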
