Comments (8)
[profile AD/Foo/AdministratorAccess]
granted_sso_start_url = https://abc.awsapps.com/start
granted_sso_region = ca-central-1
granted_sso_account_id = 1234
granted_sso_role_name = AdministratorAccess
common_fate_generated_from = aws-sso
credential_process = granted credential-process --profile AD/Foo/AdministratorAccess
from granted.
Tested different versions, and this issue starts happening on v0.19.0.
from granted.
@moltar Could you also please send an example of a profile from ~/.aws/config that has this issue? Feel free to remove account ID and other sensitive data.
from granted.
@moltar I'm having a hard time replicating the error. Can you please run env | grep AWS and check if the AWS_REGION is set correctly, or share the behavior you are seeing? Also, do you have the same issue with v0.19.1? This might have fixed your issue.
from granted.
Can you please run env | grep AWS and check if the AWS_REGION is set correctly?
That's the thing - any command will reset the region, so running env will do it too.
Also, do you have the same issue with v0.19.1
Yes, happens on that version too.
from granted.
@moltar By any chance, do you have automatic reassume roles enabled? This runs every time you run a command in zsh and may be the cause of the problem. Also, can you please share your ~/.granted/config file?
from granted.
Yes, I do have that enabled. I assumed that was the issue, given that this was what was released or updated in later versions. But is that really the expected behaviour?
DefaultBrowser = "FIREFOX"
CustomBrowserPath = "/opt/homebrew/bin/firefox"
CustomSSOBrowserPath = ""
Ordering = ""
ExportCredentialSuffix = ""
[Keyring]
Backend = "keychain"
from granted.
Here's a quick TLDR of what I think the underlying issue here is, plus a longer explanation below.
TLDR: a change we made in #467 is causing the ZSH auto-reassume hook to trigger on every command:
assume --region us-west-1 my-profile
# then, immediately after, run another command:
ls
<- granted_auto_reassume zsh function is called immediately here
@moltar given that you are using the credential_process integration, could you please test switching off the ZSH automatic reassumption hook and let us know if your workflows still work? You can do this by removing the export GRANTED_ENABLE_AUTO_REASSUME=true line from your ~/.zshrc.
Longer explanation
I think the issue here is that #467 (which shipped in v0.19.0) has changed the behaviour so that the auto reassume hook here is being triggered on every command rather than when a session has expired. #467 changed the behaviour for profiles with a credential_process so that only AWS_PROFILE is exported, meaning the AWS CLI will automatically refresh session credentials without the need for any shell hooks. You can read about this in #263.
I think this is occurring because AWS_SESSION_EXPIRATION is no longer being set, so this check might fail, causing assume to be re-executed each time a shell command is run.
The change we made in #467 should negate the need to use the ZSH auto-reassumption hook altogether. We'll update our documentation to clarify this. I'll leave this issue open until we deal with the fact that the hook is being called repeatedly, and also that when the hook is called it doesn't respect the existing AWS_REGION environment variable.
from granted.
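A minimal model of the failure described in the last comment, added here as an illustration and not taken from Granted's hook code: an expiry check that treats an unset AWS_SESSION_EXPIRATION as expired fires on every prompt, while a guarded check skips it and the rebuilt command carries over the existing AWS_REGION. The function names and the fixed UTC timestamp format are assumptions.

```shell
#!/bin/sh
# Added illustration; hypothetical function names, not Granted's hook code.
# Assumes expiry timestamps are UTC in the form YYYY-MM-DDTHH:MM:SSZ, which
# sort lexicographically in chronological order.

# Naive decision: a missing AWS_SESSION_EXPIRATION counts as "expired".
# $1 = current time. Returns 0 when the hook would re-run assume.
naive_should_reassume() {
    exp=${AWS_SESSION_EXPIRATION:-}
    if [ -z "$exp" ]; then
        return 0    # fires on every prompt for credential_process profiles
    fi
    expr "x$exp" \<= "x$1" >/dev/null
}

# Guarded decision: with no expiry exported there is nothing for the hook to
# refresh (the AWS CLI refreshes credential_process profiles itself), and an
# unparseable value must not turn into a reassume loop either.
guarded_should_reassume() {
    exp=${AWS_SESSION_EXPIRATION:-}
    [ -n "$exp" ] || return 1
    case $exp in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z) ;;
        *) return 1 ;;
    esac
    expr "x$exp" \<= "x$1" >/dev/null
}

# Build the command a hook would run, keeping the region that is already in
# the environment instead of letting the reassume reset it.
reassume_command() {
    if [ -n "${AWS_REGION:-}" ]; then
        printf 'assume --region %s %s\n' "$AWS_REGION" "$AWS_PROFILE"
    else
        printf 'assume %s\n' "$AWS_PROFILE"
    fi
}
```
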