IAM + MFA does not work after adding credentials to the granted keyring about granted HOT 13 CLOSED

Just to add some context, this was fixed with #429 because I had a similar issue, it could even be the same issue

The work done on that PR is now refactored and merged with #474, which reintroduced the issue for me.

The issue is that:

Assumes that if credentials are stored in secure storage it's good to go, but it should still consider the case of MFA in that block and ask for it. Which is what #429 did

from granted.

i've browsed through the code and i think i have a few ideas where the process might be going wrong:

• either the creds.canExpire() somehow returns an incorrect value and assumes that an AWS Access Key + secret pair is always valid even without an MFA key
• or the pkg/cfaws/assumer_aws_credential_process.go file has an error in its logic.

i assume pkg/cfaws/assumer_aws_iam.go is correct as it does work correctly when not using the credential process.

@shwethaumashanker let me know if i can help in debugging. i'm not familiar with go but i'm a developer so i can be of help.

from granted.

my bad for not executing brew update before brew upgrade. 😄 will test 0.20.3 tomorrow as i already have a valid token for today.

from granted.

Hey @shwethaumashanker 👋🏾

It is working for me. Thanks so much.

from granted.

I can also confirm it's working. Thank you @shwethaumashanker for the speedy fix!

from granted.

See #405 (comment) -- that issue is closed but the issue itself is still present. My biggest concern is that we cannot use granted without MFA, but we cannot use granted safely with the cleartext secrets.

from granted.

There is a very convoluted workaround, tho, once the credentials are encrypted:

assume base --export
# comment out credential_process line in ~/.aws/config
granted cache clear
# choose session and base
assume base
# will ask for MFA
# empty out ~/.aws/credentials

But to do this every day... 🤣

from granted.

Thank you so much for reporting the issue and providing the additional context, @subpardaemon. I'm working on replicating and debugging the issue. I'll keep you informed once I have any updates 😁

from granted.

@shwethaumashanker let me know if i can help. If there is a debug mode in the app, generating logs, i'm more than happy to use it and send you the results. I can also debug the environment variables, etc.

from granted.

any progress regarding this? my team has a commitment to migrate to granted, and this is a blocking issue. let me know if i can help with this.

from granted.

Hi @subpardaemon, I apologize for the delay. Thank you for using Granted and recommending it to your team. I am able to replicate the error. I've encountered some unexpected hurdles during debugging, but I'm working on resolving it

from granted.

@subpardaemon @mfzl, v0.20.3 includes the fix for this issue. Please let us know if it works for you!

from granted.

@subpardaemon @mfzl, v0.20.3 includes the fix for this issue. Please let us know if it works for you!

do you know when 0.20.3 is expected to hit brew? i did an upgrade this morning but it only got me to 0.20.2 from 0.20.0.

from granted.