Comments (13)
Just to add some context: this was fixed with #429 because I had a similar issue; it could even be the same issue.
The work done on that PR is now refactored and merged with #474, which reintroduced the issue for me.
The issue is that:
granted/pkg/cfaws/assumer_aws_iam.go
Lines 25 to 28 in fcb95bb
Assumes that if credentials are stored in secure storage it's good to go, but it should still consider the case of MFA in that block and ask for it, which is what #429 did.
from granted.
I've browsed through the code and I think I have a few ideas where the process might be going wrong:
- either the creds.canExpire() somehow returns an incorrect value and assumes that an AWS Access Key + secret pair is always valid even without an MFA key
- or the pkg/cfaws/assumer_aws_credential_process.go file has an error in its logic.
I assume pkg/cfaws/assumer_aws_iam.go is correct as it does work correctly when not using the credential process.
@shwethaumashanker let me know if I can help in debugging. I'm not familiar with Go but I'm a developer so I can be of help.
from granted.
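The behaviour described in the two comments above, as an added Go sketch that is not Granted's code and not part of any comment. The `Profile` and `Creds` types and both functions are hypothetical, and the MFA serial is a constructed sample value.

```go
package main

import (
	"fmt"
	"time"
)

// Hypothetical model; these names are illustrative, not taken from Granted.
type Profile struct {
	Name      string
	MFASerial string // non-empty when the profile requires MFA
}

type Creds struct {
	CanExpire bool      // false for long-lived IAM user access keys
	Expires   time.Time // only meaningful when CanExpire is true
}

// buggyNeedsMFA models the reported behaviour: anything found in secure
// storage is treated as good to go, so the MFA check is never reached.
func buggyNeedsMFA(p Profile, stored *Creds, now time.Time) bool {
	if stored != nil {
		return false
	}
	return p.MFASerial != ""
}

// fixedNeedsMFA models the expected behaviour: on an MFA profile, only an
// unexpired session credential may skip the prompt. Long-lived keys from
// secure storage still need an MFA-backed session.
func fixedNeedsMFA(p Profile, stored *Creds, now time.Time) bool {
	if p.MFASerial == "" {
		return false
	}
	if stored != nil && stored.CanExpire && now.Before(stored.Expires) {
		return false // cached session credentials are still valid
	}
	return true
}

func main() {
	now := time.Now()
	// Constructed sample input: an MFA profile with long-lived keys in storage.
	p := Profile{Name: "base", MFASerial: "arn:aws:iam::111122223333:mfa/example"}
	stored := &Creds{CanExpire: false}
	fmt.Println("buggy prompts for MFA:", buggyNeedsMFA(p, stored, now))
	fmt.Println("fixed prompts for MFA:", fixedNeedsMFA(p, stored, now))
}
```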
My bad for not executing brew update before brew upgrade. 😄 Will test 0.20.3 tomorrow as I already have a valid token for today.
from granted.
Hey @shwethaumashanker 👋🏾
It is working for me. Thanks so much.
from granted.
I can also confirm it's working. Thank you @shwethaumashanker for the speedy fix!
from granted.
See #405 (comment) -- that issue is closed but the issue itself is still present. My biggest concern is that we cannot use granted without MFA, but we cannot use granted safely with the cleartext secrets.
from granted.
There is a very convoluted workaround, tho, once the credentials are encrypted:
assume base --export
# comment out credential_process line in ~/.aws/config
granted cache clear
# choose session and base
assume base
# will ask for MFA
# empty out ~/.aws/credentials
But to do this every day... 🤣
from granted.
Thank you so much for reporting the issue and providing the additional context, @subpardaemon. I'm working on replicating and debugging the issue. I'll keep you informed once I have any updates 😁
from granted.
@shwethaumashanker let me know if I can help. If there is a debug mode in the app, generating logs, I'm more than happy to use it and send you the results. I can also debug the environment variables, etc.
from granted.
Any progress regarding this? My team has a commitment to migrate to granted, and this is a blocking issue. Let me know if I can help with this.
from granted.
Hi @subpardaemon, I apologize for the delay. Thank you for using Granted and recommending it to your team. I am able to replicate the error. I've encountered some unexpected hurdles during debugging, but I'm working on resolving it.
from granted.
@subpardaemon @mfzl, v0.20.3 includes the fix for this issue. Please let us know if it works for you!
from granted.
> @subpardaemon @mfzl, v0.20.3 includes the fix for this issue. Please let us know if it works for you!

Do you know when 0.20.3 is expected to hit brew? I did an upgrade this morning but it only got me to 0.20.2 from 0.20.0.
from granted.