Comments (10)
Thanks for your help in isolating the root cause here, we have a few threads going at the moment discussing this in our community slack as well.
We isolated the likely cause to a change in our release pipeline and we are currently working to identify what the cause is.
from granted.
Hi @JoshuaWilkes, thank you for looking into this.
I agree, it's not related to the code changes. But I don't think the build environment is involved either. It's rather Homebrew + keychain or just keychain access. Here is what I tried to isolate the problem:
1. Roll back to v0.23.2 in Homebrew: The first thing I tried, and it worked.
2. Build v0.24.0 from the sources: I did something similar to @citosid but performed all the steps manually:
go build -o ./bin/dgranted cmd/granted/main.go
ln -s $(pwd)/bin/dgranted ~/.local/bin
dgranted credential-process --profile <PROFILE> --auto-login
# {"Version":1,"AccessKeyId":"...","SecretAccessKey": "...", ...}
Running dgranted credential-process asked for access to the keychain and worked as expected. No errors or warnings in ~/.dgranted/log.
3. Use v0.24.0 binaries from the release:
curl -OL https://releases.commonfate.io/granted/v0.24.0/granted_0.24.0_darwin_x86_64.tar.gz
mkdir granted-bin
tar -xzf granted_0.24.0_darwin_x86_64.tar.gz -C granted-bin
ln -s $(pwd)/granted-bin/granted ~/.local/bin
granted credential-process --profile <PROFILE> --auto-login
# {"Version":1,"AccessKeyId":"...","SecretAccessKey": "...", ...}
Running granted credential-process asked for access to the keychain and worked as expected. No errors or warnings in ~/.granted/log. So the issue is not with the release binaries.
However, when I tried granted credential-process using v0.24.0 installed via Homebrew, it did not prompt for the keychain access and just failed with the "opening keyring" error.
Let me know if you'd like me to do more testing. I'm unfamiliar with how keychain works, so you might have to guide me.
from granted.
Hi all, we've set up a prerelease build pipeline to help diagnose the issue. If you're affected by this and could help test a new prerelease build that would be fantastic. This new build has CGO_ENABLED=1 set in the release process which I think could be part of the issue:
curl -OL https://releases.commonfate.io/granted/granted_0.24.1-prerelease_darwin_x86_64.tar.gz
sudo tar -zxvf ./granted_0.24.1-prerelease_darwin_x86_64.tar.gz -C /usr/local/bin/
ln -s /usr/local/bin/granted /usr/local/bin/assumego
If you're testing from a brew version you may need to uninstall it with brew uninstall granted. You can check which version you're running with which granted - the path should be /usr/local/bin/granted for the prerelease.
from granted.
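One way to test the CGO_ENABLED hypothesis from the comment above is to compare the build settings that Go embeds in each binary, as printed by `go version -m`. This is an added example, not code from the thread or from the Granted project; the helper names and the sample reports (Go version and setting values) are constructed for illustration and do not describe the actual Granted builds.

```sh
#!/bin/sh
# Added example: list Go build settings that differ between two binaries.
# Each input file holds the saved output of `go version -m <binary>`, e.g.
#   go version -m "$(which granted)" > installed.txt

# Print "KEY: a -> b" for every build setting that differs between $1 and $2.
diff_build_settings() {
  awk -F'\t' '
    # Build settings appear as "<TAB>build<TAB>KEY=VALUE"; skip everything else.
    $2 != "build" || index($3, "=") == 0 { next }
    { eq = index($3, "="); key = substr($3, 1, eq - 1); val = substr($3, eq + 1) }
    FNR == NR { a[key] = val; next }   # first file
    { b[key] = val }                   # second file
    END {
      for (k in a) {
        if (!(k in b)) print k ": " a[k] " -> (unset)"
        if ((k in b) && a[k] != b[k]) print k ": " a[k] " -> " b[k]
      }
      for (k in b) if (!(k in a)) print k ": (unset) -> " b[k]
    }
  ' "$1" "$2" | sort
}

# Hypothetical helper: write a constructed report ($1 = file, rest = settings).
write_report() {
  out=$1; shift
  { printf 'granted: go1.22.2\n'; printf '\tbuild\t%s\n' "$@"; } > "$out"
}

# Constructed sample data standing in for two saved reports.
tmp=$(mktemp -d)
write_report "$tmp/installed.txt"  "-buildmode=exe" "CGO_ENABLED=0" "GOARCH=amd64" "GOOS=darwin"
write_report "$tmp/prerelease.txt" "-buildmode=exe" "CGO_ENABLED=1" "GOARCH=amd64" "GOOS=darwin"
diff_build_settings "$tmp/installed.txt" "$tmp/prerelease.txt"
rm -rf "$tmp"
```
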
Great, thanks for all your help here @uvw @citosid! I'll close this as fixed in https://github.com/common-fate/granted/releases/tag/v0.25.0 which is being released now, but please reopen the issue if you encounter this again.
from granted.
Hi @uvw
I have tested out the latest release on my mac m3 pro and it appears to be working as expected.
I'm wondering if this is something related to our build environment, given that the keychain package has not been updated in some time.
Some steps that would help us to diagnose the issue further would be to try building from source on your machine.
If possible could you follow the steps in the contributing guide to build the cli then run dassume to test
from granted.
@JoshuaWilkes, I tried building locally and it works as expected:
[acruz@blinkin] ~/github/granted (main)
❯ dassume --verbose
[DEBUG] profile registry not configured. Skipping auto sync.
[DEBUG] process args execFlag: osargs:[dassumego,--verbose] c.args:[]
[DEBUG] processed profile name
[DEBUG] exec config:<nil>
[DEBUG] skipping profile with name my-account/Administrator - profile already defined in config
? Please select the profile you would like to assume: my-account/Administrator
[i] To assume this profile again later without needing to select it, run this command:
> assume my-account/Administrator --verbose
2024/05/01 08:54:46 [keyring] Considering backends: [keychain]
2024/05/01 08:54:46 [keyring] Querying keychain for service="granted-aws-sso-tokens", account="https://xxxx.awsxxxx.com/start", keychain="login.keychain"
2024/05/01 08:54:47 [keyring] No results found
[DEBUG] error retrieving IAM Identity Center token from secure storage: The specified item could not be found in the keyring
[i] If the browser does not open automatically, please open this link: https://device.sso.us-east-1.amazonaws.com/?user_code=JDKN-GLGK
[i] Awaiting AWS authentication in the browser
[i] You will be prompted to authenticate with AWS in the browser, then you will be prompted to 'Allow'
[i] Code: JDKN-GLGK
2024/05/01 08:54:54 [keyring] Considering backends: [keychain]
2024/05/01 08:54:54 [keyring] Checking keychain status
2024/05/01 08:54:54 [keyring] Keychain status returned nil, keychain exists
2024/05/01 08:54:54 [keyring] Keychain item trusts keyring
2024/05/01 08:54:54 [keyring] Adding service="granted-aws-sso-tokens", label="", account="https://xxxx.awsxxxx.com/start", trusted=true to osx keychain "login.keychain"
[✔] [my-account/Administrator](us-east-1) session credentials will expire in 12 hours
[acruz@blinkin] ~/github/granted (main)
from granted.
Another update. Running make cli-act-prod and allowing the binary to access the keychain fixes the issue as well.
So, in the meantime I'll be doing it like this. Hopefully a solution can be found for this problem. Sorry I cannot help debugging more... not really sure how to even replicate it.
from granted.
Thanks @chrnorm! Will try it later today and report back
from granted.
Great! I switched to this build and so far so good. Thank you, @chrnorm 👍
I also cleared all granted-* keychain items and CLI SSO cache beforehand to start from the blank slate.
from granted.
Thanks for your hard work @chrnorm! It works now as expected.
from granted.