
Unable to decrypt credentials file when using pass backend #1230

Open
3 tasks done
doolio opened this issue Nov 17, 2023 · 4 comments

Comments

@doolio

doolio commented Nov 17, 2023

  • I am using the latest release of AWS Vault

Yes, v7.2.0 installed via asdf.

$ aws-vault --version
v7.2.0

  • I have provided my .aws/config (redacted if necessary)

AWS_CONFIG_FILE="${XDG_CONFIG_HOME}/aws/config"

[default]
region = us-east-1
output = json

[profile iamadmin-saa-mgmt]

[profile iamadmin-saa-prod]

I also have the following environment variables set:

AWS_VAULT_BACKEND="pass"
AWS_VAULT_PASS_PREFIX="aws-vault"  # set because I already have an existing password-store

My profile credentials are stored in

~/.password-store/aws-vault/iamadmin-saa-mgmt
~/.password-store/aws-vault/iamadmin-saa-prod

$ aws-vault list
Profile                  Credentials              Sessions                 
=======                  ===========              ========                 
default                  -                        -                        
iamadmin-saa-mgmt        iamadmin-saa-mgmt        -                        
iamadmin-saa-prod        iamadmin-saa-prod        -                        

  • I have provided the debug output using aws-vault --debug (redacted if necessary)

[image attachment: aws-vault --debug output]

I checked #686 and I already had $GPG_TTY=$(tty) set and exported, so it is not the same issue. My primary GPG key is stored on a Trezor Model T and I am prompted on it when I need to decrypt a file in my password-store. This works well when not using aws-vault, because my password-store was initialised with my Trezor-based GPG identity.

However, you can see from the aws-vault command output above that it is not working when aws-vault is in the loop. What is the significance of the --prompt flag? I understand from #1185 that one used to be able to set this to "pass". Could the removal of this option be why I don't get prompted on my hardware-based token?

I don't think the mfa_process option will work, as I'm not using pass to generate an OTP. I have MFA access set up on my two profiles and am using a software-based MFA device. If I include the mfa_serial identifier in my profile I get prompted to enter the OTP, but it still doesn't work.

Any ideas? Thanks for your time.

@dil-mezzy

Same for me, I get the error below:

gpg: XXXXXXXXXXXXXXXXXXXXXXXXX: skipped: No public ke
gpg: [stdin]: encryption failed: No public key
Password encryption aborted.
aws-vault: error: exec: Failed to get credentials for dil-icompass-dev: exit status 1

@doolio
Author

doolio commented Nov 20, 2023

Despite what I stated above, I think this is somehow related to #686. I think aws-vault creates a subshell (for some or all of its subcommands?) where, for whatever reason, the setting of GPG_TTY is not inherited and so returns "not a tty".
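The hypothesis above is about environment inheritance: aws-vault's pass backend runs pass (and through it gpg and pinentry) as a child process, so a GPG_TTY that exists only as a shell variable, without export, never reaches that child. The following is an added diagnostic script, not code from aws-vault or from anyone in this thread. It spawns a child with sh -c, the way a tool that shells out would, and reports whether the child sees GPG_TTY. The value /dev/pts/9 is a constructed placeholder, not a real terminal.

```shell
#!/bin/sh
# Added diagnostic (not part of aws-vault or this issue): does a child
# process see GPG_TTY? Only an *exported* variable lands in the child's
# environment, which is what pass/gpg/pinentry need to find the terminal.

# Returns 0 if a freshly spawned child process sees a non-empty GPG_TTY,
# 1 otherwise.
gpg_tty_visible_to_child() {
    child_value=$(sh -c 'printf "%s" "${GPG_TTY:-}"')
    [ -n "$child_value" ]
}

# Returns 0 if the child's GPG_TTY is non-empty and equals the value the
# parent shell holds, 1 otherwise.
gpg_tty_matches_parent() {
    child_value=$(sh -c 'printf "%s" "${GPG_TTY:-}"')
    [ -n "$child_value" ] && [ "$child_value" = "${GPG_TTY:-}" ]
}

# Walk through the three states a user's shell can be in. The tty path
# below is a constructed placeholder; on a real system use GPG_TTY=$(tty).
demo() {
    unset GPG_TTY
    if gpg_tty_visible_to_child; then
        echo "1. unset: unexpected, child saw a value"
    else
        echo "1. unset: child sees nothing"
    fi

    GPG_TTY=/dev/pts/9           # shell variable only, NOT exported
    if gpg_tty_visible_to_child; then
        echo "2. assigned but not exported: unexpected, child saw a value"
    else
        echo "2. assigned but not exported: child still sees nothing"
    fi

    export GPG_TTY               # now part of the environment
    if gpg_tty_matches_parent; then
        echo "3. exported: child sees $GPG_TTY"
    else
        echo "3. exported: unexpected, child did not see the value"
    fi
}

demo
```

Running this in the same shell you start aws-vault from tells you whether the variable is actually exported before you look for the fault elsewhere; the export GPG_TTY="$(tty)" line quoted later in this thread is the form that makes state 3 true.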

@dil-mezzy

Changed AWS_VAULT_BACKEND=pass to AWS_VAULT_BACKEND=file and it worked.

Command =

export AWS_VAULT_BACKEND=file
export GPG_TTY="$( tty )"

@doolio
Author

doolio commented Nov 24, 2023

changed AWS_VAULT_BACKEND=pass to AWS_VAULT_BACKEND=file and it worked.

[image attachment]

Not for me, but I'm not surprised. How is this then using pass as the backend?
