Sessions not working on Termux #647

Closed
3 tasks done
baztian opened this issue Sep 1, 2020 · 16 comments · Fixed by #649

baztian commented Sep 1, 2020

I have installed aws-vault in https://termux.com/ on my Android tablet. Unfortunately sessions are not working. If I run aws-vault with the --no-session parameter everything is working correctly.

Running the exact same configuration as below works well on my Linux laptop.

[default]
output=json
region=eu-central-1

[profile admin]
mfa_serial=arn:aws:iam::xxx:mfa/Administrator



$ aws-vault --debug exec admin -- aws sts get-caller-identity
2020/08/31 19:42:45 aws-vault v5.4.4
2020/08/31 19:42:45 [keyring] Considering backends: [pass file]
2020/08/31 19:42:45 [keyring] Failed backend pass: The pass program is not available
2020/08/31 19:42:45 Loading config file /data/data/com.termux/files/home/.aws/config
2020/08/31 19:42:45 Parsing config file /data/data/com.termux/files/home/.aws/config
2020/08/31 19:42:45 [keyring] Expanded file dir to /data/data/com.termux/files/home/.awsvault/keys/
2020/08/31 19:42:45 profile admin: using stored credentials
2020/08/31 19:42:45 profile admin: using GetSessionToken (with MFA)
2020/08/31 19:42:45 Looking for sessions for admin
2020/08/31 19:42:45 Looking up all keys in keyring
2020/08/31 19:42:45 [keyring] Expanded file dir to /data/data/com.termux/files/home/.awsvault/keys/
Enter token for arn:aws:iam::xxx:mfa/Administrator: 140925
2020/08/31 19:42:56 Looking up keyring for 'admin'
2020/08/31 19:42:56 [keyring] Expanded file dir to /data/data/com.termux/files/home/.awsvault/keys/
2020/08/31 19:42:56 [keyring] Expanded file dir to /data/data/com.termux/files/home/.awsvault/keys/
Enter passphrase to unlock /data/data/com.termux/files/home/.awsvault/keys/: 
aws-vault: error: exec: Failed to get credentials for admin: RequestError: send request failed
caused by: Post "https://sts.amazonaws.com/": dial tcp: lookup sts.amazonaws.com on [::1]:53: read udp [::1]:51539->[::1]:53: read: connection refused

$ aws-vault --debug exec --no-session admin -- aws sts get-caller-identity
2020/08/31 19:42:05 aws-vault v5.4.4
2020/08/31 19:42:05 [keyring] Considering backends: [pass file]
2020/08/31 19:42:05 [keyring] Failed backend pass: The pass program is not available
2020/08/31 19:42:05 Loading config file /data/data/com.termux/files/home/.aws/config
2020/08/31 19:42:05 Parsing config file /data/data/com.termux/files/home/.aws/config
2020/08/31 19:42:05 [keyring] Expanded file dir to /data/data/com.termux/files/home/.awsvault/keys/
2020/08/31 19:42:05 profile admin: using stored credentials
2020/08/31 19:42:05 profile admin: skipping GetSessionToken because disabled
2020/08/31 19:42:05 Looking up keyring for 'admin'
2020/08/31 19:42:05 [keyring] Expanded file dir to /data/data/com.termux/files/home/.awsvault/keys/
2020/08/31 19:42:05 [keyring] Expanded file dir to /data/data/com.termux/files/home/.awsvault/keys/
Enter passphrase to unlock /data/data/com.termux/files/home/.awsvault/keys/: 
2020/08/31 19:42:13 Setting subprocess env: AWS_DEFAULT_REGION=eu-central-1, AWS_REGION=eu-central-1
2020/08/31 19:42:13 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
{
    "UserId": "AASDFASDFASDFASDZ",
    "Account": "xxx",
    "Arn": "arn:aws:iam::xxx:user/Administrator"
}
  • I am using the latest release of AWS Vault
    -> The latest stable version v5.4.4
  • I have provided my .aws/config (redacted if necessary)
  • I have provided the debug output using aws-vault --debug (redacted if necessary)
Member

mtibben commented Sep 1, 2020

Hey @baztian the pertinent error here is

lookup sts.amazonaws.com on [::1]:53: read udp [::1]:51539->[::1]:53: read: connection refused

The problem is the DNS lookup for sts.amazonaws.com is failing - DNS requests are going to [::1]:53

Are you using dnsmasq or anything intercepting DNS requests?

Author

baztian commented Sep 2, 2020

Thanks @mtibben. When I run telnet against that sts.amazonaws.com on that tablet computer I'm getting a different result than when running the command on my Linux machine.

On my tablet:

$ telnet sts.amazonaws.com 53
Trying 52.46.134.192...
telnet: Unable to connect to remote host: Connection refused

On my Linux machine:

> telnet sts.amazonaws.com 53
Trying 54.239.21.217...
telnet: Unable to connect to remote host: Connection timed out

For the latter it takes a pretty long time to time out. For the first I get back the error message immediately.

Both machines are on the same wifi and subnet. I don't know if my Samsung Android tablet does any DNS request interception and didn't find anything like that on Google.

I also tried with aws-vault v6.0.0-rc1. No luck.

Author

baztian commented Sep 2, 2020

Sorry, I have to correct my previous comment: I was on VPN on the Linux machine. If I disconnect from VPN I get the exact same behaviour from telnet as from the tablet. So no difference here.

Author

baztian commented Sep 2, 2020

Strange though that I get "Connection refused" with telnet on both machines. Using aws-vault I only get that error on the tablet.

Author

baztian commented Sep 2, 2020

I did some more research and found out how to start a session without aws-vault using aws sts assume-role. I was able to successfully call something like

aws sts assume-role --role-arn arn:aws:iam::xxx:role/readonly --role-session-name "RoleSession1" --serial-number arn:aws:iam::xxx:mfa/dev-foobar --token-code 758360

I don't know what aws-vault does additionally or differently. But to me it seems that creating a session works. Just with aws-vault it doesn't.

Member

mtibben commented Sep 2, 2020

Hey @baztian it's the DNS lookup that's failing, it doesn't even get to the point of connecting to sts.amazonaws.com. Your command above indicates that sts.amazonaws.com resolved when using telnet. So the question is why the DNS lookup fails when running through aws-vault.
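The distinction drawn in the comment above (failure during name resolution versus failure connecting to the endpoint) can be read straight off the Go error text; the following is an added example, not code from aws-vault or from either participant. `Diagnose`, `Diagnosis` and the constructed second sample are hypothetical names and data introduced here; the first sample is the error line from the issue's debug output.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
)

// Error text from the issue's debug output (the failing exec run).
const fromIssue = `Post "https://sts.amazonaws.com/": dial tcp: lookup sts.amazonaws.com on [::1]:53: read udp [::1]:51539->[::1]:53: read: connection refused`

// Constructed sample: the name resolved, but the TCP connect to the endpoint failed.
const constructed = `Post "https://sts.amazonaws.com/": dial tcp 192.0.2.10:443: connect: connection refused`

// Go's net package reports resolver failures as
// "lookup <host>[ on <server>]: <cause>".
var lookupRe = regexp.MustCompile(`lookup (\S+?)(?: on (\S+))?: `)

// Diagnosis says at which stage the request failed.
type Diagnosis struct {
	Stage    string // "dns" if name resolution failed, else "connect-or-later"
	Host     string // name being resolved
	Resolver string // DNS server that was queried, if the error names one
	Loopback bool   // true when that server is 127.0.0.0/8 or ::1
}

// Diagnose classifies an error message. A loopback resolver on a device that
// runs no local DNS server is what Go's pure-Go resolver falls back to when
// it cannot read /etc/resolv.conf.
func Diagnose(msg string) Diagnosis {
	m := lookupRe.FindStringSubmatch(msg)
	if m == nil {
		return Diagnosis{Stage: "connect-or-later"}
	}
	d := Diagnosis{Stage: "dns", Host: m[1], Resolver: m[2]}
	if host, _, err := net.SplitHostPort(m[2]); err == nil {
		if ip := net.ParseIP(host); ip != nil {
			d.Loopback = ip.IsLoopback()
		}
	}
	return d
}

func main() {
	for _, msg := range []string{fromIssue, constructed} {
		fmt.Printf("%+v\n", Diagnose(msg))
	}
}
```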

Member

mtibben commented Sep 2, 2020

OK so check out this, someone else has had the same issue https://github.com/klingtnet/golang-android-dns-problem

Member

mtibben commented Sep 2, 2020

Where did you get the aws-vault binary from? Did you compile yourself or did you download the release?

Member

mtibben commented Sep 2, 2020

Also this. Perhaps the problem is unique to Termux? https://stackoverflow.com/questions/38959067/dns-lookup-issue-when-running-my-go-app-in-termux

Member

mtibben commented Sep 3, 2020

Can you test the fix @baztian? Build with make aws-vault-android-arm64, I also dropped a binary here

Author

baztian commented Sep 3, 2020

Sorry @mtibben I haven't set up any arm cross compilation nor have I the disk space on my laptop to compile it. The binary you dropped seems to have some dependency on dynamic libraries.

Would it be much work for you to provide me with a statically linked version?

$ file bin/aws-vault
bin/aws-vault: ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /system/bin/linker64, Go BuildID=s6dxt1bYFf59em4C4STE/fafPXv0capwfbdzezVCR/uF_8YfaNSFOppKwyvTYi/ra1b_BWJjtMnd1mctNqU, stripped
$ file bin/aws-vault-6 
bin/aws-vault-6: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, Go BuildID=cLLZ8Z-B8MnaIj9gOt7l/x0GdSwZuJNT7Xp7vcMSL/DSKJCnqAOC6XaVzIXH-0/V_H8TlwekggC2tUtdFy1, stripped
$ aws-vault
bash: /data/data/com.termux/files/home/bin/aws-vault: No such file or directory

BTW the version I'm using right now is the one I've got from the https://github.com/99designs/aws-vault/releases/ page.

Author

baztian commented Sep 3, 2020

Regarding the Stack Overflow link: my tablet is not rooted. Therefore I can't create/change /etc/resolv.conf.

Member

mtibben commented Sep 7, 2020

OK @baztian I've updated the above binary to be statically compiled, new sha256 is 9bac8c9715559c97162df43f949cc6cac14583e2b0113a3d6ccc0fad74316c7f.

Let me know if that works for you

Author

baztian commented Sep 7, 2020

Awesome @mtibben, it works! (now I'm facing the same issue with terraform. But that's not aws-vault's issue) Thank you!

Author

baztian commented Sep 13, 2020

@mtibben just out of curiosity: Will you provide an additional release or will that replace the normal linux-arm64 release?

Member

mtibben commented Sep 14, 2020

Yep it's in v6.1.0
