
aws-vault login with existing STS temporary credentials #861

Closed
christophetd opened this issue Feb 10, 2022 · 8 comments

Comments

@christophetd
Contributor

Hello!

I'd like to use aws-vault with existing STS temporary credentials. I don't want aws-vault to call sts:AssumeRole for me; I want to be able to pass it my access key ID, secret access key and session token and have it generating the AWS Console sign-in link.

Is this currently supported? My understanding is that it's currently not supported.

Thank you

@mtibben
Member

mtibben commented Feb 10, 2022

Yes I believe what you're asking is possible - what does your AWS config look like and what's the result of aws-vault --debug login when attempting this?

@christophetd
Contributor Author

With the following .aws/config:

[profile compromised]
access_key_id=ASIA...
secret_access_key=F6v..
session_token=IQ..

I get:

$ aws-vault login compromised --region us-east-1 --debug
2022/02/10 14:45:58 aws-vault v6.5.0
2022/02/10 14:45:58 [keyring] Considering backends: [keychain]
2022/02/10 14:45:58 Loading config file /Users/christophetd/.aws/config
2022/02/10 14:45:58 Parsing config file /Users/christophetd/.aws/config
2022/02/10 14:45:58 Profile 'default' missing in config file
2022/02/10 14:45:58 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2022/02/10 14:45:58 [keyring] Found 10 results
2022/02/10 14:45:58 Looking up keyring for 'compromised'
2022/02/10 14:45:58 [keyring] Querying keychain for service="aws-vault", account="compromised", keychain="aws-vault.keychain"
2022/02/10 14:45:58 [keyring] Found item "aws-vault (compromised)"
aws-vault: error: login: profile compromised: operation error IAM: GetUser, https response error StatusCode: 403, RequestID: b46128b4-7908-494b-a758-56e2acef439b, api error InvalidClientTokenId: The security token included in the request is invalid.

Note that running aws iam get-user with these STS credentials in the environment shows:

$ aws sts get-caller-identity
{
    "UserId": "AROA....:cli",
    "Account": "012345678912",
    "Arn": "arn:aws:sts::012345678912:assumed-role/my-role/cli"
}

$ aws iam get-user
An error occurred (ValidationError) when calling the GetUser operation: Must specify userName when calling with non-User credentials

@mtibben
Member

mtibben commented Feb 10, 2022

@christophetd aws-vault doesn't recognise credentials in the config file. Add them via aws-vault add compromised

@mtibben
Member

mtibben commented Feb 10, 2022

I'd like to use aws-vault with existing STS temporary credentials. I don't want aws-vault to call sts:AssumeRole

aws-vault won't use existing STS credentials, it will use the credentials stored in the keychain by aws-vault. But aws-vault doesn't need to call sts:AssumeRole either - it will create a session via federation if a role isn't specified.

@mtibben
Member

mtibben commented Feb 10, 2022

It might be possible to add an --env flag to aws-vault login to source the credentials from the environment rather than the keychain?

@christophetd
Contributor Author

it will create a session via federation if a role isn't specified

But this will only work for IAM users, because sts:GetFederationToken doesn't work when calling it through STS credentials. Correct?

It might be possible to add an --env flag to aws-vault login to source the credentials from the environment rather than the keychain?

Sounds good, in which case we can probably have a new aws.CredentialsProvider sourcing it from environment? If that sounds good, I'll send out a PR

@christophetd
Contributor Author

@christophetd aws-vault doesn't recognise credentials in the config file. Add them via aws-vault add compromised

This doesn't satisfy the use-case since aws-vault only supports adding access keys + secret access keys, not session tokens

@christophetd
Contributor Author

Proposal in #864.

@mtibben mtibben closed this as completed in f8eab90 Mar 7, 2022
2 participants