Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

aws-env: don't get temporary credentials if no MFA serial specified #3

Open
borsboom opened this issue Nov 19, 2017 · 1 comment

Comments

Projects
None yet
1 participant
@borsboom
Copy link
Member

commented Nov 19, 2017

Currently, aws-env will get STS temporary credentials even if it doesn't need to (when no MFA serial specified). Ordinarily, this is fine, except when using the IAM API which doesn't seem to support temporary credentials when no MFA or role is in use (other AWS APIs, such as s3, work fine):

$ aws-env --profile REDACTED aws iam list-roles
[aws-env] Getting session token for profile 'REDACTED'
[aws-env] WARNING: No role_arn or mfa_serial found for profile REDACTED
An error occurred (InvalidClientTokenId) when calling the ListRoles operation: The security token included in the request is invalid

aws-env should skip the temporary credentials in the case when no MFA serial is specified so that this doesn't come up.

@borsboom

This comment has been minimized.

Copy link
Member Author

commented Nov 19, 2017

Implementing this is harder than just skipping the aws sts get-session-token call because currently aws-env doesn't have any logic itself for parsing the AWS credentials file, and instead relies on the AWS CLI to do so when when running aws sts get-session-token. It will have to parse the credentials file itself and set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY itself. It should probably do this in every case, and stop relying on aws sts get-session-token to parse the credentials file (in which case, remove the case of passing --profile to that command).

Something to also test is to make sure aws sts assume-role works when the current credentials aren't a temporary session. I think it should, but I'm not certain of that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.