Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

"awsume [profile-name]" command hangs and never responds #117

Closed
cameronbesse opened this issue Aug 14, 2020 · 9 comments
Closed

"awsume [profile-name]" command hangs and never responds #117

cameronbesse opened this issue Aug 14, 2020 · 9 comments

Comments

@cameronbesse
Copy link

I have installed awsume via pip and I have the correct alias in my bash profile. Awsume does correctly list my available AWS profiles with awsume -l, however when I try to use the awsume [profile-name] command to assume a profile, the terminal hangs and there is no response.

screenshot

(On MacOS Catalina version 10.15.5 (19F101), using iTerm2 build 3.3.12)

@skjutare
Copy link

I have the same issue on MacOS Catalina version 10.15.6. It works with User profiles, but for all Role the awsume python process draws about 100% CPU (one core).

@skjutare
Copy link

❯ awsume role-profile --debug
[2020-08-19 16:53:11,484] main.py:main : [DEBUG] Debug logs are visible
[2020-08-19 16:53:11,484] main.py:main : [DEBUG] Executing awsume
[2020-08-19 16:53:11,484] app.py:__init__ : [DEBUG] Initalizing app
[2020-08-19 16:53:11,484] app.py:get_plugin_manager : [DEBUG] Creating plugin manager
[2020-08-19 16:53:11,485] app.py:get_plugin_manager : [DEBUG] Loading plugins
[2020-08-19 16:53:11,495] app.py:parse_args : [DEBUG] Gathering arguments
[2020-08-19 16:53:11,495] default_plugins.py:add_arguments : [INFO] Adding arguments
[2020-08-19 16:53:11,496] app.py:parse_args : [DEBUG] Parsing arguments
[2020-08-19 16:53:11,496] app.py:parse_args : [DEBUG] Handling arguments
[2020-08-19 16:53:11,496] default_plugins.py:post_add_arguments : [DEBUG] Post add arguments
[2020-08-19 16:53:11,496] default_plugins.py:post_add_arguments : [DEBUG] {"version": false, "output_profile": null, "clean": false, "profile_name": "role-profile", "force_refresh": false, "show_commands": false, "unset_variables": false, "auto_refresh": false, "kill": false, "list_profiles": null, "refresh_autocomplete": false, "role_arn": null, "principal_arn": null, "source_profile": null, "external_id": null, "mfa_token": null, "region": null, "session_name": null, "role_duration": null, "with_saml": false, "with_web_identity": false, "json": null, "credentials_file": null, "config_file": null, "config": null, "list_plugins": false, "info": false, "debug": true, "console": false, "console_link": false, "console_service": false, "console_link_service": false, "rotate_access_keys": false, "force_rotate_access_keys": false}
[2020-08-19 16:53:11,496] app.py:get_profiles : [DEBUG] Gathering profiles
[2020-08-19 16:53:11,497] default_plugins.py:collect_aws_profiles : [INFO] Collecting AWS profiles
[2020-08-19 16:53:11,499] default_plugins.py:collect_aws_profiles : [DEBUG] Collected 10 profiles
[2020-08-19 16:53:11,499] default_plugins.py:post_collect_aws_profiles : [INFO] Post collect AWS profiles
[2020-08-19 16:53:11,499] app.py:get_credentials : [DEBUG] Getting credentials
[2020-08-19 16:53:11,499] app.py:get_credentials : [DEBUG] Pulling credentials from default awsume flow

After this it hangs for ever...

@skjutare
Copy link

I figured it out.

You can't have a profile in .aws/config that have the same name as a credentials in ./aws/credentials if it has a source_profile with the same name...

added an suffix to the user accounts config solved the issue.

So the bug is in how awsume tries to resolve infinity roles. Support added in "Adds support for infinite role-chaining" on line 235 of app.py PR

@mbarneyjr
Copy link
Member

Hi! Thanks for opening this issue, sorry about the delay!

The source_profile property is used when you're defining a role profile. The source_profile property points to which profile you want to use to assume the configured role. Commonly it's an IAM user assuming a role, like this:

# ~/.aws/credentials
[myuser]
aws_access_key_id = ...
aws_secret_access_key = ...

# ~/.aws/config
[profile myuser]
region = ...

[profile myrole]
role_arn = ...
source_profile = ...
region = ...

Awsume should raise an error if the source_profile property of a profile is pointing to itself, this has been noted and we'll work on resolving that issue.

@cameronbesse Just to confirm, was @skjutare's solution solve your problem?

@cameronbesse
Copy link
Author

@cameronbesse Just to confirm, was @skjutare's solution solve your problem?

@mbarneyjr Yes, I had the same issue in my credentials file.

@mbarneyjr
Copy link
Member

Hmm, I seem to be having trouble replicating the issue. Correct me if I'm misunderstanding your setup, but if I create the following profile configuration:

#~/.aws/credentials
[test]
aws_access_key_id = ...
aws_secret_access_key = ...

#~/.aws/config
[profile test]
source_profile = test

I correctly get the following error:

$ awsume test
Awsume error: Invalid profile [test] cannot have circular role-chains

If you're able to replicate the error, could you show your profile setup (redacting any secrets and account IDs, of course)? Thank you!

@skjutare
Copy link

skjutare commented Aug 21, 2020

With a similar setup to this I can get it to hang

#~/.aws/credentials
[test]
aws_access_key_id = ...
aws_secret_access_key = ...

#~/.aws/config
[profile test]
source_profile = test

[profile test-role]
source_profile = test
role_arn=...

while calling awsume test-role

@mbarneyjr
Copy link
Member

Great, that was what I needed to find the bug, thanks! It should be fixed in pre release 4.5.0a2

@mbarneyjr
Copy link
Member

Sorry for the delay, this has been deployed to 4.5.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants