-
-
Notifications
You must be signed in to change notification settings - Fork 25.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AWS plugin tries to manually assume role #9394
Comments
Thank you for your report. I will investigate and revert. |
My setup:
So it switches the profile while failing |
The script that actually works (for ideas), if I do aar () {
if [[ -z "$1" ]]
then
unset AWS_DEFAULT_PROFILE AWS_PROFILE AWS_EB_PROFILE
echo AWS profile cleared.
return
fi
local aws_profile_name=${1}
local role_arn=$(aws configure --profile ${aws_profile_name} get role_arn)
if [[ -z "$role_arn" ]]
then
echo Role ARN for profile \(${aws_profile_name}\) cannot be found.
echo Please set the \'role_arn\' attribute on the profile.
return 1
fi
local session_name="${aws_profile_name}-session"
local credentials_output=$(aws sts assume-role --role-arn ${role_arn} --role-session-name ${session_name} --query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' --output text | tr "\t" "\n")
local credentials=("${(f)credentials_output}")
local access_key_id=${credentials[1]}
local secret_access_key=${credentials[2]}
local session_token=${credentials[3]}
aws configure --profile ${aws_profile_name} set aws_access_key_id ${access_key_id}
aws configure --profile ${aws_profile_name} set aws_secret_access_key ${secret_access_key}
aws configure --profile ${aws_profile_name} set aws_session_token ${session_token}
export AWS_ACCESS_KEY_ID=${access_key_id}
export AWS_SECRET_ACCESS_KEY=${secret_access_key}
export AWS_SESSION_TOKEN=${session_token}
export AWS_DEFAULT_PROFILE=${aws_profile_name}
export AWS_PROFILE=${aws_profile_name}
export AWS_EB_PROFILE=${aws_profile_name}
echo Credentials set for AWS profile \(${aws_profile_name}\)
} |
I don't mind having different functions for MFA and whatnot but I don't think the |
@wnkz that was the case with an earlier version of the AWS plugin, it was changed recently (not sure why, I only noticed it when pulled the master branch) |
It actually didn't switch the profile - it set the environment variables. It could do error handling better, fair enough. I'll look into what can be done. |
Not so sure about that - the purpose of |
@wknz Why do you say that? Can you name any other reasons to have |
@wknz I've read again through your description and I can confirm this is not a bug. Assuming IAM roles is how AWS recommends securing access to your resources: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#delegate-using-roles If that is not what you want, you quite rightly hinted at the workaround: remove |
Still it doesn't work at least if MFA is enabled which should be standard for everyone. |
@robvadai I'm checking your case now. Ideally, I'd have it in another bug (as the conclusion on the original one is above), but I'll check nevertheless. In the meantime, I can tell you that at my company, over 20 engineers are using it with MFA successfully. So there must be something specific to your setup, which I'm checking. |
I appreciate that, however I tried it on AWS accounts for 2 companies (I'm a consultant) and doesn't work for either - these are 2 companies, located geographically in different places and completely different staff so it'd be unlikely the same people set up their AWS account. |
@robvadai , I'm looking. In the meantime, what is common between those 2 companies where you are a consultant? That's why I'm keen to check how you are doing it. 👍 In the meantime, here is a screenshot of using the plugin in one of my 4 different AWS accounts: |
My suspicion is our credentials are set up differently. Could you share your |
@robvadai Here is mine, from one of the machines, as an example: |
OK I'm not using |
@robvadai You might be right about the README. So And I'm trying to understand how you are assuming role - it doesn't seem like the MFA is set up in your case, right? It looks like your account can assume some roles without any additional authorization? What is the use case for that? |
We do not allow logging in or assuming any roles without MFA, as per the AWS best practices, so keen to understand the use case here. |
OK so I switch to a role, used that |
Thanks, @robvadai ! In the meantime, I'll try to think of a use case like yours. Based on the error message you provided:
Looking at the code, the behaviour should be identical between
This is the line from
In both cases:
So both commands should execute the same actual command. |
Although I must say, the script gave me an idea as to how to get rid of |
Changed my config, tested for one profile and it works without the additional However, when I didn't type in a session duration I got:
|
Thanks for confirming and glad it worked! I will check why it behaves like that with session duration for you. The idea is that if you just press Enter without entering the session duration, the AWS default value will be used, because session duration variable is empty. Do you mind sharing the details of the system on which you are running it? Specifically, what OS it is and what version of |
Yes all good now, just another thing: I need |
@maksyms macOS |
That's not me - that is the bog-standard AWS CLI, not me, that puts |
I reproduced this. This is a bug, @robvadai. Could you please report it as one and tag me in the report? I can then look at fixing it. |
@maksyms I am very confused by your questions 🤔
The way to tell the AWS CLI which profile to use is via Now, with the updated function the role is assumed manually, credentials are stored in environment variables and never renewed. Furthermore, assuming the role straight away cause problems with other type of more advanced configurations using I really don't want to sound rude but this change only gave me trouble. I don't really know what made you do this and it might be a perfectly fine use case but this is a breaking change to me and should at least be implemented in a new function but not replace the existing one. 👋 |
@wnkz Thanks a lot for your extensive write-up. I'm sorry you feel the change gave you trouble. Judging by the reaction of a few other individuals, the change simplified their workflows already - and that's in addition to circa 30-ish users that were using this change prior to it being merged. The reason for implementing the change is exactly related to the documentation you quoted (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html). The purpose of The very specific example use case is like this:
Here is the illustration: Here is what is happening here:
I hope this explains the problem this PR solves in better details. Now back to your use case. What I'm guessing based on your description is that the way you prefer to use AWS CLI is by specifying
I'm wondering though what the best way to help you is. Any suggestions beyond reverting the change? |
🙏 Please maintainers, read this before merging any more stuff in this plugin. The change introduced by #8419 is bad for multiple reasons:
The only thing I saw with this change is that my daily workflow is completely broken and I'm pretty sure I'm not the only one. I understand your problem with tools like The new I saw this because I update oh-my-zsh daily but I can guarantee that many AWS users are about to be very mad very soon as they update oh-my-zsh. This is the only change that made me manually roll back oh-my-zsh in years. My suggestion to find a compromise is:
|
@wnkz It so happens that you are talking to a recent maintainer.
Ok, let me think about this. One more thought: would introducing some env var to indicate whether to assume or not assume the role be an option? |
You were arbitrarily declared maintainer five hours ago so please stay calm and put the "maintainer" card away. 1.Well, it's basic development good practice ; you don't suddenly completely replace the behavior of a tool / function / method without giving users a warning and proper time to adapt or find workarounds. If you desperately need your change to go through, at least add a new function with a new name but dont force people to use your solution. In my point of view, you just broke something that wasn't with no solution but rollback to a previous version. I'm not saying this is useless for everyone, but saying it is useful for 30 does not mean it is for everyone else. 2.The fact that PR #8419 was opened over a year ago is completely irrelevant. It's not because I'm a user of oh-my-zsh or this plugin that I'm supposed to go have a look at oh-my-zsh pull requests. I don't know how many OSS you are using but I'm pretty sure you don't have a look at every pull requests opened on every one of those repositories. 3.Again, you're trying to fix something that isn't broken. Of course forcing every third party tools to correctly use AWS SDKs will be hard if not impossible but it is the only sane way of doing it. To conclude, if you just added a new function with a new name and told everyone having your problem to use it instead of I don't think I'll spend more time discussing this as I've presented most of my arguments. Right now, this plugin is useless to me so either you'll do something about it as the new maintainer or I will bring back the original functionality in another plugin. Have a good day 👋 |
@wnkz You are right, we are discussing software, and my only intent is to help make this piece of functionality better for the community, not just for you or me. Most of your suggestions are non-constructive and impossible to implement in this specific case; your tone reads aggressive, the approach comes across as idealistic, and the behaviour amounts to demagogic. While I understand that you are upset that a change in an open-source code that you pull in daily broke your workflow, it doesn't justify toxic behaviour. I suggest this stops now. So far, I've been trying to focus on understanding and fixing the specific issue you are raising, that get in the way of your workflow, not on the tone of this conversation. The one constructive suggestion I have heard from you is to introduce a function with a different name to assume roles. Ok, perhaps, as this commit hasn't been out for long, it is a reasonable way forward. I will be implementing it now. |
the change to assume a role when it is specified in configuration broke some workflows. This fix addresses that Fixes #9394
Hi there, it works fine when I use a role but it doesn't prompt for MFA for the source profile anymore. I added So this source profile has Any idea? |
This is the problem. For source profiles we don't have |
I fixed it but the code has some duplications, need to tidy it up: https://github.com/ohmyzsh/ohmyzsh/compare/master...robvadai:bugfix/aws-mfa-with-source?expand=1 |
By the way, omitting the time still results in error: acp myprofile
Please enter your MFA token for arn:aws:iam::1111111111:mfa/myuser:
123456
Please enter the session duration in seconds (900-43200; default: 3600, which is the default maximum for a role):
An error occurred (AccessDenied) when calling the GetSessionToken operation: MultiFactorAuthentication failed, unable to validate MFA code. Please verify your MFA serial number is valid and associated with this user.
Switched to AWS Profile: myprofile |
@robvadai Could you please log it as a separate problem and share your config and credentials? I'm not sure I understand what you mean when you say "for source profiles we don't have role_arn" - I don't either. The reason the second issue when you don't specify the duration now is because the MFA authentication fails, not any other reason - so it is not to do with the plugin. |
the change to assume a role when it is specified in configuration broke some workflows. This fix addresses that Fixes ohmyzsh#9394
the change to assume a role when it is specified in configuration broke some workflows. This fix addresses that Fixes ohmyzsh#9394
the change to assume a role when it is specified in configuration broke some workflows. This fix addresses that Fixes ohmyzsh#9394
the change to assume a role when it is specified in configuration broke some workflows. This fix addresses that Fixes ohmyzsh#9394
the change to assume a role when it is specified in configuration broke some workflows. This fix addresses that Fixes ohmyzsh#9394
the change to assume a role when it is specified in configuration broke some workflows. This fix addresses that Fixes ohmyzsh#9394
the change to assume a role when it is specified in configuration broke some workflows. This fix addresses that Fixes ohmyzsh#9394
the change to assume a role when it is specified in configuration broke some workflows. This fix addresses that Fixes ohmyzsh#9394
the change to assume a role when it is specified in configuration broke some workflows. This fix addresses that Fixes ohmyzsh#9394
Describe the bug
The
asp
command from aws plugin now assume role itself whenrole_arn
is defined in the AWS profile.This is not how it's supposed to work ; AWS CLI is perfectly capable of assuming roles on the fly and does not expose AWS credentials to environment variables.
Tracked it down to this PR: #8419.
I don't know if this is a specific need around MFA but checking only for
role_arn
attribute is not enough to trigger "manual" assume role.Maybe @maksyms can comment as the PR author.
To Reproduce
Steps to reproduce the behavior, for example:
role_arn
Expected behavior
Unless MFA is needed,
asp
should only set AWS_PROFILE environment variablesDesktop (please complete the following information):
The text was updated successfully, but these errors were encountered: