Comments (2)
andymac4182
commented on June 6, 2024
This would be great as I am having issues using this with Granted https://github.com/common-fate/granted where it sets the environment variables including AWS_PROFILE causing gossm to attempt to use the SSO credentials instead of the environment variables that it would normally do under the AWS SDK.
Looks like someone else tried to fix this for their use case as well tedsmitt@1ec2768 @tedsmitt
from gossm.
jaymecd
commented on June 6, 2024
Similar problem here, it seems extended profile is not supported.
I have 1 user profile source and role profile target configured in custom file locations.
export AWS_CONFIG_FILE=/Users/jaymecd/ws/my-project/.local/aws/config
export AWS_SHARED_CREDENTIALS_FILE=/Users/jaymecd/ws/my-project/.local/aws/credentials- content of
$AWS_SHARED_CREDENTIALS_FILEfile:[source] # user that only has permission to assume "target" role aws_access_key_id = AKIA....... aws_secret_access_key = .........
- content of
$AWS_CONFIG_FILEfile:[profile source] role_session_name = source region_name = eu-central-1 [profile target] role_session_name = target source_profile = source role_arn = arn:aws:iam::111222333444:role/TargetRole region_name = eu-central-1
Running start with target profile - unexpected behaviour - profile is not detected:
$ time gossm start -p target
[Expire] gossm default mfa credential file /Users/jaymecd/ws/my-project/.local/aws/credentials
[err] [err][cmd.initConfig:217] failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, exceeded maximum number of attempts, 3, request send failed, Get "http://169.254.169.254/latest/meta-data/iam/security-credentials/": dial tcp 169.254.169.254:80: connect: host is down
real 0m12.052s
user 0m0.020s
sys 0m0.024sRunning start with source profile (allowed only to assume target role) - expected behaviour - granted sts:AssumeRole permission only:
$ time gossm start -p source
region (eu-central-1)
[err] operation error SSM: DescribeInstanceInformation, https response error StatusCode: 400, RequestID: 14718550-65ca-4742-8f6f-4c7721ac35b2, api error AccessDeniedException: User: arn:aws:iam::111222333444:user/source is not authorized to perform: ssm:DescribeInstanceInformation on resource: arn:aws:ssm:eu-central-1:111222333444:* because no identity-based policy allows the ssm:DescribeInstanceInformation action
real 0m0.345s
user 0m0.025s
sys 0m0.035sHowever, AWS CLI runs correctly and resolves extended profile:
$ aws sts get-caller-identity --profile source
{
"UserId": "AIDA...",
"Account": "111222333444",
"Arn": "arn:aws:iam::111222333444:user/source"
}
$ aws sts get-caller-identity --profile target
{
"UserId": "AROA...:target",
"Account": "111222333444",
"Arn": "arn:aws:sts::111222333444:assumed-role/TargetRole/target"
}UPD: discovered that AWS SDK effectively handles credentials lookup by default.
Just need to declare session as sess := session.Must(session.NewSession()) and provide AWS_SDK_LOAD_CONFIG=true envvar, so SDK parses $AWS_CONFIG_FILE as well.
Or simulate this logic using SharedConfigFiles option.
from gossm.
Related Issues (20)
- Cloud security
- Feature Request: SSO auth HOT 2
- Extend support to ECS exec HOT 1
- Ability to connect to an instance via "Name" tag. HOT 3
- authenticate with aws credential_process HOT 1
- get EOF error with fish shell and oh-my-fish HOT 2
- Document Permissions Required for gossm HOT 1
- AWS_SHARED_CREDENTIALS_FILE Overwritten By Default HOT 6
- Something like this for K8S would be awesome HOT 1
- FilterLimitExceeded: The maximum number of filter values specified on a single call is 200 HOT 1
- Brew upgrade states a deprecation HOT 2
- The UI is broken when running k9s on the server connected using gossm. HOT 1
- Not working for hybrid images HOT 2
- ssh and scp not working using GOSSM
- Feature Request: Support for StartPortForwardingSessionToRemoteHost HOT 1
- [err] Incorrect function. when running on windows 10
- Feature Request: Support for Amazon ECS Exec to access containers on AWS Fargate and Amazon EC2 HOT 2
- session-manager-plugin incorrect arch for arm64
- Could you release a newer version?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from gossm.