Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

assume a role with AWS-vault termporary credentials #1252

Open
teto opened this issue Aug 14, 2024 · 5 comments
Open

assume a role with AWS-vault termporary credentials #1252

teto opened this issue Aug 14, 2024 · 5 comments

Comments

@teto
Copy link

teto commented Aug 14, 2024

I think I lack knowledge about how AWS works. This might be a generic AWS question but also could be worth making clearer.

I have a role ROLE I successfully assume with

$ aws-vault exec --no-session sandbox aws sts assume-role --role-arn "arn:aws:iam::REDACTED:role/redacted" --role-session-name toto
....
SUCCESSFUL_RESULT
....

now if I run the ~same (without --no-session) command from a aws-vault exec sandbox aws sts assume-role --role-arn "arn:aws:iam::REDACTED:role/redacted" --role-session-name toto

I get

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::REDACTED:user/redacted is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::REDACTED:role/redacted

arn:aws:iam::REDACTED:user/redacted IS allowed to assume the role since outside aws-vault it works. Apparently aws-vault gets me into a special kind of session for my own user (short term credentials) https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html that could limit my capabilities to assume a role ?
Reading the doc https://github.com/99designs/aws-vault/blob/master/USAGE.md#session-duration (and the aws official one) I could not find anything about these limitations . did I miss anything in my IAM configuration or is this an aws-vault fault ? would it work with mfa ?
@karlkovaciny
Copy link

This error also seems to be blocking me from using AWS Vault to provide SSO credentials to Docker as described in https://github.com/99designs/aws-vault/blob/master/USAGE.md#docker.

@seldon007
Copy link

seldon007 commented Sep 27, 2024
edited
Loading

You can assume the role as part of your aws-vault profile setup e.g.

[profile sandbox]
mfa_serial=arn:aws:iam::xxxxxx:mfa/my-user
role_arn=arn:aws:iam::xxxxxx:role/REDACTED

then you should have assumed it via stort term credentitals
aws-vault --debug exec sandbox -- aws sts get-caller-identity

It that does not work, you need to look at your iam user/role configuration

@teto
Copy link
Author

teto commented Oct 11, 2024

I found out after posting that mfa is mandatory to be able to assume the roles (though nothing in AWS errors indicate that).
This is pretty annoying with some software though, for instance https://k8slens.dev/ keeps asking about MFA because I think it creates a new AWS request every ~10sec and aws-vault doesn't seem to cache the credentials so it reprompts for MFA. Is there a trick around it ? It made me disable aws-vault but I would rather reenable it.

@seldon007
Copy link

The above configuration caches my short term credentials for 1 hour (and maybe maximum for short term creds). I only use MFA when getting the initials credentials then again when they expire.
It is most likely IAM policies on your aws account that needs to be fixed.

@seldon007
Copy link

I don't think AWS STS requires MFA unless you define it in your IAM Policies. You should remove mfa_serial from aws-vault if you don't need mfa

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@teto @seldon007 @karlkovaciny