
I can only call aws commands in the same terminal window if I use assume --exec -- /bin/bash #764

Open
airtonix opened this issue Sep 30, 2024 · 8 comments


airtonix commented Sep 30, 2024

Title says it all.

I feel like the docs are misleading.

The promised land is this:

$ assume
... select role
$ aws sts get-caller-identity
... see identity

The reality for me is this:

~
❯ assume                           

? Please select the profile you would like to assume: <SNIPPED>
[i] To assume this profile again later without needing to select it, run this command:
> assume <SNIPPED> 
[✔] [<SNIPPED>](<SNIPPED>) session credentials will expire in 12 hours

~
❯ aws sts get-caller-identity

Unable to locate credentials. You can configure credentials by running "aws configure".

But if I do this:

~
❯ assume --exec --  aws sts get-caller-identity

? Please select the profile you would like to assume: <SNIPPED>  
[i] To assume this profile again later without needing to select it, run this command:
> assume <SNIPPED> --exec -- aws sts get-caller-identity
[✔] [<SNIPPED>](<SNIPPED>) session credentials will expire in 12 hours
{
    "UserId": "<SNIPPED>:Zeno<SNIPPED>@<SNIPPED>",
    "Account": "<SNIPPED>",
    "Arn": "arn:aws:sts::<SNIPPED>:<SNIPPED>"
}

this does not work:

~
❯ assume --export && env | grep AWS

? Please select the profile you would like to assume: <SNIPPED>  
[i] To assume this profile again later without needing to select it, run this command:
> assume <SNIPPED> --export
[✔] [<SNIPPED>](<SNIPPED>) session credentials will expire in 12 hours
[!] No credential suffix found. This can cause issues with using exported credentials if conflicting profiles exist. Run `granted settings export-suffix set` to set one.
[✔] Exported credentials to /home/zenobius/.aws/credentials file as <SNIPPED> successfully

~
❯ aws sts get-caller-identity                   

Unable to locate credentials. You can configure credentials by running "aws configure".

~
❯ echo "THE PROFILE: >>>> $AWS_PROFILE <<<<"
THE PROFILE: >>>>  <<<<
chrnorm (Contributor) commented Sep 30, 2024

Hi @airtonix, could you please confirm that the shell alias is correctly installed? https://docs.commonfate.io/granted/troubleshooting#manually-configuring-your-shell-profile

You’ll want to ensure that the alias is added to a profile file loaded on your shell startup.
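The reason the alias matters, shown as an added illustration rather than Granted's own code: a child process can never change the environment of the shell that started it, so a bare binary can at best print an `export` line, and only a shell alias or function evaluating that line in the current shell makes `AWS_PROFILE` visible to the next `aws` command (with `--exec`, by contrast, the child `bash` simply inherits the variables from `assume`). The stand-in binary below is a constructed script whose shape is an assumption, not the real `assume` output.

```sh
#!/bin/sh
# Added example, not Granted's code. Demonstrates why `assume` has to be run
# through a shell alias/function rather than as a plain child process.

# Constructed stand-in for the assume binary: a real separate process that
# cannot touch its parent's environment, so it prints an export line instead.
FAKE_ASSUME="$(mktemp)"
cat >"$FAKE_ASSUME" <<'EOF'
#!/bin/sh
printf 'export AWS_PROFILE=%s\n' "$1"
EOF
chmod +x "$FAKE_ASSUME"

# Running the binary directly: its output is discarded and, even if it had
# called setenv() itself, that change would die with the child process.
assume_as_child_process() {
    "$FAKE_ASSUME" "$1" >/dev/null
    printf '%s' "${AWS_PROFILE:-}"   # still empty in this shell
}

# A function wrapper that evaluates the binary's output in the *current*
# shell; this is the effect a correctly installed shell alias provides.
assume_in_current_shell() {
    eval "$("$FAKE_ASSUME" "$1")"
    printf '%s' "${AWS_PROFILE:-}"   # now set for subsequent commands
}
```

Typical use: `assume_in_current_shell my_profile` followed by `aws sts get-caller-identity` sees the profile; `assume_as_child_process my_profile` followed by the same command reproduces the "Unable to locate credentials" symptom from the report.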

airtonix (Author) commented

> Hi @airtonix, could you please confirm that the shell alias is correctly installed? docs.commonfate.io/granted/troubleshooting#manually-configuring-your-shell-profile
>
> You’ll want to ensure that the alias is added to a profile file loaded on your shell startup.

ok it's there now and starship shows that it can see my aws profile after running assume.

However I now get

~
❯ assume                     

? Please select the profile you would like to assume: <SNIP_MYPROFILENAME>
[i] To assume this profile again later without needing to select it, run this command:
> assume <SNIP_MYPROFILENAME> 
[✔] [<SNIP_MYPROFILENAME>](<SNIP_MYREGIONNAME>) session credentials will expire in 12 hours

~ on ☁️  <SNIP_MYPROFILENAME> (<SNIP_MYREGIONNAME>) 
❯ aws sts get-caller-identity

An error occurred (ExpiredToken) when calling the GetCallerIdentity operation: The security token included in the request is expired

chrnorm (Contributor) commented Oct 1, 2024

@airtonix could you please run granted doctor and then select the name of the profile you're having issues with, and post the results here? I suspect you may have a stale token cached in ~/.aws/sso/cache; you can try clearing that directory. If that's the case, it seems like we should improve our detection of this within Granted and I'll open an issue to track this.

jazmon commented Oct 3, 2024

Hello, I'm experiencing the same issue (I think).

granted doctor output for me:

➜ granted doctor

[i] Checking your Granted and AWS local configurations to look for common issues...


? Please select the profile you would like to assume: [PROFILE_NAME_OMITTED]
[i] profile selected: [PROFILE_NAME_OMITTED]

[i] profile SSO start URL:

[i] profile region:

[i] Granted doctor will now check the default sso token cache (`~/.aws/sso/cache`), Granted secure storage, and the AWS credentials file to valiate cached tokens.

[i] Checking all cached tokens in secure storage

[!] error retrieving IAM Identity Center token from secure storage: The specified item could not be found in the keyring
[!] [INFO] no cached tokens in secure storage found

[i] Checking commonly found issues in Granted configuration

[!] [INFO] DefaultExportAllEnvVar set to false: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN variables will not be exported to your environment for profiles using credential process. Set this to true if you need this functionality
[i] [RECOMMENDED] Not using Firefox as default browser, we recommend using Firefox to make use of the multi-account containers functionality with Granted.

[✔] Granted Doctor has completed, see diagnostics above

We are not using SSO with AWS and I don't have a ~/.aws/sso/cache folder. We're using a credential_process in ~/.aws/config under the default profile. This has worked in the past.

chrnorm (Contributor) commented Oct 3, 2024

Thanks for the report @jazmon, I am wondering if this could be a recent regression somewhere in the project. Could you please share a copy of the affected profile config from ~/.aws/config? (redacting any account IDs etc). I’d like to try and reproduce this so would like to know if you have MFA etc configured on the profile.

jazmon commented Oct 3, 2024

Additional possible note: assume --exec -- /bin/bash works, assume --exec -- /bin/zsh doesn't (I'm on zsh normally)

[default]
region=us-east-1
credential_process = bash -c "~/.aws/our-script.sh"

[profile my_profile]
role_arn=arn:aws:iam::XXXXXXXXX:role/admin
source_profile=default

The credential process is a script I'm not able to share but it handles fetching the credentials w/ caching (I've removed caches here) and exports AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY

chrnorm (Contributor) commented Oct 3, 2024

> Additional possible note: assume --exec -- /bin/bash works, assume --exec -- /bin/zsh doesn't (I'm on zsh normally)
>
> [default]
> region=us-east-1
> credential_process = bash -c "~/.aws/our-script.sh"
>
> [profile my_profile]
> role_arn=arn:aws:iam::XXXXXXXXX:role/admin
> source_profile=default
>
> The credential process is a script I'm not able to share but it handles fetching the credentials w/ caching (I've removed caches here) and exports AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY

Thanks for the info. Just to confirm, does your credential_process adhere to the expected output format?

It should print a JSON like this to stdout:

{
    "Version": 1,
    "AccessKeyId": "an AWS access key",
    "SecretAccessKey": "your AWS secret access key",
    "SessionToken": "the AWS session token for temporary credentials", 
    "Expiration": "RFC3339 timestamp for when the credentials expire"
}  

If so, I should be able to try and replicate this with my own bash script. Also, if you happened to know the version of Granted that this was known to be working for that would be fantastic.
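An added example, not Granted's or AWS's code, of what the credential_process contract above looks like in practice: one function builds the JSON document a helper must print to stdout, and a second checks a helper's output for the problems that produce the symptoms in this thread, in particular a cached Expiration that has already passed, which is what an ExpiredToken response from STS points at. All key material below is constructed placeholder data; the script name in the usage comment is hypothetical.

```python
"""Build and validate credential_process output (added example, not project code)."""
import json
import sys
from datetime import datetime, timedelta, timezone


def _rfc3339(dt):
    """Format an aware datetime as the RFC3339 UTC form AWS tooling accepts."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_credential_output(access_key_id, secret_access_key,
                            session_token=None, ttl_seconds=3600, now=None):
    """Return the JSON string a credential_process helper should print.

    Long-lived keys omit SessionToken/Expiration; temporary credentials carry
    both so the caller knows when the cached entry must be refreshed.
    """
    now = now or datetime.now(timezone.utc)
    doc = {"Version": 1, "AccessKeyId": access_key_id,
           "SecretAccessKey": secret_access_key}
    if session_token is not None:
        doc["SessionToken"] = session_token
        doc["Expiration"] = _rfc3339(now + timedelta(seconds=ttl_seconds))
    return json.dumps(doc)


def validate_credential_output(text, now=None):
    """Return a list of problems with a helper's stdout; an empty list means OK."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"stdout is not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["stdout must be a single JSON object"]
    problems = []
    version = doc.get("Version")
    if isinstance(version, bool) or version != 1:
        problems.append("Version must be the integer 1")
    for key in ("AccessKeyId", "SecretAccessKey"):
        if not doc.get(key):
            problems.append(f"{key} is missing or empty")
    if "SessionToken" in doc:
        exp = doc.get("Expiration")
        if not exp:
            problems.append("temporary credentials must include Expiration")
        else:
            try:
                exp_dt = datetime.fromisoformat(exp.replace("Z", "+00:00"))
            except ValueError:
                problems.append(f"Expiration is not an RFC3339 timestamp: {exp!r}")
            else:
                if exp_dt.tzinfo is None:
                    problems.append("Expiration must carry a timezone offset")
                elif exp_dt <= (now or datetime.now(timezone.utc)):
                    # A stale cache entry surfaces later as ExpiredToken from STS.
                    problems.append(f"Expiration is in the past: {exp}")
    return problems


if __name__ == "__main__":
    # Hypothetical usage as a checker for an existing helper:
    #   bash -c "~/.aws/our-script.sh" | python3 check_credential_process.py
    issues = validate_credential_output(sys.stdin.read())
    for issue in issues:
        print("[!]", issue, file=sys.stderr)
    sys.exit(1 if issues else 0)
```

Feeding the helper's stdout through the checker before wiring it into ~/.aws/config separates "the script prints the wrong shape" from "the script prints a correct shape with a stale cached expiry", which are the two failure modes a credential_process can produce here.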

jazmon commented Oct 3, 2024

It does actually output that. I didn't see it initially, as it was my first time reading through the script, so I missed it within the caching logic.
