Does not work with aws-okta or aws-vault
argais opened this issue · 6 comments
These two tools allow you to save your credentials in the keychain instead of the plain text file in .aws/credentials, and they work just fine with other apps that use the aws go sdk.
But whenever I try to use saw with them I get:
➜ aws-okta exec myprofile -- saw groups
panic: SharedConfigAssumeRoleError: failed to load assume role for arn:aws:iam::REDACTED:role/secondary-role, source profile has no shared credentials
goroutine 1 [running]:
github.com/TylerBrock/saw/vendor/github.com/aws/aws-sdk-go/aws/session.Must(0x0, 0x156ea60, 0xc4200693b0, 0x0)
/Users/tbrock/Code/Go/src/github.com/TylerBrock/saw/vendor/github.com/aws/aws-sdk-go/aws/session/session.go:274 +0x54
github.com/TylerBrock/saw/blade.NewBlade(0x17a8fc0, 0x17a8840, 0x0, 0x4)
/Users/tbrock/Code/Go/src/github.com/TylerBrock/saw/blade/blade.go:49 +0x16a
github.com/TylerBrock/saw/cmd.glob..func3(0x17a3620, 0x17c6788, 0x0, 0x0)
/Users/tbrock/Code/Go/src/github.com/TylerBrock/saw/cmd/groups.go:19 +0x46
github.com/TylerBrock/saw/vendor/github.com/spf13/cobra.(*Command).execute(0x17a3620, 0x17c6788, 0x0, 0x0, 0x17a3620, 0x17c6788)
/Users/tbrock/Code/Go/src/github.com/TylerBrock/saw/vendor/github.com/spf13/cobra/command.go:766 +0x2c1
github.com/TylerBrock/saw/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0x17a3880, 0x0, 0x14edded, 0x23)
/Users/tbrock/Code/Go/src/github.com/TylerBrock/saw/vendor/github.com/spf13/cobra/command.go:852 +0x30a
github.com/TylerBrock/saw/vendor/github.com/spf13/cobra.(*Command).Execute(0x17a3880, 0xc420147f78, 0xc42009c058)
/Users/tbrock/Code/Go/src/github.com/TylerBrock/saw/vendor/github.com/spf13/cobra/command.go:800 +0x2b
main.main()
/Users/tbrock/Code/Go/src/github.com/TylerBrock/saw/saw.go:10 +0x2d
exit status 2
Lemme know if I can provide any other info.
Thanks for reporting this. I've never used aws-vault or okta so I apologize for it not working straight away. Shouldn't be too tough to figure out though.
Was just reading about this a bit, can you describe your configuration a little bit more?
In the aws-vault docs it says for your profile to assume a role your ~/.aws/config should look something like what they have here, where read-only is the source profile and admin is the one having elevated privileges. In your case I'd expect an entry for myprofile and one for secondary-role that references myprofile as the source. I'm new to aws-vault so forgive me if this is not on target, but do you have something like that in your config?
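As an added illustration (not code from saw, the SDK, or anyone in this thread), the following preflight check parses the config layout the reply above describes and walks the source_profile chain to reproduce, offline, the condition the error message names: the source profile must carry keys in the shared files. The file contents, the account id in the role ARN, and the rule that environment-injected keys (what aws-okta/aws-vault exec provide) satisfy only a directly used profile and not a source_profile link are assumptions of this example.

```python
# Added example, not part of saw: model the condition behind
# "SharedConfigAssumeRoleError ... source profile has no shared credentials".
import configparser

# Constructed ~/.aws/config in the layout the aws-vault docs describe:
# "myprofile" is the source, "secondary-role" assumes a role through it.
CONFIG_TEXT = """
[profile myprofile]
region = us-east-1

[profile secondary-role]
source_profile = myprofile
role_arn = arn:aws:iam::123456789012:role/secondary-role
"""

# Constructed ~/.aws/credentials: empty, as it is when a keychain tool holds the keys.
CREDENTIALS_TEXT = ""


def load_profiles(config_text, credentials_text):
    """Merge both files into {profile: {key: value}}; config uses 'profile X' sections."""
    profiles = {}
    for text, strip_prefix in ((config_text, True), (credentials_text, False)):
        ini = configparser.ConfigParser()
        ini.read_string(text)
        for section in ini.sections():
            name = section[8:] if strip_prefix and section.startswith("profile ") else section
            profiles.setdefault(name, {}).update(ini[section])
    return profiles


def has_shared_keys(profile):
    """True when static keys are present in the shared files (not the environment)."""
    return {"aws_access_key_id", "aws_secret_access_key"}.issubset(profile)


def check_profile(profiles, name, env_has_keys=False):
    """Return (ok, reason). Assumption: env keys count only for a profile used directly."""
    if name not in profiles:
        return False, f"profile {name!r} not found"
    profile = profiles[name]
    if "role_arn" not in profile:
        ok = has_shared_keys(profile) or env_has_keys
        return ok, ("credentials available" if ok else f"{name}: no credentials")
    seen, src = set(), None
    while "role_arn" in profile:  # follow the assume-role chain to its source
        src = profile.get("source_profile")
        if not src or src not in profiles or src in seen:
            return False, f"{name}: role_arn without a resolvable source_profile"
        seen.add(src)
        profile = profiles[src]
    if has_shared_keys(profile):
        return True, f"assume role via source profile {src!r}"
    return False, f"source profile {src!r} has no shared credentials"
```

Running check_profile on "secondary-role" with the empty credentials file reports the same source-profile condition as the panic above; adding static keys for myprofile to the credentials file, or using myprofile directly under aws-okta/aws-vault exec, passes.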
aws-okta works fine for me together with saw. Lil wrapper in my .bashrc and instantly worked.
function saw {
aws-okta exec "myprofile" -- saw "$@"
}
Works fine for me with aws-vault. Nothing special, just
aws-vault exec <profile> -- saw ...