RFC: make --ecs-server the default --server behaviour #572
Comments
Does that mean the default

Any tool using the SDK should be supported. It would be good to understand what tools won't support it, do you have examples? I was thinking the --ec2-server flag would stay
@mtibben It seems the functionality is not working as expected:

```
fedora31 (aws:none)(kc:none)$ aws-vault exec --ecs-server dev-ro
fedora31 (aws:dev-ro)(kc:dev-ro)$ aws sts get-caller-identity
Enter token for arn:aws:iam::************:mfa/noel.georgi: 615244
Error when retrieving credentials from container-role: Error retrieving metadata: Received error when attempting to retrieve ECS metadata: Read timeout on endpoint URL: "http://127.0.0.1:64434"
fedora31 (aws:hcap-dev-ro)(kc:hcap-dev-ro)$ 615244
bash: 615244: command not found
```
@mtibben I have seen some issues with my testing of

```ruby
# frozen_string_literal: true
require 'aws-sdk-core'

# No explicit credentials: the SDK walks its default provider chain, so this
# only succeeds if that chain includes the ECS container credential provider.
p Aws::STS::Client.new.get_caller_identity
```

```
Traceback (most recent call last):
20: from test.rb:5:in `<main>'
19: from /Users/ngeorgi/.rbenv/versions/2.5.7/lib/ruby/gems/2.5.0/gems/aws-sdk-core-3.94.0/lib/aws-sdk-sts/client.rb:1694:in `get_caller_identity'
18: from /Users/ngeorgi/.rbenv/versions/2.5.7/lib/ruby/gems/2.5.0/gems/aws-sdk-core-3.94.0/lib/seahorse/client/request.rb:70:in `send_request'
17: from /Users/ngeorgi/.rbenv/versions/2.5.7/lib/ruby/gems/2.5.0/gems/aws-sdk-core-3.94.0/lib/seahorse/client/plugins/response_target.rb:23:in `call'
16: from /Users/ngeorgi/.rbenv/versions/2.5.7/lib/ruby/gems/2.5.0/gems/aws-sdk-core-3.94.0/lib/aws-sdk-core/plugins/response_paging.rb:10:in `call'
15: from /Users/ngeorgi/.rbenv/versions/2.5.7/lib/ruby/gems/2.5.0/gems/aws-sdk-core-3.94.0/lib/aws-sdk-core/plugins/param_converter.rb:24:in `call'
14: from /Users/ngeorgi/.rbenv/versions/2.5.7/lib/ruby/gems/2.5.0/gems/aws-sdk-core-3.94.0/lib/aws-sdk-core/plugins/idempotency_token.rb:17:in `call'
13: from /Users/ngeorgi/.rbenv/versions/2.5.7/lib/ruby/gems/2.5.0/gems/aws-sdk-core-3.94.0/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:20:in `call'
12: from /Users/ngeorgi/.rbenv/versions/2.5.7/lib/ruby/gems/2.5.0/gems/aws-sdk-core-3.94.0/lib/seahorse/client/plugins/raise_response_errors.rb:14:in `call'
11: from /Users/ngeorgi/.rbenv/versions/2.5.7/lib/ruby/gems/2.5.0/gems/aws-sdk-core-3.94.0/lib/aws-sdk-core/plugins/param_validator.rb:24:in `call'
10: from /Users/ngeorgi/.rbenv/versions/2.5.7/lib/ruby/gems/2.5.0/gems/aws-sdk-core-3.94.0/lib/seahorse/client/plugins/endpoint.rb:45:in `call'
9: from /Users/ngeorgi/.rbenv/versions/2.5.7/lib/ruby/gems/2.5.0/gems/aws-sdk-core-3.94.0/lib/aws-sdk-core/plugins/endpoint_discovery.rb:78:in `call'
8: from /Users/ngeorgi/.rbenv/versions/2.5.7/lib/ruby/gems/2.5.0/gems/aws-sdk-core-3.94.0/lib/aws-sdk-core/plugins/endpoint_pattern.rb:28:in `call'
7: from /Users/ngeorgi/.rbenv/versions/2.5.7/lib/ruby/gems/2.5.0/gems/aws-sdk-core-3.94.0/lib/aws-sdk-core/plugins/user_agent.rb:11:in `call'
6: from /Users/ngeorgi/.rbenv/versions/2.5.7/lib/ruby/gems/2.5.0/gems/aws-sdk-core-3.94.0/lib/aws-sdk-core/query/handler.rb:28:in `call'
5: from /Users/ngeorgi/.rbenv/versions/2.5.7/lib/ruby/gems/2.5.0/gems/aws-sdk-core-3.94.0/lib/aws-sdk-core/plugins/retry_errors.rb:350:in `call'
4: from /Users/ngeorgi/.rbenv/versions/2.5.7/lib/ruby/gems/2.5.0/gems/aws-sdk-core-3.94.0/lib/aws-sdk-core/plugins/helpful_socket_errors.rb:10:in `call'
3: from /Users/ngeorgi/.rbenv/versions/2.5.7/lib/ruby/gems/2.5.0/gems/aws-sdk-core-3.94.0/lib/aws-sdk-core/plugins/transfer_encoding.rb:24:in `call'
2: from /Users/ngeorgi/.rbenv/versions/2.5.7/lib/ruby/gems/2.5.0/gems/aws-sdk-core-3.94.0/lib/aws-sdk-core/plugins/signature_v4.rb:65:in `call'
1: from /Users/ngeorgi/.rbenv/versions/2.5.7/lib/ruby/gems/2.5.0/gems/aws-sdk-core-3.94.0/lib/aws-sdk-core/plugins/signature_v4.rb:123:in `apply_signature'
/Users/ngeorgi/.rbenv/versions/2.5.7/lib/ruby/gems/2.5.0/gems/aws-sdk-core-3.94.0/lib/aws-sdk-core/plugins/signature_v4.rb:72:in `sign_request': unable to sign request without credentials set (Aws::Errors::MissingCredentialsError)
```

This code would otherwise work with So I think it may break many applications/SDKs where it's not set to use ECS credentials by default
Looks like the following AWS SDKs do not currently support

@frezbo are you sure

Dang, that's a shame. It's been working great for me so far with Go

@jstewmon does that mean

In my experience, such discrepancies in the credential providers are unintentional, and AWS accepts PRs to bring continuity. Yes, they all support

@jstewmon Terraform works fine. Version:

Hmm, should we support

@mtibben We should first fix the issue with I guess we can add

I think the EC2 server covers that use-case pretty well though? I'm more excited to get the root-less server, so maybe we stick with

Yeh, I can raise a PR with the Ruby SDK

@frezbo thanks for confirming Terraform is working 🙏 It looks like hashicorp/aws-sdk-go-base#5 made this possible in Terraform 🎉

@frezbo for the e.g. on macOS We need to document this better or display a warning when server is used without a prompt
@mtibben That seems a usability issue, the

```
(aws:none)(kc:none)(git:RD-2485)$ aws-vault exec --ecs-server --prompt=osascript dev-ro
(aws:dev-ro)(kc:dev-ro)(git:RD-2485)$ aws sts get-caller-identity
Error when retrieving credentials from container-role: Error retrieving metadata: Received error when attempting to retrieve ECS metadata: Read timeout on endpoint URL: "http://127.0.0.1:57018"
```

So if I take time to type in the MFA it throws this error and the first command fails; the error occurs after the command execution. I'm not sure why I need to set the prompt, why can't it do the same thing as the Sorry, just pointing out usability issues. server mode it seems the UX for the plain
Yeah, that's only because SDK timeouts for the EC2 server are very aggressive, so we do the first credential load up-front. ECS is currently doing it on-demand. Remember the creds getting generated are only temporary. The MFA session needs to be re-authed, so it needs a non-terminal prompt, as the terminal likely has another process running in the foreground. Agree this needs better UX, feel free to PR a proposal, the code there should be pretty understandable
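The on-demand load and SDK read timeout discussed in this comment, as an added illustration that is not aws-vault's own code: a local mock of an ECS-style credential endpoint next to the fetch an SDK's container provider performs. The credential document is constructed; the Authorization-header check mirrors the AWS_CONTAINER_AUTHORIZATION_TOKEN mechanism the container provider supports and is assumed here, not taken from the thread.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Credentials is the JSON document the ECS container-credentials endpoint
// returns and that every AWS SDK's container provider parses.
type Credentials struct {
	AccessKeyId, SecretAccessKey, Token, Expiration string
}

// NewCredentialServer stands up a local endpoint shaped like aws-vault's
// --ecs-server. issue runs on demand per request (an MFA prompt would block
// here); token must match the Authorization header so that other local
// processes cannot simply read the credentials (assumed, see lead-in).
func NewCredentialServer(token string, issue func() Credentials) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != token {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(issue()) // constructed credentials
	}))
}

// FetchCredentials is the client side as an SDK performs it: GET the full URI
// with the token under a read timeout. A prompt that outlives the timeout
// surfaces as the "Read timeout on endpoint URL" error quoted in the thread.
func FetchCredentials(fullURI, token string, timeout time.Duration) (Credentials, error) {
	req, err := http.NewRequest(http.MethodGet, fullURI, nil)
	if err != nil {
		return Credentials{}, err
	}
	req.Header.Set("Authorization", token)
	resp, err := (&http.Client{Timeout: timeout}).Do(req)
	if err != nil {
		return Credentials{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return Credentials{}, fmt.Errorf("credential endpoint returned %s", resp.Status)
	}
	var c Credentials
	err = json.NewDecoder(resp.Body).Decode(&c)
	return c, err
}
```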
@frezbo's log here #572 (comment) shows another case where the current behavior of This has come up in the past, see #222 (comment). Suggesting I think it makes more sense to remove (I'm not suggesting removing the ability to do
So we're on the same page, currently
When you Creating a stand-alone credential "server" would be expected to be non-interactive, so I'm not sure we could use it for interactive prompts. Plus it would be a second stand-alone process to manage, but this time with access to credentials, which would be a security concern
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
#556 introduced the ECS server, and it has many advantages. I think we should just make it the default --server behaviour for the improved UX and major security improvements