SecretService backend - prompts for new secrets' DB while using KeepassXC

[WojciechRydel]

• I am using the latest release of AWS Vault
• I have provided my .aws/config (redacted if necessary)
• I have provided the debug output using aws-vault --debug (redacted if necessary)

aws-vault --debug output

2023/05/30 11:33:53 aws-vault v7.2.0
2023/05/30 11:33:53 Using prompt driver: zenity
2023/05/30 11:33:53 Using AWS_CONFIG_FILE value: /xx/.config/aws/config
2023/05/30 11:33:53 Loading config file /home/voytech/.config/aws/config
2023/05/30 11:33:53 Parsing config file /home/voytech/.config/aws/config
2023/05/30 11:33:53 [keyring] Considering backends: [secret-service]
2023/05/30 11:33:53 Profile 'default' missing in config file
2023/05/30 11:33:53 profile xxx: using SSO role credentials
2023/05/30 11:33:53 Setting subprocess env: AWS_REGION=eu-west-1, AWS_DEFAULT_REGION=eu-west-1
2023/05/30 11:33:54 Created new OIDC client (expires at: 2023-08-28 11:33:54 +0200 CEST)
2023/05/30 11:33:54 Created OIDC device code for https://xx.awsapps.com/start (expires in: 600s)
2023/05/30 11:33:54 Opening SSO authorization page in browser
Opening the SSO authorization page in your default browser (use Ctrl-C to abort)
https://device.sso.eu-west-1.amazonaws.com/?user_code=xxx
2023/05/30 11:34:00 Created new OIDC access token for https://xx.awsapps.com/start (expires in: 28581s)

I am using KeepassXC as the SecretService underhood. Every execution of e.g. secret-tool lookup xx yy calls KeepassXC to retrieve secret.

When I configure aws-vault to use SecretService as its backend, each time I want to store some value, I am prompted to create a new KeepassXC database.

[Knud3]

Same problem here.

aws-vault --debug exec profile -- thing
2023/06/15 15:28:49 aws-vault v7.2.0
2023/06/15 15:28:49 Using prompt driver: terminal
2023/06/15 15:28:49 Loading config file /home/me/.aws/config
2023/06/15 15:28:49 Parsing config file /home/me/.aws/config
2023/06/15 15:28:49 [keyring] Considering backends: [secret-service]
2023/06/15 15:28:49 profile profile: using credential process
2023/06/15 15:28:49 Setting subprocess env: AWS_REGION=eu-west-1, AWS_DEFAULT_REGION=eu-west-1

As workaround AWS_VAULT_FILE_PASSPHRASE="" aws-vault --backend=file exec profile -- thing can be used.

[simkli]

We have two issues here. First, aws-vault tries to create new collection (KeepassXC database) if a collection called aws-vault doesn't exist. We can fix it by adding the --secret-service-collection to the command. The collection for KeepassXC is the name of your database without the file extension. If you password database is password.kdbx the flag would be called aws-vault --secret-service-collection password. (There are some quirks. E.g. a hyphen in the filename would be escaped).

Now the prompt is working, but aws-vault freezes afterwards. There's another bug in the go-libsecret library causing this: gsterjov/go-libsecret#5

To get it working we can use the patch from @Neverous. (thanks by the way 😁 )

1. Clone the aws-vault repository
2. Add the following to the end of the go.mod file:

replace (
	github.com/gsterjov/go-libsecret => github.com/Neverous/go-libsecret v0.0.0-20230212130815-609c8590032b
)

3. Run go build

Now aws-vault should work with KeepassXC if you use it as follows
aws-vault --secret-service-collection YOUR_KEEPASSXC_DATABASE_FILENAME_WITHOUT_EXTENSION

I recommend adding this command as an alias.

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[Knud3]

Still using totally unmaintained go-libsecret

aws-vault/go.mod

Line 35 in e22aea1

github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect

Related to automatically staled and closed #904 (comment)