-
Notifications
You must be signed in to change notification settings - Fork 820
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
assume a role with AWS-vault termporary credentials #1252
Comments
This error also seems to be blocking me from using AWS Vault to provide SSO credentials to Docker as described in https://github.com/99designs/aws-vault/blob/master/USAGE.md#docker. |
You can assume the role as part of your aws-vault profile setup e.g.
then you should have assumed it via stort term credentitals It that does not work, you need to look at your iam user/role configuration |
I found out after posting that mfa is mandatory to be able to assume the roles (though nothing in AWS errors indicate that). |
The above configuration caches my short term credentials for 1 hour (and maybe maximum for short term creds). I only use MFA when getting the initials credentials then again when they expire. |
I don't think AWS STS requires MFA unless you define it in your IAM Policies. You should remove mfa_serial from aws-vault if you don't need mfa |
I think I lack knowledge about how AWS works. This might be a generic AWS question but also could be worth making clearer.
I have a role ROLE I successfully assume with
now if I run the ~same (without
--no-session
) command from aaws-vault exec sandbox aws sts assume-role --role-arn "arn:aws:iam::REDACTED:role/redacted" --role-session-name toto
I get
arn:aws:iam::REDACTED:user/redacted
IS allowed to assume the role since outside aws-vault it works. Apparently aws-vault gets me into a special kind of session for my own user (short term credentials) https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html that could limit my capabilities to assume a role ?Reading the doc https://github.com/99designs/aws-vault/blob/master/USAGE.md#session-duration (and the aws official one) I could not find anything about these limitations . did I miss anything in my IAM configuration or is this an aws-vault fault ? would it work with mfa ?
The text was updated successfully, but these errors were encountered: