Skip to content

Fix credential method selection for chained vs non-chained MFA#86

Closed
propilideno wants to merge 3 commits intoByteNess:mainfrom
propilideno:master
Closed

Fix credential method selection for chained vs non-chained MFA#86
propilideno wants to merge 3 commits intoByteNess:mainfrom
propilideno:master

Conversation

@propilideno
Copy link

@propilideno propilideno commented Aug 17, 2025

Introduction

After my changes, I notice that I broke some features when I was trying to pass the session duration to my PROFILENAME.

$ avault76 login PROFILENAME -d 8h --debug                    
2025/08/16 16:37:20 aws-vault v7.6.0-rc1
2025/08/16 16:37:20 Using prompt driver: terminal
2025/08/16 16:37:20 [keyring] Considering backends: [secret-service]
2025/08/16 16:37:20 Loading config file /home/***/.aws/config
2025/08/16 16:37:20 Parsing config file /home/***/.aws/config
2025/08/16 16:37:20 profile PROFILENAME: using stored credentials
2025/08/16 16:37:20 profile PROFILENAME: skipping GetSessionToken because sessions are disabled for this profile
2025/08/16 16:37:20 profile PROFILENAME: using GetSessionToken (with MFA)
2025/08/16 16:37:20 profile PROFILENAME: using AssumeRole (chained MFA)
2025/08/16 16:37:20 Re-using cached credentials ****************ICW7 from sts.GetSessionToken, expires in 7h12m54.65693466s
aws-vault: error: login: operation error STS: AssumeRole, https response error StatusCode: 400, RequestID: 2d939bc8-4d67-4019-a676-2b87ed6e3bf8, api error ValidationError: The requested DurationSeconds exceeds the 1 hour session limit for roles assumed by role chaining.

In this example, you can notice that we are dealing it as a (chained MFA), that is not the truth.

Fixed

This problem occurs because the:

aws-vault/vault/vault.go

Lines 344 to 346 in 7500108

if c.ChainedFromProfile.AssumeRoleDuration > roleChainingMaximumDuration {
return false, fmt.Sprintf("duration %s in profile '%s' is greater than the AWS maximum %s for chaining MFA", c.ChainedFromProfile.AssumeRoleDuration, c.ChainedFromProfile.ProfileName, roleChainingMaximumDuration)
}

Notice that previously I was handling both methods as chained credentials, so to use this feature --duration, we must use the right method at the right time

I could get it working in both cases by using NewSessionTokenProvider in the SOURCE profile when we have config.ChainedFromProfile != nil

Cached Credentials

aws-vault/vault/sessionkeyring.go

Lines 103 to 114 in 7500108

func (sk *SessionKeyring) lookupKeyName(key SessionMetadata) (string, error) {
allKeys, err := sk.Keyring.Keys()
if err != nil {
return key.String(), err
}
for _, keyName := range allKeys {
if strings.HasPrefix(keyName, key.StringForMatching()) {
return keyName, nil
}
}
return key.String(), ErrNotFound
}

After debugging, I found it:

 key github.com/99designs/aws-vault/v7/vault.SessionMetadata = vault.SessionMetadata {Type: "sts.GetSessionToken", ProfileName: "PROFILENAME", MfaSerial: "arn:aws:iam::***:mfa/***", Expiration: time.Time(0001-01-01T00:00:00Z){wall: 0, ext: 0, loc: *time.Location nil}}
   Type string = "sts.GetSessionToken"
   ProfileName string = "PROFILENAME"
   MfaSerial string = "arn:aws:iam::***:mfa/***"
  Expiration time.Time = time.Time(0001-01-01T00:00:00Z){wall: 0, ext: 0, loc: *time.Location nil}
    wall uint64 = 0 = 0x0
    ext int64 = 0
    loc *time.Location = *time.Location nil

strings.HasPrefix
  keyName:                 sts.AssumeRole,YWNr,YXJuOmF3czppYW06OjM4MDg2NTgzMDYxNTptZmEZQ,1755390794
  key.StringForMatching(): sts.GetSessionToken,YWNr,YXJuOmF3czppYW06OjM4MDg2NTgzMDYxNTptZmEZQ,

Notice that we only reuse if we use the same sts get credential method,
I tried to bypass it but got a 403 Forbidden. So I'll leave it unchanged, because i cannot find a way to do it better

Conclusion

aws-vault after a login without role chaining

Enter MFA code for arn:aws:iam::***:mfa/***: 
$ aws-vault list

Profile                          Credentials                      Sessions                                        
=======                          ===========                      ========                                        
PROFILENAME                      PROFILENAME                      sts.GetSessionToken:7h59m59s

aws-vault after a login with role chaining

$ aws-vault list

Profile                          Credentials                      Sessions                                        
=======                          ===========                      ========                                        
PROFILENAME                      PROFILENAME                      sts.AssumeRole:59m59s

aws-vault after both

$ aws-vault list

Profile                          Credentials                      Sessions                                        
=======                          ===========                      ========                                        
PROFILENAME                      PROFILENAME                      sts.GetSessionToken:7h59m18s, sts.AssumeRole:59m52s

So, we must provide Enter MFA code for arn:aws:iam::***:mfa/***: for each method.

@propilideno propilideno requested a review from mbevc1 as a code owner August 17, 2025 02:35
@propilideno
Copy link
Author

propilideno commented Aug 17, 2025

Replaced by: #87

@propilideno propilideno mentioned this pull request Aug 17, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mbevc1 mbevc1 Awaiting requested review from mbevc1 mbevc1 is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@propilideno