
Unable to connect to KMS encrypted session when using credential_process in .aws/config #92

Open
DougManton opened this issue Mar 11, 2024 · 3 comments

Comments

@DougManton

I'd really appreciate your help to find the root cause for a problem authenticating sessions when using session-manager-plugin in combination with KMS session encryption and an external credential_process.

Steps to Reproduce

  1. Windows using latest aws-cli and session-manager-plugin
  2. Use a credential process such as aws-sso-cli to create authentication profiles in the format:
[profile myprofile]
credential_process = c:\aws-sso-cli\aws-sso-cli.exe -u open-url-in-container -S "Default" process --arn arn:aws:iam::123456789:role/myrole
region = us-east-1
  3. Launch an aws ssm session: aws ssm start-session --profile myprofile --target mi-1234567890abcd
  4. Observe an error when session-manager-plugin attempts to call KMS after starting the session:
Starting session with SessionId: [email protected]
Level=fatal msg="'\"Default\"'  is not a valid AWS SSO Instance\"

SessionId: [email protected] :
----------ERROR-------
Encountered error while initiating handshake.  KMSEncryption failed on client with status 2 error: Failed to process activation KMSEncryption: Error calling KMS GenerateDataKey API: ProcessProvider ExecutionError: error in credential_process caused by: exit status 1

Workarounds

  • Hand-edit .aws/config to remove the quotes from the session profile credential_process entry
    • Regresses when aws-sso automatically regenerates the config file when user profile assignments are refreshed
  • Removing KMS encryption avoids the error and the SSM session is able to connect
    • Non-compliant with corporate security policy

Thoughts on Problem

  • This problem doesn't appear when using any aws cli command directly: the main aws cli passes the arguments to the credential_process without any modification and it works. That includes calls to "aws ssm" such as starting the PortForwarding document. Hence raising against the session-manager-plugin as the only component affected by the problem
  • Something is escaping quotes present in the .aws/config before calling the credential_process, which means the credential_process receives \"Default\" instead of "Default", and has no profile named \"Default\" causing the failure
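The tokenization behaviour described in the two bullets above, as an added example that is not code from session-manager-plugin, the AWS CLI or aws-sso-cli. It shows how a credential_process line from .aws/config must be split into an argv before being exec'd without a shell (quotes group a word and are consumed, so the child sees Default, not "Default"), contrasts that with a naive whitespace split that hands the child the literal quoted token, and parses the JSON a credential_process must print (Version 1 plus keys and an optional Expiration). The splitting rules (backslash kept literally to suit Windows paths, only double and single quotes honoured), the sample JSON and the ExampleLine constant are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os/exec"
	"strings"
	"time"
)

// ExampleLine is the credential_process entry from the issue, copied as-is.
const ExampleLine = `c:\aws-sso-cli\aws-sso-cli.exe -u open-url-in-container -S "Default" process --arn arn:aws:iam::123456789:role/myrole`

// SampleOutput is a constructed credential_process response in the shape
// botocore/AWS CLI expects (Version 1, static keys, optional Expiration).
const SampleOutput = `{"Version":1,"AccessKeyId":"AKIAEXAMPLE","SecretAccessKey":"secret","SessionToken":"token","Expiration":"2099-01-01T00:00:00Z"}`

// SplitCommand turns a credential_process line into an argv. Whitespace
// separates arguments; a double- or single-quoted run is one argument with
// the quotes removed. Backslashes are kept literally (assumption: the line is
// a Windows path, as in the issue), so no escape handling is attempted.
func SplitCommand(line string) ([]string, error) {
	var args []string
	var cur strings.Builder
	inArg := false
	var quote rune // 0 while outside quotes
	for _, r := range line {
		switch {
		case quote != 0:
			if r == quote {
				quote = 0 // closing quote is consumed, not passed to the child
			} else {
				cur.WriteRune(r)
			}
		case r == '"' || r == '\'':
			quote = r
			inArg = true
		case r == ' ' || r == '\t':
			if inArg {
				args = append(args, cur.String())
				cur.Reset()
				inArg = false
			}
		default:
			cur.WriteRune(r)
			inArg = true
		}
	}
	if quote != 0 {
		return nil, errors.New("unterminated quote in credential_process")
	}
	if inArg {
		args = append(args, cur.String())
	}
	if len(args) == 0 {
		return nil, errors.New("empty credential_process")
	}
	return args, nil
}

// NaiveSplit is the illustrative failure mode: splitting on whitespace only
// leaves the quotes on the token, so the child receives "Default" verbatim.
func NaiveSplit(line string) []string { return strings.Fields(line) }

// BuildCommand passes argv to the child verbatim; exec.Command uses no shell,
// so nothing re-parses or re-escapes the arguments on the way through.
func BuildCommand(args []string) *exec.Cmd { return exec.Command(args[0], args[1:]...) }

// ProcessCredentials is the JSON document a credential_process prints.
type ProcessCredentials struct {
	Version         int    `json:"Version"`
	AccessKeyId     string `json:"AccessKeyId"`
	SecretAccessKey string `json:"SecretAccessKey"`
	SessionToken    string `json:"SessionToken"`
	Expiration      string `json:"Expiration"`
}

// ParseProcessOutput validates the child's stdout: Version must be 1, both
// static keys must be present, and an Expiration (RFC 3339) must not have
// passed relative to now.
func ParseProcessOutput(out []byte, now time.Time) (*ProcessCredentials, error) {
	var c ProcessCredentials
	if err := json.Unmarshal(out, &c); err != nil {
		return nil, fmt.Errorf("credential_process output is not JSON: %w", err)
	}
	if c.Version != 1 {
		return nil, fmt.Errorf("unsupported credential_process Version %d", c.Version)
	}
	if c.AccessKeyId == "" || c.SecretAccessKey == "" {
		return nil, errors.New("credential_process output lacks AccessKeyId/SecretAccessKey")
	}
	if c.Expiration != "" {
		exp, err := time.Parse(time.RFC3339, c.Expiration)
		if err != nil {
			return nil, fmt.Errorf("bad Expiration: %w", err)
		}
		if !exp.After(now) {
			return nil, errors.New("credential_process returned expired credentials")
		}
	}
	return &c, nil
}

func main() {
	args, err := SplitCommand(ExampleLine)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("argv for the child:   %q\n", args)
	fmt.Printf("naive split gives -S: %q\n", NaiveSplit(ExampleLine)[4])
	fmt.Printf("exec argv[4]:         %q\n", BuildCommand(args).Args[4])
	if creds, err := ParseProcessOutput([]byte(SampleOutput), time.Now()); err == nil {
		fmt.Println("session token present:", creds.SessionToken != "")
	}
}
```

Running it prints the argv with Default unquoted, the naive token "Default" with its quotes, and confirms the exec argv carries the same tokens; a profile whose -S value carried the quotes through would report exactly the kind of "is not a valid AWS SSO Instance" failure shown in the issue.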
@yuting-fan
Contributor

Hi @DougManton ,

The credentials used by KMS encryption are passed from AWS CLI to the Session Manager plugin. What is the version of AWS CLI you are using? There was a fix done in AWS CLI to correctly pass the credential profile down, and it was released in AWS CLI v2.35.61 and v1.32.116. If you continue to see issues after upgrading to the latest version, please let us know for further investigation.

Regards,
Yuting

@brad-jones

FWIW just modify the generated output of aws-sso config-profiles from -S "Default" to -S Default.
It solved a similar issue I had with a terraform stack.

@jonBerg24

It also happens when you use an sso-session whose name contains whitespaces as the profile's credentials.
