From e040e007f73c32bffb4101a7e4774d4b8a002233 Mon Sep 17 00:00:00 2001
From: Christoph Gysin <christoph.gysin@gmail.com>
Date: Wed, 1 Mar 2023 12:03:22 +0200
Subject: [PATCH] Don't require master credentials for federation token

Fixes #1134
---
 cli/login.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cli/login.go b/cli/login.go
index 4569230a0..739d4e943 100644
--- a/cli/login.go
+++ b/cli/login.go
@@ -106,7 +106,7 @@ func LoginCommand(input LoginCommandInput, f *vault.ConfigFile, keyring keyring.
 	} else {
 		// Use a profile from the AWS config file
 		ckr := &vault.CredentialKeyring{Keyring: keyring}
-		if config.HasRole() || config.HasSSOStartURL() {
+		if config.HasRole() || config.HasSSOStartURL() || config.HasCredentialProcess() {
 			// If AssumeRole or sso.GetRoleCredentials isn't used, GetFederationToken has to be used for IAM credentials
 			credsProvider, err = vault.NewTempCredentialsProvider(config, ckr)
 		} else {