Error "source profile has no shared credentials" when AWS_PROFILE is set

[jonscheiding]

Environment

Windows 10, PowerShell

Steps to Reproduce

Make your ~/.aws/config look something like this:

[profile master]
region=us-east-1
mfa_serial=arn:aws:iam::000000000000:mfa/jonscheiding

[profile development]
source_profile=master
role_arn=arn:aws:iam::111111111111:role/DevelopmentAccountRole

[profile production]
source_profile=master
role_arn=arn:aws:iam::222222222222:role/ProductionAccountRole

Run aws-vault with the AWS_PROFILE environment variable set:

PS> $Env:AWS_PROFILE="development"
PS> aws-vault exec $Env:AWS_PROFILE --json

Actual Result

Error message:

2019/08/19 09:17:59 ERROR: failed to create session with AWS_SDK_LOAD_CONFIG enabled. Use session.NewSession to handle errors occurring during session creation. Error: SharedConfigAssumeRoleError: failed to load assume role for arn:aws:iam::111111111111:role/DevelopmentAccountRole, source profile has no shared credentials
aws-vault: error: Failed to get credentials for master (source profile for development): SharedConfigAssumeRoleError: failed to load assume role for arn:aws:iam::111111111111:role/DevelopmentAccountRole, source profile has no shared credentials

The Go SDK appears to take the AWS_PROFILE setting into account when it goes to STS for credentials. (Here?).

Expected Result

I would think that, before requesting credentials from STS, the AWS_PROFILE variable should either be unset, or set to the source_profile value from the profile that's being used.

Context

I'm trying to incorporate aws-vault into my existing workflow because we've started enforcing MFA on our accounts, and certain command-line tools don't support prompting for a code.

My existing workflow involves an ~/.aws/config file like the above, account federation, a tool I made that manages the AWS_PROFILE environment variable, and some PowerShell aliases that look basically like this:

function Invoke-AWS {
  $AWS = (Get-Command -CommandType Application aws)
  aws-vault exec $Env:AWS_PROFILE -- $AWS $args
}

New-Alias aws Invoke-AWS

So my normal workflow will ideally look something like this:

PS> awsp
Press Delete to clear your profile setting.
Press Escape to cancel.
  0 master
* 1 development
  2 production
Setting profile for current shell to 'certica/dev'.
Updating user environment variable to persist profile setting.
PS> aws sts get-caller-identity
{
    "Account": "111111111111",
    "UserId": "ABCDEFGHIJKLMNOPQRSTW:1111222233334444555",
    "Arn": "arn:aws:sts::111111111111:assumed-role/DevelopmentAccountRole/1111222233334444555"
}

Is there a better way to set this up?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[jonscheiding]

This is still happening! I have to maintain wrapper scripts that unset the AWS_PROFILE variable before calling aws-vault.

Even if there won’t be a fix for this, I’d love some feedback and suggestions of how I could set up my workflow better, or even just an acknowledgment of the issue.

[mtibben]

I can reproduce when AWS_SDK_LOAD_CONFIG=1 is set. Fixed in v5.3.1 (1ce3655)