Can't use --prompt=terminal with --ec2-server #888

Closed
FernandoMiguel opened this issue Mar 10, 2022 · 16 comments · Fixed by #1138

@FernandoMiguel
Collaborator

~$ aws-vault --debug exec dev --ec2-server
2022/03/10 10:51:03 aws-vault v6.6.0
2022/03/10 10:51:03 Loading config file /Users/fernando/.aws/config
2022/03/10 10:51:03 Parsing config file /Users/fernando/.aws/config
2022/03/10 10:51:03 [keyring] Considering backends: [keychain]
aws-vault: error: exec: Can't use --prompt=terminal with --ec2-server. Specify a different prompt driver

$ aws-vault --version
v6.6.0

@mtibben
Member

mtibben commented Mar 10, 2022

Hey @FernandoMiguel, this is because the ec2/ecs server mode of exec needs to be able to refresh credentials from the background aws-vault process asynchronously, while the terminal prompt can only receive input synchronously and needs to interrupt the foreground process leading to a poor/broken UX.

So I'm really not sure how to handle terminal input when using a server, do you have any thoughts or ideas?

@FernandoMiguel
Collaborator Author

No idea. Was fine yesterday. It's broken today.
All I need is for server to work as daemon so stuff like vscode can plug into EKS.
I have no need for terminal input here... Just the daemon

@mtibben
Member

mtibben commented Mar 10, 2022

@FernandoMiguel ah so it's the "default" as terminal that is the problem

@mtibben
Member

mtibben commented Mar 10, 2022

I assume you can specify a different prompt value to get things working

@FernandoMiguel
Collaborator Author

> @FernandoMiguel ah so it's the "default" as terminal that is the problem

Just regular vanilla iTerm2.
Nothing fancy about it, and no recent update there.
Something changed with aws vault and no warning on the changelog.

@mtibben
Member

mtibben commented Mar 11, 2022

I mean you can specify a different prompt value (e.g. aws-vault exec --prompt=osascript) to work around the issue

@FernandoMiguel
Collaborator Author

I'll give it a try.

That will make this a much longer command to run every time. Easy to forget and have problems again.
And hard for discovery, making it less intuitive for other users.

@mtibben
Member

mtibben commented Mar 11, 2022

yeah we should sort out a better default

@FernandoMiguel
Collaborator Author

$ aws-vault  --debug exec dev --prompt=osascript --server
2022/03/11 11:10:19 aws-vault v6.6.0
2022/03/11 11:10:19 Loading config file /Users/fernando/.aws/config
2022/03/11 11:10:19 Parsing config file /Users/fernando/.aws/config
2022/03/11 11:10:19 [keyring] Considering backends: [keychain]
2022/03/11 11:10:19 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"

that seems to work fine.
what can we do to fix this in aws-vault natively, and avoid an extra parameter that wasn't needed a week ago?

thanks for the help!

@danwashusen

This breaking change is a bummer - we use aws-vault within a docker container, 'terminal' is the only option...

> So I'm really not sure how to handle terminal input when using a server, do you have any thoughts or ideas?

Could it not just work the way it used to? Ask for 2FA input at launch then start erroring when re-auth is required...

@pdehlke

pdehlke commented Sep 19, 2022

Bump. I'm with @danwashusen here. This breaks terribly in places where 'terminal' is the only viable option.

@pdehlke

pdehlke commented Dec 14, 2022

so... nothing on this?

@ChristopherHackett
Contributor

My understanding is that the "breaking change" was the introduction of a pre-server-start check to see if --ec2-server will be able to later re-request an MFA code.

v6.5.0...v6.6.0#diff-70819234fda619d5e21380c6721d9c61a32ef46edb6092e117800926fc169cf3R52-R60

Without this check the user is at risk of starting a server that will not be able to do what it's supposed to do (keep the creds refreshed). Effectively the error path is being highlighted to the user at the point of invoking aws-vault instead of in the future.

It feels the change made is in the right direction but some use cases hadn't been considered. The correct resolution doesn't feel like just rolling back the change.

@FernandoMiguel, @danwashusen and @pdehlke: In your use cases are you using 2FA? If you are then my view is an explicit opt-in from the user really needs to be made to bypass the above check (maybe terminal-once or something). If you are not using 2FA then it might be worth making a change if possible to detect that no MFA is in use and so allowing the terminal prompt to be used.
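
Added example, not part of the thread and not aws-vault's code: a sketch of the "detect that no MFA is in use" idea from the comment above, following `source_profile` links in an AWS config file. The names `parseProfiles` and `terminalPromptOK`, the constructed sample config, and the rule that only `mfa_serial` signals MFA are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

type profiles map[string]map[string]string

// Constructed sample config; profile names and the ARN are placeholders.
const sampleConfig = `[profile dev]
region = eu-west-1
[profile base]
mfa_serial = arn:aws:iam::111111111111:mfa/example
[profile prod]
source_profile = base`

// parseProfiles reads AWS-config-style INI text into profile -> key -> value.
func parseProfiles(text string) profiles {
	out, cur := profiles{}, map[string]string(nil)
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			cur = map[string]string{}
			out[strings.TrimPrefix(strings.Trim(line, "[]"), "profile ")] = cur
		} else if k, v, ok := strings.Cut(line, "="); ok && cur != nil {
			cur[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return out
}

// terminalPromptOK (hypothetical check): the terminal prompt is acceptable in
// server mode only if no profile in the source_profile chain sets mfa_serial,
// because an MFA code could not be re-requested from the background process.
func terminalPromptOK(p profiles, name string) bool {
	// seen guards against source_profile cycles in a malformed config.
	for seen := map[string]bool{}; name != "" && !seen[name]; name = p[name]["source_profile"] {
		seen[name] = true
		if p[name]["mfa_serial"] != "" {
			return false
		}
	}
	return true
}

func main() {
	p := parseProfiles(sampleConfig)
	fmt.Println("dev:", terminalPromptOK(p, "dev"), "prod:", terminalPromptOK(p, "prod"))
}
```

The `prod` profile is rejected even though it sets no `mfa_serial` itself, because the requirement is inherited from `base`.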

@FernandoMiguel
Collaborator Author

we are using aws sso (with azure AD). so no MFA

@mtibben
Member

mtibben commented Dec 19, 2022

> This breaking change is a bummer - we use aws-vault within a docker container, 'terminal' is the only option...
>
> > So I'm really not sure how to handle terminal input when using a server, do you have any thoughts or ideas?
>
> Could it not just work the way it used to? Ask for 2FA input at launch then start erroring when re-auth is required...

The whole point of --ec2-server and --ecs-server is to refresh credentials asynchronously in the background. If you don't need that refreshing behaviour, why are you using --ec2-server and --ecs-server?

@FernandoMiguel
Collaborator Author

Yay
