[aws-vault] Simultaneous support for aws-vault v4 and v5 #579

Merged
merged 1 commit into from
Apr 24, 2020

Contributor

@Nuru Nuru commented Apr 24, 2020

what

  • [aws-vault] Simultaneous support for aws-vault v4 and v5
  • [helmfile] update to v0.111.0
  • Update other tools per cloudposse/packages

why

  • aws-vault released a major upgrade, going from version 4 to version 5, and in the process, seems to have broken support for long-lived assumed roles. See 532 and 552 for example issues. However, due to breaking changes in v5, Geodesic dropped support for v4 in Update to helm 3, aws-vault 5 #546, making it impossible for people to revert to the working version 4. This PR restores support for v4 while maintaining support for v5. See further details below.
  • Multiple helmfile bug fixes
  • Standard update procedures

further information about aws-vault

While aws-vault defined some environment variables to be used for configuring its behavior, Geodesic preferred to use its own variables starting with AWS_VAULT to avoid confusion with official AWS SDK configuration variables. In the past, these variables were converted to command-line arguments in order to keep the aws-vault variables out of the environment entirely.

With this PR, we still suggest setting the AWS_VAULT_* variables to configure aws-vault:

  • AWS_VAULT_ASSUME_ROLE_TTL: Expiration time for the AssumeRole credentials
  • AWS_VAULT_SESSION_TTL: Length of time before you have to login again
  • AWS_VAULT_CHAINED_SESSION_TOKEN_TTL: Expiration time for the GetSessionToken credentials when chaining profiles (aws-vault version 5 only)

If you set these variables and also have not set AWS_VAULT_ENABLED=false, then these variables will be converted to the appropriate environment variables for the version of aws-vault you have installed.

As has been the case for some time, Geodesic sets

AWS_VAULT_ASSUME_ROLE_TTL=1h
AWS_VAULT_SESSION_TTL=12h

and as of this PR, AWS_VAULT_CHAINED_SESSION_TOKEN_TTL defaults to the value of AWS_VAULT_SESSION_TTL.

If you want to use aws-vault version 4, you can add this line to your Dockerfile:

apk add -u aws-vault@cloudposse~=4
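
The version-dependent conversion described in this PR, sketched as an added example (this is not Geodesic's own script). The function name `aws_vault_native_env` is hypothetical. The native variable names (`AWS_SESSION_TTL` for v4; `AWS_SESSION_TOKEN_TTL` and `AWS_CHAINED_SESSION_TOKEN_TTL` for v5) do not appear on this page; they are aws-vault's own, and which Geodesic variable feeds which is an assumption.

```shell
#!/bin/sh
# Added illustration; not Geodesic's script. The names printed are aws-vault's
# native environment variables; the pairing with AWS_VAULT_* is an assumption.

# aws_vault_native_env VERSION
# Prints NAME=value lines for the given aws-vault version ("4.7.1", "v5.4.0").
aws_vault_native_env() {
    _ver="${1#v}"
    _major="${_ver%%.*}"

    # The page says conversion happens unless AWS_VAULT_ENABLED=false.
    if [ "${AWS_VAULT_ENABLED:-true}" = "false" ]; then
        return 0
    fi

    # Defaults stated on the page: 1h, 12h, chained TTL follows session TTL.
    _assume="${AWS_VAULT_ASSUME_ROLE_TTL:-1h}"
    _session="${AWS_VAULT_SESSION_TTL:-12h}"
    _chained="${AWS_VAULT_CHAINED_SESSION_TOKEN_TTL:-$_session}"

    case "$_major" in
        4)
            printf 'AWS_ASSUME_ROLE_TTL=%s\n' "$_assume"
            printf 'AWS_SESSION_TTL=%s\n' "$_session"
            ;;
        5)
            printf 'AWS_ASSUME_ROLE_TTL=%s\n' "$_assume"
            printf 'AWS_SESSION_TOKEN_TTL=%s\n' "$_session"
            printf 'AWS_CHAINED_SESSION_TOKEN_TTL=%s\n' "$_chained"
            ;;
        *)
            # Fail closed rather than guess at names for an unknown version.
            printf 'unsupported aws-vault version: %s\n' "$1" >&2
            return 1
            ;;
    esac
}

# Constructed version strings, for demonstration only.
for v in 4.7.1 v5.4.0; do
    echo "# aws-vault $v"
    aws_vault_native_env "$v"
done
```

Because the chained TTL falls back to the session TTL, lengthening `AWS_VAULT_SESSION_TTL` also lengthens the lifetime of chained GetSessionToken credentials under v5 unless `AWS_VAULT_CHAINED_SESSION_TOKEN_TTL` is set separately.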

@Nuru Nuru requested a review from osterman April 24, 2020 22:34
@github-actions github-actions bot added the shell label Apr 24, 2020
Member

@osterman osterman left a comment

Rabbit Hole

@Nuru Nuru merged commit fc1ffcf into master Apr 24, 2020
@Nuru Nuru deleted the aws-vault branch April 24, 2020 22:51
leb4r pushed a commit that referenced this pull request Jan 25, 2022