@alex-budkar-amplitude alex-budkar-amplitude commented Mar 26, 2023

Currently, when running on WSL, the only supported prompt driver is terminal.
The terminal prompt is not compatible with server mode, making it very hard to develop apps in WSL that need to talk to AWS.

To work around the issue we run the credentials server on the Windows host and take advantage of Windows credential storage and UX.
On WSL Linux we run a proxy command that talks to the credentials server running on the host. Because we don't need to run the proxy on the Windows host, we made it optional. If the proxy is disabled, we would not need privilege elevation.

On windows:

aws-vault exec --ec2-server --wsl --no-proxy ${PROFILE_NAME}

On linux:

aws-vault proxy --wsl

After that, all Linux processes will authenticate through the Windows host.

Security implications:
We only bind to the WSL host IP and only accept connections from IPs that belong to the WSL network.

Open questions:

  1. It is possible that the user wants to be able to run the proxy and invoke commands from Windows as well; we can bind to localhost in addition to the WSL interface.
  2. It is plausible that the user would like to be able to run aws-vault exec --wsl -- aws s3 ls without running the proxy, implying that we shall ask the WSL host for credentials (it's very convenient when the creds server runs on the host). It is possible to support that use case.

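The "Security implications" paragraph above describes the only protection the design relies on: the credential server binds to the WSL host address and refuses peers outside the WSL network. As an added example (this is not code from this PR or from aws-vault itself), the Go program below shows what that check looks like when enforced on the listening side. The 172.16.0.0/12 range, the BIND_IP environment variable, the port 9099 and the JSON values are all assumptions made for the example; the real WSL adapter range differs per machine and should be read from `ipconfig` on the host or `ip route` inside WSL.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net"
	"net/http"
	"os"
)

// Constructed for this example: the address range of the WSL virtual switch.
// Windows often assigns the vEthernet (WSL) adapter an address in 172.16.0.0/12,
// but the exact range varies per machine; read it from `ipconfig` on the host or
// `ip route` inside WSL instead of hard-coding it in real use.
const assumedWSLNetwork = "172.16.0.0/12"

// parseAllowed turns CIDR strings into networks; any bad entry is a hard error
// so a typo cannot silently widen or empty the allow-list.
func parseAllowed(cidrs ...string) ([]*net.IPNet, error) {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad CIDR %q: %w", c, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// allowedSource reports whether the TCP peer address ("ip:port") lies inside
// one of the allowed networks. It fails closed: unparsable input is rejected.
func allowedSource(remoteAddr string, allowed []*net.IPNet) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range allowed {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// guard rejects requests whose peer is outside the allowed networks with 403.
// Only r.RemoteAddr is consulted; X-Forwarded-For and similar headers are
// client-controlled and must not influence this decision.
func guard(next http.Handler, allowed []*net.IPNet) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowedSource(r.RemoteAddr, allowed) {
			log.Printf("rejected credential request from %s", r.RemoteAddr)
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// credentialHandler stands in for the real credential server. The values are
// constructed placeholders in the ECS credential-endpoint JSON shape, not real keys.
func credentialHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]string{
			"AccessKeyId":     "ASIAEXAMPLEPLACEHOLDER",
			"SecretAccessKey": "example-secret-placeholder",
			"Token":           "example-session-token-placeholder",
			"Expiration":      "2023-03-26T12:00:00Z",
		})
	})
}

func main() {
	// BIND_IP is an assumed environment variable naming the host-side address of
	// the WSL adapter; binding there (not 0.0.0.0) keeps the port off the LAN.
	bindIP := os.Getenv("BIND_IP")
	if bindIP == "" {
		bindIP = "127.0.0.1"
	}
	allowed, err := parseAllowed(assumedWSLNetwork, "127.0.0.0/8")
	if err != nil {
		log.Fatal(err)
	}
	addr := net.JoinHostPort(bindIP, "9099") // port chosen for the example
	log.Printf("serving credentials on %s to peers in %v only", addr, allowed)
	log.Fatal(http.ListenAndServe(addr, guard(credentialHandler(), allowed)))
}
```

Two points worth noting for anyone reproducing the PR's setup this way: the peer check is a second line of defence behind binding to the adapter address, because a /12 allow-list also admits any other Hyper-V guest attached to the same virtual switch; and the decision is taken on the TCP peer address alone, since any header a client can set is useless as an access-control signal.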
mtibben commented Mar 26, 2023

> Currently when running on WSL the only supported prompt driver is terminal

Can't you install zenity or kdialog?

> To workaround the issue we run credentials server on windows host and take advantage of windows cred storage and UX

This seems similar to the docker setup in the USAGE.md.

However, the solution you've created in this PR is bespoke to WSL, a hyper-specific solution not really suitable to a general tool.

My suggestions

  1. Use ECS server instead. It's more flexible for this use-case
  2. Set up proxying and networking outside of aws-vault, similar to the docker solution

And then this way you can add this use-case solution to contrib
