Description
I have set up aws-vault with my yubikey and it's working fine, but when I issue an aws command and there is no session cached, I don't get prompted to touch my yubikey.
When I call aws-vault directly, I get prompted, as expected, e.g.:
$ aws-vault export --format=json --prompt=ykman er0k
Touch your YubiKey...
^C
but when calling aws directly, there is no prompt. It just hangs there, and eventually times out:
$ aws sts get-caller-identity
Error when retrieving credentials from custom-process: Touch your YubiKey...
ERROR: Touch account timed out!
aws-vault: error: exec: Failed to get credentials for er0k: process provider: exit status 1
If I touch the yubikey before the timeout it does work, but it can be hard to tell if it's waiting for input from me or AWS is just being slow 😛
My aws config looks like this:
[profile er0k]
mfa_serial=arn:aws:iam::1234567890:mfa/yubivirt
mfa_process = ykman oath accounts code --single arn:aws:iam::1234567890:mfa/yubivirt
credential_process = aws-vault export --format=json --prompt=ykman er0k
I have also tried using the terminal prompt driver instead of ykman, but the behavior is the same.
I've also noticed kubectl (using EKS) does not show the prompt. But docker (using ECR) and terraform (using S3 for state storage) both prompt with Touch your YubiKey... correctly.
Is there any way to get aws and kubectl commands to prompt with Touch your YubiKey... ?
- I am using the latest release of AWS Vault
- I have provided my .aws/config (redacted if necessary)
- I have provided the debug output using aws-vault --debug (redacted if necessary)
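Added example, not part of the issue or of aws-vault: the error line above shows the caller collecting the helper's stderr ("Touch your YubiKey...") into its own error message instead of showing it, so a wrapper can route the helper's stderr to the controlling terminal while stdout (the credential JSON) still flows back to the caller. The wrapper name `tty-prompt` and the install path are assumptions.

```shell
#!/bin/sh
# tty-prompt: run a credential helper and send its stderr (the touch prompt)
# straight to the controlling terminal, leaving stdout for the caller.
# Constructed example; it assumes the calling tool captures the helper's
# stderr, which is consistent with the error message shown in the issue.

run_with_tty_prompt() {
    # Open /dev/tty for writing in a subshell first: with no controlling
    # terminal (cron, CI, a daemon) that open fails, and we fall back to the
    # inherited stderr so error text is not lost.
    if ( : >/dev/tty ) 2>/dev/null; then
        "$@" 2>/dev/tty
    else
        "$@"
    fi
}

# Intended ~/.aws/config wiring (assumed install path):
#   credential_process = /usr/local/bin/tty-prompt aws-vault export --format=json --prompt=ykman er0k
# Only dispatch when executed as the installed script, not when sourced.
if [ "${0##*/}" = "tty-prompt" ]; then
    run_with_tty_prompt "$@"
fi
```

The same wrapper works for any credential_process caller (kubectl via the AWS CLI included), because the fix is on the helper side rather than in each client.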