From df543cd12640be3842239ed7c4caf4a507cebb29 Mon Sep 17 00:00:00 2001
From: Lucas Almeida
Date: Sat, 16 Aug 2025 17:21:13 -0300
Subject: [PATCH 1/3] fix: handle unchained credential sources
---
 vault/vault.go | 21 ++++----------------
 1 file changed, 4 insertions(+), 17 deletions(-)
diff --git a/vault/vault.go b/vault/vault.go
index 7cec45b1e..b5529dc8b 100644
--- a/vault/vault.go
+++ b/vault/vault.go
@@ -254,23 +254,10 @@ func (t *TempCredentialsCreator) getSourceCredWithSession(config *ProfileConfig,
 return nil, err
 }
 
- if hasStoredCredentials || !config.HasRole() {
- if canUse, reason := t.canUseGetSessionToken(config); !canUse {
- log.Printf("profile %s: skipping GetSessionToken because %s", config.ProfileName, reason)
- if !config.HasRole() {
- return sourcecredsProvider, nil
- }
- }
- t.chainedMfa = config.MfaSerial
- log.Printf("profile %s: using GetSessionToken %s", config.ProfileName, mfaDetails(false, config))
- sourcecredsProvider, err = NewSessionTokenProvider(sourcecredsProvider, t.Keyring.Keyring, config, !t.DisableCache)
- if !config.HasRole() || err != nil {
- return sourcecredsProvider, err
- }
- }
+ isChainedCredentialSource := config.ChainedFromProfile != nil
 
- if config.HasRole() {
- isMfaChained := config.MfaSerial != "" && config.MfaSerial == t.chainedMfa
+ if config.HasRole() && !isChainedCredentialSource {
+ isMfaChained := config.SourceProfile != nil && config.MfaSerial == config.SourceProfile.MfaSerial
 if isMfaChained {
 config.MfaSerial = ""
 }
@@ -278,7 +265,7 @@ func (t *TempCredentialsCreator) getSourceCredWithSession(config *ProfileConfig,
 return NewAssumeRoleProvider(sourcecredsProvider, t.Keyring.Keyring, config, !t.DisableCache)
 }
 
- if isMasterCredentialsProvider(sourcecredsProvider) {
+ if isMasterCredentialsProvider(sourcecredsProvider) || isChainedCredentialSource {
 canUseGetSessionToken, reason := t.canUseGetSessionToken(config)
 if canUseGetSessionToken {
 t.chainedMfa = config.MfaSerial
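Review bot: `hasStoredCredentials` loses its only visible reader in the first hunk — the removed `if hasStoredCredentials || !config.HasRole()` block was the sole use shown, and nothing on the new side reads it. If it is a parameter of getSourceCredWithSession it now goes silently unused (Go does not flag unused parameters); if it is a local the file will not compile, so the function head, which lies outside the hunk, should be checked and the value dropped or used. The new `!isChainedCredentialSource` gate also means a chained source profile that itself has a role now skips the AssumeRole branch entirely; if that is intentional because the caller assumes the role, a one-line comment such as `// chained sources only get a session here; the caller assumes their role` would keep the next reader from treating it as a bug. The function starts before and ends after this hunk.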
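Review bot: The second hunk's `|| isChainedCredentialSource` sends a chained source into the GetSessionToken branch even when `sourcecredsProvider` is not a master (long-term) credentials provider, which was the only case the old condition admitted. As far as I know STS refuses GetSessionToken when called with temporary credentials, so the branch now relies on `t.canUseGetSessionToken(config)` to reject a chained source whose provider is already a session or role provider; its body is outside the hunk, so that is worth confirming rather than assuming. If the check is indeed there, a comment on the condition naming that reliance, `// canUseGetSessionToken rejects chained sources backed by temporary credentials`, would make the contract visible at the call site.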
From 773d7b6b015011e7ad19a24e6bc446cf5194ae16 Mon Sep 17 00:00:00 2001
From: Lucas Almeida
Date: Sat, 16 Aug 2025 22:54:32 -0300
Subject: [PATCH 2/3] fix: return if cannot use GetSessionToken in chained methods to avoid prompting source mfa
---
 vault/vault.go | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/vault/vault.go b/vault/vault.go
index b5529dc8b..13dfa4e53 100644
--- a/vault/vault.go
+++ b/vault/vault.go
@@ -267,12 +267,13 @@ func (t *TempCredentialsCreator) getSourceCredWithSession(config *ProfileConfig,
 
 if isMasterCredentialsProvider(sourcecredsProvider) || isChainedCredentialSource {
 canUseGetSessionToken, reason := t.canUseGetSessionToken(config)
- if canUseGetSessionToken {
- t.chainedMfa = config.MfaSerial
- log.Printf("profile %s: using GetSessionToken %s", config.ProfileName, mfaDetails(false, config))
- return NewSessionTokenProvider(sourcecredsProvider, t.Keyring.Keyring, config, !t.DisableCache)
+ if !canUseGetSessionToken {
+ log.Printf("profile %s: skipping GetSessionToken because %s", config.ProfileName, reason)
+ return sourcecredsProvider, nil
 }
- log.Printf("profile %s: skipping GetSessionToken because %s", config.ProfileName, reason)
+ t.chainedMfa = config.MfaSerial
+ log.Printf("profile %s: using GetSessionToken %s", config.ProfileName, mfaDetails(false, config))
+ return NewSessionTokenProvider(sourcecredsProvider, t.Keyring.Keyring, config, !t.DisableCache)
 }
 
 return sourcecredsProvider, nil
From efc36b8035be7b978070ccb141ac65b29ce16aea Mon Sep 17 00:00:00 2001
From: Lucas Almeida
Date: Sat, 16 Aug 2025 23:06:02 -0300
Subject: [PATCH 3/3] style: reverting to the original way to verify if is chainedMfa
---
 vault/vault.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vault/vault.go b/vault/vault.go
index 13dfa4e53..450fea591 100644
--- a/vault/vault.go
+++ b/vault/vault.go
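Review bot: The subject calls this a fix, but the hunk does not change behaviour: on the old side the `skipping` branch fell out of the `if` straight into the same `return sourcecredsProvider, nil` that the new early return reaches, and the `using` branch already returned from inside the `if`. What the hunk does is turn the nested `if canUseGetSessionToken` into a guard clause, which reads better, so the commit message should say that (`refactor: early-return when GetSessionToken cannot be used`) rather than promise an MFA prompt that this code never issued. If a spurious source-MFA prompt was actually observed, its cause is outside this hunk — `canUseGetSessionToken`, `NewSessionTokenProvider` or the caller — and is still unaddressed by the series. getSourceCredWithSession starts before this hunk.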
@@ -257,7 +257,7 @@ func (t *TempCredentialsCreator) getSourceCredWithSession(config *ProfileConfig,
 isChainedCredentialSource := config.ChainedFromProfile != nil
 
 if config.HasRole() && !isChainedCredentialSource {
- isMfaChained := config.SourceProfile != nil && config.MfaSerial == config.SourceProfile.MfaSerial
+ isMfaChained := config.MfaSerial != "" && config.MfaSerial == t.chainedMfa
 if isMfaChained {
 config.MfaSerial = ""
 }
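Review bot: The reinstated `config.MfaSerial == t.chainedMfa` compares against creator state that the GetSessionToken branch lower in this function writes (`t.chainedMfa = config.MfaSerial`, visible in the previous patch), and its effect — blanking `config.MfaSerial` so the role is assumed without an MFA token — is only sound when the source session was actually established with that serial; nothing at this line says so. A short comment would pin the invariant for the next reader: `// t.chainedMfa is the serial the source's GetSessionToken already used; that session carries the MFA context, so don't prompt again for the role`. Since the field lives on *TempCredentialsCreator rather than on the call, it is worth confirming it cannot carry over from an earlier profile resolved by the same creator — I can't see a reset from here. The enclosing function starts before and ends after this hunk.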