Linux version of 6.6.0 always complains about specified keyring backend #890

Closed
2 of 3 tasks
SMillerDev opened this issue Mar 14, 2022 · 10 comments

@SMillerDev

  • I am using the latest release of AWS Vault
  • I have provided my .aws/config (redacted if necessary)
  • I have provided the debug output using aws-vault --debug (redacted if necessary)

Homebrew is encountering this in the attempts to build 6.6.0

$ /home/linuxbrew/.linuxbrew/Cellar/aws-vault/6.6.0/bin/aws-vault login --debug 2>&1
2022/03/14 08:19:28 aws-vault 6.6.0-Homebrew
2022/03/14 08:19:28 [keyring] Considering backends: [keyctl]
2022/03/14 08:19:28 [keyring] Failed backend keyctl: accessing "" keyring failed: unknown scope ""
aws-vault: error: Specified keyring backend not available, try --help

As you can see in the command though, no backend is specified so it's odd that it's reporting that as unavailable.


This is a continuation of #889 with a clearer description of the problem that we're seeing in the Homebrew builds of this project.

@drdaeman

This happens because Config.KeyCtlScope is never initialized and defaults to an empty string (which is not a valid option). So during the initialization getKeyringForScope fails with this "unknown scope %q". To my understanding, keyctl backend in 6.5 and 6.6 is unusable, as there is no way to provide the scope.

Based on the "Considering backends: [keyctl]" it looks like it was explicitly selected with AWS_VAULT_BACKEND (I assume this because there's no "file" backend listed, which should only happen if backend is explicitly set. Or, well, if the keyring library is patched). I've no idea what Homebrew does and why it tries to use this backend.

@SMillerDev
Author

Homebrew doesn't try anything special. It builds using make and make install and after it just runs the command I posted without any environment variables set.

It appears to me that this is the default.

@zmikaya-lh

zmikaya-lh commented Mar 29, 2022

After updating WSL to Ubuntu 21.04 and reinstalling aws-vault using brew, this issue went away. It was present on Ubuntu 20.04.

I still ran into other issues though since I didn't have a GUI popup for the password input.

@lackovic

lackovic commented Apr 28, 2022

I ran into the same issue on Ubuntu 22.04:

$ aws-vault list
aws-vault: error: Specified keyring backend not available, try --help

$ aws-vault --debug exec test
2022/04/28 12:28:58 aws-vault v6.6.0
2022/04/28 12:28:58 Loading config file /home/marco/.aws/config
2022/04/28 12:28:58 Parsing config file /home/marco/.aws/config
2022/04/28 12:28:58 [keyring] Considering backends: [keyctl]
2022/04/28 12:28:58 [keyring] Failed backend keyctl: accessing "" keyring failed: unknown scope ""
aws-vault: error: Specified keyring backend not available, try --help

I installed aws-vault manually with the following commands:

wget https://github.com/99designs/aws-vault/releases/download/v6.6.0/aws-vault-linux-amd64
chmod +x ./aws-vault-linux-amd64
sudo mv aws-vault-linux-amd64 /usr/local/bin/aws-vault

It worked using --backend=pass after I initialized pass with a gpg key:

$ aws-vault list --backend=pass
Profile                  Credentials              Sessions
=======                  ===========              ========
default                  -                        -
-                        foo                      -

To avoid having to use --backend=pass append the following line to your ~/.profile:

export AWS_VAULT_BACKEND=pass

@nordras

nordras commented Jul 5, 2022

You need to check what your keyring manager is, by installing a new one or using the default.
For me it worked on WSL 2 Ubuntu 20+.
Insert in your ~/.profile:
export AWS_VAULT_BACKEND=file

@evbo

evbo commented Jul 14, 2022

@nordras thank you, I am running in a docker container where I'd prefer to avoid installing extra keychain dependencies (keyctl, gnome-keyring, etc). What is the significance of setting the backend to file? I can't find it documented what that means... Is aws vault just writing my credentials to a plain text (or encrypted?) file? Thanks

@nordras

nordras commented Jul 14, 2022

Seems like the new versions of OSes based on UNIX already have a default keychain feature. It seems like it's writing the credentials to an encrypted config file. I saw these configurations by looking into the add function code; it has been some time since I did that, so I'm not 100% sure. @evbo, you're welcome!
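
Whether a backend left credentials in plain text or in an encrypted container can be checked on the file itself. The following is an added example, not code from this thread or from aws-vault: `classify_credential_file`, `demo` and both sample files are constructed here, and it assumes an encrypted store would use the JWE compact form (five dot-separated base64url parts), which this thread does not state.

```python
import base64, json, os, re, stat, tempfile

# Long-term (AKIA) and temporary (ASIA) AWS access key ID shapes.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

def _b64url_json(part):
    pad = "=" * (-len(part) % 4)          # JWE strips base64 padding
    return json.loads(base64.urlsafe_b64decode(part + pad))

def classify_credential_file(path):
    """Return (kind, detail, readable_by_group_or_other) for one stored file."""
    exposed = bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="replace").strip()
    parts = text.split(".")
    if len(parts) == 5:                   # header.key.iv.ciphertext.tag
        try:
            header = _b64url_json(parts[0])
            if isinstance(header, dict) and "alg" in header and "enc" in header:
                return ("jwe", f'{header["alg"]}/{header["enc"]}', exposed)
        except ValueError:                # bad base64, bad UTF-8 or bad JSON
            pass
    if ACCESS_KEY_ID.search(text):
        return ("plaintext-key", "access key ID readable in file", exposed)
    return ("unknown", "", exposed)

def demo():
    """Classify one constructed sample of each kind in a temp directory."""
    header = {"alg": "PBES2-HS256+A128KW", "enc": "A256GCM"}  # constructed
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    samples = {
        "encrypted": (f"{h}.a2V5.aXY.Y3Q.dGFn", 0o600),
        # AWS documentation's example key ID, not a real credential
        "plain": ("aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n", 0o644),
    }
    out = {}
    with tempfile.TemporaryDirectory() as d:
        for name, (body, mode) in samples.items():
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write(body)
            os.chmod(p, mode)
            out[name] = classify_credential_file(p)
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A `jwe` result only shows the container format; the strength of the protection still depends on the passphrase used to derive the key.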

@Sarke

Sarke commented Sep 27, 2022

So I just ran into this. It was working about a week or two ago, so no version update.

The trouble is that I have already added the credentials, and setting the backend to file will just leave it blank.

I do see this file modified a while ago: ~/.local/share/keyrings/awsvault.keyring

It appears the system has stopped using it?

@Sarke

Sarke commented Sep 27, 2022

$ aws-vault list --backend=secret-service --debug
2022/09/27 14:53:59 aws-vault 6.6.0-Homebrew
2022/09/27 14:53:59 [keyring] Considering backends: [secret-service]
2022/09/27 14:53:59 [keyring] Failed backend secret-service: Algorithm plain is not supported. (only dh-ietf1024-sha256-aes128-cbc-pkcs7 is supported)
aws-vault: error: Specified keyring backend not available, try --help

Maybe an update disabled plain as too insecure?
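
The `[keyring]` debug lines quoted in this thread are enough to tell the reported failures apart. The following is an added example, not part of the issue or of aws-vault: `triage` is a hypothetical helper that reads `--debug` output, lists which backends were considered and why each failed, and flags the case from the original report where the error says "Specified keyring backend" although none was specified.

```python
import re

# Debug output copied from the first post in this thread.
SAMPLE_DEBUG = '''\
2022/03/14 08:19:28 aws-vault 6.6.0-Homebrew
2022/03/14 08:19:28 [keyring] Considering backends: [keyctl]
2022/03/14 08:19:28 [keyring] Failed backend keyctl: accessing "" keyring failed: unknown scope ""
aws-vault: error: Specified keyring backend not available, try --help
'''

CONSIDER = re.compile(r"\[keyring\] Considering backends: \[(.*?)\]")
FAILED = re.compile(r"\[keyring\] Failed backend (\S+): (.*)")

def triage(debug_output, env=None, argv=()):
    """Summarise the backends tried, each failure, and whether one was chosen.

    env and argv are what the command ran with (pass os.environ and
    sys.argv-style arguments); both default to empty.
    """
    env = env or {}
    considered, failures = [], {}
    for line in debug_output.splitlines():
        if m := CONSIDER.search(line):
            considered = m.group(1).split()   # backends are space-separated
        elif m := FAILED.search(line):
            failures[m.group(1)] = m.group(2)
    explicit = "AWS_VAULT_BACKEND" in env or any(
        a.startswith("--backend") for a in argv)
    notes = []
    for backend, reason in failures.items():
        if 'unknown scope ""' in reason:
            notes.append(f"{backend}: scope setting is empty, backend cannot initialise")
        elif "Algorithm plain is not supported" in reason:
            notes.append(f"{backend}: secret service refused the 'plain' session algorithm")
        else:
            notes.append(f"{backend}: {reason}")
    all_failed = bool(considered) and all(b in failures for b in considered)
    return {
        "considered": considered,
        "all_failed": all_failed,
        "explicitly_selected": explicit,
        # Error text blames a "specified" backend, yet the user chose none.
        "misleading_error": all_failed and not explicit,
        "notes": notes,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_DEBUG))
```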

@github-actions

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@github-actions github-actions bot added the stale label Sep 12, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Sep 20, 2023