Comments (3)

blimmer commented on June 9, 2024

Hey - I'm glad that this plugin has been useful for you!

I just looked into what aws-vault exec is doing and I think it might be possible - there are a few options that I can think of:

Hacky Option

I think one solution would be to trigger a new shell (in a subshell), grabbing the ENV variables from that shell, setting them in the existing shell, and killing the new subshell.

https://github.com/99designs/aws-vault/blob/389cc244cf74f394fcb8e0b607f7c56184da677d/cli/exec.go#L153-L159

I don't love this option - it feels pretty hacky, but could work.

Another idea

What if, instead, the behavior exited out of your session and re-ran avsh $profile for you? Since we know the profile from ENV variables, we should be able to do that and it would be easier / more reliable than the other option.

I know this isn't exactly what you're asking for, so let me know.

from zsh-aws-vault.

dan-kez commented on June 9, 2024

Thanks for the prompt response! The main concern I have with the second proposal is that your active directory will jump back to where you were before you launched the first subshell. Additionally, this would remove any temporary session variables that you had in your shell at the time.

The first proposal, while hacky, allows you to preserve the state of your active shell.

from zsh-aws-vault.

blimmer commented on June 9, 2024

Thanks for the additional context. I am a bit worried about adding this behavior to this plugin directly. Because of the sensitive nature of these tokens, I don't want to take on the potential risk of exposing credentials based on an implementation decision here.

That said, I have a few other ideas to pose:

  1. You could post over on aws-vault on this issue (99designs/aws-vault#72), which sounds like what we'd need to do this easily via delegation. The issue was closed for lack of context, but maybe you could reopen with the context you provided.

  2. Use the --server feature (docs). From the docs:

Local EC2 Instance Metadata server is started. This approach has the advantage that anything that uses Amazon's SDKs will automatically refresh credentials as needed, so session times can be as short as possible. The downside is that only one can run per host and because it binds to 169.254.169.254:80, your sudo password is required.

That might work around your problem since tokens are automatically refreshed.

For now, I'm going to close this issue as "won't fix" because of the potential security concerns I mentioned above. That said, if aws-vault adds behavior that unsets and refreshes your environment variables, I'd be more than happy to add it to this project.

from zsh-aws-vault.
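
The "Hacky Option" from the first comment, written out as an added example (it is not code from zsh-aws-vault or aws-vault): take `env` output from a fresh aws-vault session and import only an allowlist of credential variables into the current shell, without `eval`. The function names and the allowlist are hypothetical. It assumes session credentials, that `AWS_VAULT` holds the active profile name, and that clearing `AWS_VAULT` for the child process is enough for aws-vault to start a new session.

```shell
#!/bin/sh
# Added example, not zsh-aws-vault code. Function names are hypothetical.

# Only these names may ever be imported; every other input line is dropped.
AWS_IMPORT_ALLOWLIST="AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SESSION_EXPIRATION AWS_CREDENTIAL_EXPIRATION"

# Read `env`-style KEY=VALUE lines on stdin and export the allowlisted ones.
# Nothing is exported unless the whole batch passes validation.
aws_import_env() {
  local line name seen=" " accepted=""
  while IFS= read -r line; do
    case "$line" in *=*) ;; *) continue ;; esac
    name=${line%%=*}
    # Names must be plain upper-case identifiers and on the allowlist.
    case "$name" in ""|*[!A-Z0-9_]*) continue ;; esac
    case " $AWS_IMPORT_ALLOWLIST " in *" $name "*) ;; *) continue ;; esac
    # A repeated name makes the input ambiguous (for example a multi-line
    # value that contains KEY=VALUE text): refuse the whole batch.
    case "$seen" in *" $name "*) return 1 ;; esac
    seen="$seen$name "
    accepted="$accepted$line
"
  done
  # Require a complete credential set so old and new values never mix.
  for name in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
    case "$seen" in *" $name "*) ;; *) return 1 ;; esac
  done
  # Plain assignment via export; the value is never evaluated as shell code.
  while IFS= read -r line; do
    if [ -n "$line" ]; then export "$line"; fi
  done <<EOF
$accepted
EOF
}

# Wrapper for use inside an existing aws-vault subshell (assumptions above).
aws_vault_refresh() {
  local out
  [ -n "${AWS_VAULT:-}" ] || return 1
  out=$(env -u AWS_VAULT aws-vault exec "$AWS_VAULT" -- env) || return 1
  aws_import_env <<EOF
$out
EOF
}
```

The current directory and any other variables in the running shell are left untouched, which is the property the second comment asks for.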
