Solved - aws-vault - Using aws-vault with WSL
Accepted Answer
I'm glad to see that I'm not the only one who had issues with it
This is how I'm using aws-vault in WSL2 and Ubuntu 20.04
Short version
# All the commands are executed in a WSL2 terminal
# Download
AWS_VAULT_VERSION="v6.3.1" && \
wget -O aws-vault "https://github.com/99designs/aws-vault/releases/download/${AWS_VAULT_VERSION}/aws-vault-linux-amd64"
# Install
sudo mv aws-vault /usr/local/bin/ && \
sudo chmod +x /usr/local/bin/aws-vault
# Verify
aws-vault --version
# Output:
# v6.3.1
# Install the pass backend and update gnupg, which encrypts passwords
sudo apt-get update && sudo apt-get install -y pass gnupg
# Make sure your terminal window is large enough
# Generate a key with gpg (gnupg)
gpg --gen-key
# Follow the prompts ...
# Create a storage key in pass from the previously generated public (pub) key
MY_PUBLIC_KEY="844E426A53A64C2A916CBD1F522014D5FDBF6E3D"
pass init "$MY_PUBLIC_KEY"
# All set, let's test
# Create an aws-vault profile
MY_PROFILE_NAME="staging-admin"
aws-vault add "$MY_PROFILE_NAME"
# Invoke some command with the AWS CLI using the previously created profile
aws-vault exec staging-admin -- aws s3 ls
# outputs a list of buckets if any
Long Version
All the commands are executed in WSL2.
Download and "install" aws-vault
# Download
AWS_VAULT_VERSION="v6.3.1" && \
wget -O aws-vault "https://github.com/99designs/aws-vault/releases/download/${AWS_VAULT_VERSION}/aws-vault-linux-amd64"
# Install
sudo mv aws-vault /usr/local/bin/ && \
sudo chmod +x /usr/local/bin/aws-vault
# Verify
aws-vault --version
# Output:
# v6.3.1
Install the pass backend for aws-vault. This is where we'll store the encrypted AWS credentials. We also need gnupg (gpg), which is the encryption tool that pass uses to encrypt passwords. gpg is shipped with Ubuntu, but it's best to keep it updated, so I added it to the installation process.
sudo apt-get update && sudo apt-get install -y pass gnupg
Create a storage key with gpg for the pass backend; that key is used for encrypting passwords.
IMPORTANT: Make sure your terminal window is large enough; otherwise, you won't be prompted to set a passphrase, and the whole process will fail.
gpg --gen-key
# Follow the prompts ...
Valid output
public and secret key created and signed.

pub   rsa3072 2021-04-22 [SC] [expires: 2023-04-22]
      844E426A53A64C2A916CBD1F522014D5FDBF6E3D
uid                      Meir Gabay <willy@wonka.com>
sub   rsa3072 2021-04-22 [E] [expires: 2023-04-22]
Initialize a "key-store" for aws-vault with pass, and instruct pass to use the previously created public key to encrypt aws-vault credentials.
NOTE: A public key is used for encryption, "anyone" can have it; for decryption, you need a private/secret key. This is why it's so important to keep the private key safe.
pass init "844E426A53A64C2A916CBD1F522014D5FDBF6E3D"
# You should be prompted to insert the passphrase that was set during the `gpg --gen-key` process
Valid output
Password store initialized for 844E426A53A64C2A916CBD1F522014D5FDBF6E3D
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 3 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2023-04-22
staging-admin: reencrypting to 24552E67E0372C6C
Luckily, the default "vaulting backend" for Linux is pass, so we can simply add a profile.
aws-vault add staging-admin
Enter Access Key ID: AKIAABCDEFGH12345678
Enter Secret Access Key:
Added credentials to profile "staging-admin" in vault
Verify
aws-vault exec staging-admin -- aws s3 ls
# buckets list ...
Other Answers:
Thank you @unfor19. I needed just a couple more things to get your solution working for me:
export AWS_VAULT_BACKEND=pass
export GPG_TTY="$( tty )"
which I've also added to my ~/.bashrc
My colleagues and I recently started using aws-vault and love it. However, as my development environment is in WSL, I wasn't able to use the wincred backend for aws-vault at first. I'm opening this issue to find out whether there are others like me, wanting to use aws-vault from WSL, and to ask how you are using aws-vault with WSL. Would you also like to see some official support for using the wincred backend "natively" with aws-vault in WSL?
Here's what I did to get it to work:
I tried running the aws-vault.exe binary from WSL and that works for all of the sub-commands that I've tried but one. It doesn't work for aws-vault exec, since the command I wish to exec is not available from the executable's point of view (in Windows).

I want to share with you a Python script I wrote together with a colleague. To use it you would put it on your $PATH in WSL along with the aws-vault.exe Windows binary (instead of the real aws-vault Linux binary) and call it as if it were aws-vault. If called with the "exec" sub-command it will use aws-vault.exe (with support for the wincred backend) to get the environment with AWS credentials and then execute the original command in WSL using that environment. For all other sub-commands it will simply forward the sub-command and all other arguments to aws-vault.exe.
There are some limitations in how it accepts command line arguments. It works if all options (--backend, --prompt etc.) are put before "exec". It might and probably will crash otherwise.
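A wrapper of the kind described in that answer, written here as an added example; it is not the answerer's script and not part of aws-vault. It keeps the same limitation (global options such as --backend or --prompt must come before the sub-command, and in the --opt=value form). It assumes that aws-vault.exe is reachable on the WSL $PATH through Windows interop, and that running `aws-vault.exe exec <profile> -- cmd.exe /c set` prints the injected AWS_* variables as KEY=VALUE lines, which is how the credential environment is harvested before the real command is exec'd inside WSL. The sample `set` output used in the comments and checks is constructed, not captured from a real session.

```python
#!/usr/bin/env python3
"""aws-vault shim for WSL (added example, not the thread author's script).

Install as `aws-vault` on the WSL $PATH next to the Windows `aws-vault.exe`.
Every sub-command is forwarded to aws-vault.exe (so the wincred backend
works); `exec <profile> -- <cmd>` instead fetches the credential environment
from aws-vault.exe and runs <cmd> inside WSL with that environment.

Assumptions (not stated in the thread):
  * aws-vault.exe is on $PATH and runnable through WSL's Windows interop;
  * `aws-vault.exe exec <profile> -- cmd.exe /c set` prints AWS_* variables
    as KEY=VALUE lines (CRLF-terminated), which is what gets harvested;
  * global options precede the sub-command and use the --opt=value form.
"""
import os
import subprocess
import sys

WINDOWS_BINARY = "aws-vault.exe"


def split_args(argv):
    """Split argv into (global_opts, subcommand, sub_args, command).

    `command` is the argument list after `--`, or None when there is no `--`.
    Anything starting with '-' before the first bare word is a global option,
    hence the --opt=value requirement: `--backend wincred` would be mis-split.
    """
    global_opts = []
    i = 0
    while i < len(argv) and argv[i].startswith("-"):
        global_opts.append(argv[i])
        i += 1
    if i == len(argv):
        return global_opts, None, [], None
    subcommand, rest = argv[i], argv[i + 1:]
    if "--" in rest:
        sep = rest.index("--")
        return global_opts, subcommand, rest[:sep], rest[sep + 1:]
    return global_opts, subcommand, rest, None


def windows_exec_argv(global_opts, sub_args):
    """Command line that makes aws-vault.exe dump its credential environment."""
    return [WINDOWS_BINARY, *global_opts, "exec", *sub_args,
            "--", "cmd.exe", "/c", "set"]


def parse_aws_env(text):
    """Collect AWS_* variables from KEY=VALUE lines of `set` output.

    splitlines() already treats CRLF as one line break. Only the first '='
    separates key from value, so a base64 session token ending in '=' padding
    survives intact.
    """
    env = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.startswith("AWS_"):
            env[key] = value
    return env


def credential_env(global_opts, sub_args):
    """Run aws-vault.exe and return the AWS_* variables it injected.

    Only stdout is captured; stderr stays attached to the terminal so that
    MFA or passphrase prompts from aws-vault.exe remain visible.
    """
    proc = subprocess.run(windows_exec_argv(global_opts, sub_args),
                          stdout=subprocess.PIPE, text=True, check=True)
    env = parse_aws_env(proc.stdout)
    if "AWS_ACCESS_KEY_ID" not in env:
        raise SystemExit("aws-vault.exe returned no AWS credentials")
    return env


def main(argv):
    global_opts, subcommand, sub_args, command = split_args(argv)
    if subcommand != "exec" or command is None:
        # Not `exec ... -- cmd`: hand the whole command line to the Windows binary.
        os.execvp(WINDOWS_BINARY, [WINDOWS_BINARY, *argv])
    env = dict(os.environ)
    env.update(credential_env(global_opts, sub_args))
    # Replace this process with the requested command, now carrying the AWS_* vars.
    os.execvpe(command[0], command, env)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Usage: save it as `~/.local/bin/aws-vault`, `chmod +x` it, make sure that directory sits on $PATH before any Linux aws-vault binary, and run e.g. `aws-vault --backend=wincred exec staging-admin -- aws s3 ls`. Note that a bare `aws-vault exec staging-admin` (no `--`) is forwarded unchanged and so opens a Windows shell, not a WSL one; the credential dump also lands in this process's memory only, and the exec'd command inherits it the same way it would from the native Linux binary.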