feat: support passage (.age suffix)

[mahduv]

Passage is (almost) drop in replacement for pass that uses age as backend written by the creator of age.

Problem arises because age saves file with '.age' suffix while pass does it with '.gpg' suffix. Just symlinking aws-user.gpg -> aws-user.age does the job:

aws-vault add aws-user
ln -s "$PASSAGE_DIR/aws-user.age" "$PASSAGE_DIR/aws-user.gpg"

This is not a dealbreaker for adding users since it can easily be wrapped, but session-tokens are problem !

Solution would be to add check not just for .gpg but also for .age. Would send PR but I have never written Go, just read it. If you do not have time can give it a try ...

For reference this is the setup:

export AWS_VAULT_BACKEND=pass
export AWS_VAULT_PASS_CMD="passage"
export AWS_VAULT_PASS_PREFIX="aws"
export AWS_VAULT_PASS_PASSWORD_STORE_DIR="$PASSAGE_DIR"

P.S.
I use both pass and passage stuck into same ~/.pass home. First one for secrets I am comfortable putting behind gpg-agent with generous cache time, while second one where I want to enter password (or yubikey) every time. gpg has global cache setup per keyring so I would need to create separate one, sounds like nightmare. Age is so much easier option, perfect for this scenario ...

[mbevc1]

Sure give it a go. Quick question on this, I wonder if to avoid potential issues we could add new backend as mentioned in ByteNess/keyring#60 . Is the .age extension the only difference and is it fully compatible? 🤔

[mahduv]

Sure, I would merge it to make it painless for people using passage. Just put AWS_VAULT_BACKEND=passage and call it a day. And since both have same CLI interface new backend is practically allready tested. But I would add small tweak to itemExist function so my usecase is also supported. I expanded on it there

[mbevc1]

Thanks, responded to your comment in the keyring issue.

[mbevc1]

@mahduv passage backned was merged via ByteNess/keyring#61

[jenic]

Just keep in mind you'll need to bump the go.mod to 1.7.0 for keyring before passage can used:

diff --git a/go.mod b/go.mod
index a534c1f..b1cb47e 100644
--- a/go.mod
+++ b/go.mod
@@ -12,7 +12,7 @@ require (
        github.com/aws/aws-sdk-go-v2/service/sso v1.30.9
        github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13
        github.com/aws/aws-sdk-go-v2/service/sts v1.41.6
-       github.com/byteness/keyring v1.6.1
+       github.com/byteness/keyring v1.7.0
        github.com/charmbracelet/huh v0.8.0
        github.com/charmbracelet/lipgloss v1.1.0
        github.com/google/go-cmp v0.7.0

I can confirm that it works correctly with my passage and current AWS configurations. There is a slight unrelated issue making it difficult to use but I will investigate this a bit more before making a separate issue about it. I suspect it has to do with charmbraclet.

[mbevc1]

Thanks for checking @jenic !

@mahduv am I okay to close this as done, or is there anything else not working for you? Perhaps worth opening a new issue 🤔 ?

[mbevc1]

Released with: https://github.com/ByteNess/aws-vault/releases/tag/v7.9.0

[mbevc1]

@mahduv if there is anything else please feel free to open an new issue and I'll mark this as done now. Thanks for your contributions to both!

[mahduv]

That PR does not solve my issue, but I am glad it was merged !

For now my fork is enough for me ... there are projects in near future where I will work more with Go and then will make more tested PR and add docs that explain this gpg/age mixed usecase. Would also like to merge pass.go and passage.go into one file. That duplication bothers me :-)

Thanks for listening and patience ...

[mbevc1]

No worries, feel free to open an issue/PR when ready