Add RetrieveWithoutSessionToken() to handle NoSession

vault/provider.go

@@ -151,6 +151,48 @@ func (p *VaultProvider) Retrieve() (credentials.Value, error) {
 	return value, nil
 }
 
+// RetrieveWithoutSessionToken returns credentials that are either the master credentials or
+// a session created with AssumeRole. This allows for usecases where a token created with AssumeRole
+// wouldn't work.
+func (p *VaultProvider) RetrieveWithoutSessionToken() (credentials.Value, error) {
+	log.Println("Skipping session token and using master credentials directly")
+
+	creds, err := p.getMasterCreds()
+	if err != nil {
+		return credentials.Value{}, err
+	}
+
+	if role, ok := p.profiles[p.profile]["role_arn"]; ok {
+		session, err := p.assumeRole(creds, role)
+		if err != nil {
+			return credentials.Value{}, err
+		}
+
+		log.Printf("Using role ****************%s, expires in %s",
+			(*session.AccessKeyId)[len(*session.AccessKeyId)-4:],
+			session.Expiration.Sub(time.Now()).String())
+
+		window := p.ExpiryWindow
+		if window == 0 {
+			window = time.Minute * 5
+		}
+
+		p.SetExpiration(*session.Expiration, window)
+		p.expires = *session.Expiration
+
+		value := credentials.Value{
+			AccessKeyID:     *session.AccessKeyId,
+			SecretAccessKey: *session.SecretAccessKey,
+			SessionToken:    *session.SessionToken,
+		}
+
+		return value, nil
+	}
+
+	// no role, exposes master credentials which don't expire
+	return creds, nil
+}
+
 func (p *VaultProvider) getMasterCreds() (credentials.Value, error) {
 	if p.MasterCreds != nil {
 		return *p.MasterCreds, nil