Keychain backend not working on darwin/arm64 (aka M1) Macs

[schisamo]

Describe the bug

Even though I am using macOS, I noticed assume would not save SSO tokens into keychain which from the documentation appeared to be the default.

To Reproduce

I forced assume to use the keychain keyring backend via config:

DefaultBrowser = "BRAVE"
CustomBrowserPath = "/Applications/Brave Browser.app/Contents/MacOS/Brave Browser"
LastCheckForUpdates = 4
[Keyring]
Backend = "keychain"
Debug = true

Next I ran an assume with the --verbose flag and observed the keychain was not available as a backend:

❯ assume -c -r us-west-2 --verbose xxxx-staging
DEBUG: starting update check
2022/04/14 15:08:55 [keyring] Considering backends: [keychain]
DEBUG: GetValidCachedToken: opening keyring: Specified keyring backend not available
If browser is not opened automatically, please open link:
https://device.sso.us-east-1.amazonaws.com/?user_code=XXXX-XXXX

Awaiting authentication in the browser...
2022/04/14 15:08:59 [keyring] Considering backends: [keychain]
DEBUG: writing sso token to credentials cache: opening keyring: Specified keyring backend not available

ℹ️  use -s to open a specific service (https://docs.commonfate.io/granted/usage/console)

Opening a console for xxxx-staging in your browser...

Expected behavior

As I am on macOS, I expect assume to save the SSO token in the keychain keyring backend by default.

Actual behavior

assume falls back to the file keyring backend which works BUT forces me to enter a passphrase each time:

❯ assume -c -r us-west-2 --verbose xxxx-staging
DEBUG: starting update check
2022/04/14 15:28:13 [keyring] Considering backends: [pass file]
2022/04/14 15:28:13 [keyring] Failed backend pass: The pass program is not available
? Enter passphrase to unlock "/Users/schisamo/.granted/cred-store"

Version Info

• MacBook Pro (16-inch, 2021) / Apple M1 Pro
• macOS 12.3.1 Monterey
• Assume 0.1.14

[schisamo]

After doing some digging it appears other tools that use the keyring library are experiencing similar issues. The fix appears to be cross-compiling darwin/arm64 on darwin/amd64:
99designs/aws-vault#760
gphotosuploader/gphotos-uploader-cli#302

[jordiup]

Hi @schisamo thanks for checking out Granted and reporting this issue.

I appreciate the research and links you've shared. I've just tested this locally on an M1 Macbook Air, running 12.3.1 Monterey.

granted % assume -c -r us-west-2 --verbose AWSAdministratorAccess-redacted
2022/04/20 09:05:02 [keyring] Considering backends: [keychain pass file]
2022/04/20 09:05:02 [keyring] Querying keychain for service="granted", account="https://redacted.awsapps.com/start", keychain="login.keychain"
DEBUG: starting update check
2022/04/20 09:05:02 [keyring] Found item "granted"

It seems like I'm unable to reproduce the error? I'll do some more digging and get back to you as soon as possible. Cheers

[bgs113]

I'm having the same issue. I received the same error as @schisamo when running as usual and when specifying the [keyring] config of Backend = "keychain". In he latter case, I get the following debug output:

DEBUG: GetValidCachedToken: opening keyring: Specified keyring backend not available
DEBUG: writing sso token to credentials cache: opening keyring: Specified keyring backend not available

This is on a 14" MBP with M1 Pro running macOS Monterey 12.3.1, with granted installed through homebrew.

[antonosmond]

@jordiup I think the issue is in the Makefile here:
https://github.com/common-fate/granted/blob/main/Makefile#L42
The binaries are being compiled with GOARCH=amd64.
We also need some versions compiled with GOARCH=arm64.
I tried making the changes in the Makefile and ran it on my machine and it works now without the prompt.
If you ran locally and couldn't recreate the issue, it may be that you compiled locally using make cli.
In this case, it does the compile using this:
https://github.com/common-fate/granted/blob/main/Makefile#L6
Here it doesn't set GOOS or GOARCH so I think it'll default to the system you're using i.e. if an M1 Mac, GOOS=darwin and GOARCH=arm64 hence you wouldn't see the issue but I can confirm compiling a version with GOARCH set to arm64 solves the issue

[andyw134]

I am also getting the same issue as @schisamo. The default install via homebrew went to a cred file.
Running a Macbook Pro 14-inch, 2021 on MacOS 12.4, Assume version 0.1.16

[dserodio]

I've cloned the repo and compiled with make && make cli and it seems to be working as expected (no password prompts, and there's a granted entry in my Keychain.

MacBook Pro (13-inch, M1, 2020) running macOS 12.4

[rK-delphix]

The above is correct, clone the repository and go through the Makefile. Build the binaries locally and make them available in your system path, works perfect! Thank You.

[holly-evans]

Same issue on MacBook Pro (16-inch, M1, 2021) running macOS 12.4.

My steps to compile:

git clone https://github.com/common-fate/granted.git
cd granted
brew install go
sudo bash -c "make && make cli"
echo 'alias assume="source dassume"' >> ~/.zshenv
echo 'alias granted="dgranted"' >> ~/.zshenv
cd .. && rm -rf granted

Also brew uninstall granted if necessary and check your ~/.zshenv for dupes

[chrnorm]

Thankyou @holly-evans @rK-delphix @dserodio @antonosmond for your help on this! I’ll update our documentation with this issue and workaround and also take a look at our build pipelines which create the MacOS binary. My current suspicion is that this may be due to how we are notarizing the binary, as building a binary locally doesn’t require notarization.

[chrnorm]

@holly-evans @rK-delphix @dserodio @antonosmond I've included our release pipelines for Granted v0.2.0 with the following environment variables based on 99designs/aws-vault#760

SDKROOT=$(xcrun --sdk macosx --show-sdk-path)
CGO_ENABLED=1

If you could try running brew install granted to get the latest version and let me know if this is working for you that would be fantastic! Thanks.

[ipmb]

It's working for me on an M1

Awaiting authentication in the browser...
2022/06/22 12:43:04 [keyring] Considering backends: [keychain pass file]
2022/06/22 12:43:04 [keyring] Checking keychain status
2022/06/22 12:43:04 [keyring] Keychain status returned nil, keychain exists
2022/06/22 12:43:04 [keyring] Keychain item trusts keyring
2022/06/22 12:43:04 [keyring] Adding service="granted", label="", account="https://***.awsapps.com/start", trusted=true to osx keychain "login.keychain"

[dserodio]

Reinstalled via Homebrew and it's working as expected, thanks!

Note: I found a bit strange that the Keychain prompt asks "[…] to use your confidential information stored in "" in your keychain", since the Keychain entry is called granted and not (empty string), but the screenshot in the documentation shows this so I know it's expected.

[JoshuaWilkes]

Closing this as it looks like it has been resolved, thanks everyone

[citosid]

Sorry to revive this @JoshuaWilkes , but... could it be there is a regression?

❯ brew install granted
==> Auto-updating Homebrew...
Adjust how often this is run with HOMEBREW_AUTO_UPDATE_SECS or disable with
HOMEBREW_NO_AUTO_UPDATE. Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
==> Auto-updated Homebrew!
Updated 1 tap (common-fate/granted).

Warning: common-fate/granted/granted 0.24.0 is already installed and up-to-date.
To reinstall 0.24.0, run:
  brew reinstall granted
[acruz@blinkin] ~  
❯ assume --verbose                                                    
[DEBUG] profile registry not configured. Skipping auto sync.
[DEBUG] process args  	execFlag:	osargs:[assumego,--verbose]	c.args:[]
[DEBUG] processed profile name
[DEBUG] exec config:<nil>

? Please select the profile you would like to assume: my-account/Administrator
[i] To assume this profile again later without needing to select it, run this command:
> assume my-account/Administrator --verbose
2024/04/30 10:28:59 [keyring] Considering backends: [keychain]
[DEBUG] error retrieving IAM Identity Center token from secure storage: opening keyring: Specified keyring backend not available
[i] If the browser does not open automatically, please open this link: https://device.sso.us-east-1.amazonaws.com/?user_code=NKBP-JDMF
[i] Awaiting AWS authentication in the browser
[i] You will be prompted to authenticate with AWS in the browser, then you will be prompted to 'Allow'
[i] Code: NKBP-JDMF
2024/04/30 10:29:03 [keyring] Considering backends: [keychain]
[DEBUG] writing sso token to credentials cache: opening keyring: Specified keyring backend not available
[✔] [my-account/Administrator](us-east-1) session credentials will expire in 12 hours
[acruz@blinkin] ~  
 cat ~/.granted/config
───────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
       │ File: /Users/acruz/.granted/config
───────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1   │ DefaultBrowser = "FIREFOX_DEV"
   2   │ CustomBrowserPath = "/Applications/Firefox Developer Edition.app/Contents/MacOS/firefox"
   3   │ CustomSSOBrowserPath = ""
   4   │ Ordering = ""
   5   │ ExportCredentialSuffix = ""
   6   │ 
   7   │ [Keyring]
   8   │   Backend = "keychain"
───────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

[uvw]

@citosid, same issue. After upgrading to v0.24.0, assume fails with:

[✘] opening keyring: Specified keyring backend not available

I'm not on M1, though. Just an old Intel MacBook Pro. — Might be worth opening a new issue 🤔

UPDATE:

• Rolling back to v0.23.2 fixed the issue. Seems like a regression.
• I submitted a new issue Keychain backend not working on Macs (v0.24.0) #647 since it's not only M1 but Intel as well.

[citosid]

@uvw, I have an intel mac, so is the same as you. But since I was not sure it was a regression of some kind I didn't want to write a new issue. But thank you for doing it! Now we just have to wait...