secret-service gets: No such interface “org.freedesktop.DBus.Properties”

[RmMsr]

I am trying to use the secret-service backend on an Arch Linux installation. The desktop is a XDM session started via systemd.

When running

aws-vault --backend secret-service add example

I get

aws-vault: error: No such interface “org.freedesktop.DBus.Properties” on object at path /

I am not certain how to dig deeper. I have also installed libsecret and gnome-keyring. A hint where to look would be appreciated.

Thanks for the nice tool! The file backend works smoothly.

[rene00]

I just had the same problem on a headless system.

Fix was to install a gnome desktop (on ubuntu 18.04 apt install ubuntu-mate-desktop will do it) which runs gnome-keyring-daemon properly.

Once I logged into the desktop, the keyring, dbus and aws-vault stuff worked as expected.

I was able to run this from a SSH session to the box and was prompted by a passphrase dialog box within my X session:

export AWS_VAULT_BACKEND=secret-service
aws-vault add foo

I can log back out of the box and log in and aws-vault uses secret-service fine.

I've also run the same setup using kde and kwalletd.

Hope that helps.

[joemiller]

I ran into this issue too and I think I know why finally. dbus-monitor was super helpful here.

aws-vault tries to create a secret collection named awsvault. Creating a collection will normally cause gnome-keyring-daemon to pop-up a "prompt" dialog for setting a password on the new collection. But in a headless environment it can't do this so it doesn't register a Prompt provider on the path.

If aws-vault instead used the default login collection it works fine because that collection already exists and is unlocked so no prompt is needed.

I'm not sure if this is easily fixable in aws-vault because the collection name (as passed by the ServiceName attribute in the keyring.Config struct) is a fixed value. So this information is probably more useful for consumers of the https://github.com/99designs/keyring library.

I'm looking for ways to create a collection from a commandline without needing to prompt and I'll report back here if I find an existing tool for that

[sovaradh]

fwiw, I solved my misery by using vnc with twm/xintirc and using the method suggested at
https://wiki.archlinux.org/index.php/GNOME/Keyring#xinitrc_method

[jondkelley]

Still broke on headless systems following suggestion above, you will need to open the x session and do this for the gnome keyring prompt. I think the keyring tool doesn't support terminals at all, unfortunately.

this mirrors sovaradh's findings and workaround using twm/xinitirc.

sudo apt-get install -y gnome
reboot
gnome-keyring-daemon
SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
aws-vault add name

still gets aws-vault: error: No such interface “org.freedesktop.DBus.Properties” on object at path /

[RmMsr]

It has been a long time and I cannot verify this any more. So I close the issue. Please feel free to re-open :-)

[GregAtGoodRx]

I am still hitting this. Running Ubuntu on Windows .. Ubuntu 20.04 LTS (GNU/Linux 4.4.0-19041-Microsoft x86_64)

[RmMsr]

Hmm. Okay. Unfortunately I do not AWS right now. I re-open the issue, but I would not know how to contribute.

[murbanowicz]

Same here. Ubuntu 20.04, WSL 2, 5.4.51-microsoft-standard-WSL2

[flurdy]

:/ Same for a native installation of POP_OS! 20.04 .
But running gnome-keyring-daemon -V once, then retrying aws-vault add myprofile again prompted me to add a new keyring, and no error message again.

[filipvh-sentia]

I ran into this issue. My keyring entry disappeared and I had to re-add it.
It wouldn't work until I run gnome-keyring-daemon and then tried aws-vault add default

[newcarrotgames]

I had to use aws-okta -b file add with windows/wsl2 for some reason... ymmv.

[lukeberry99]

Having this issue on wsl2 as well - not sure what's changed as up until a few days ago it was working properly. @newcarrotgames can you elaborate on your fix please?

[exikyut]

This surfaces readily in Google searches for this issue, so adding what worked for me, taken from https://rtfm.co.ua/en/what-is-linux-keyring-gnome-keyring-secret-service-and-d-bus/:

• Create an Xvnc session on the server and connect to it (I was just using openbox)
• Open a terminal (I just used xterm)
• Run

  export $(gnome-settings-daemon --start)
  systemctl --user import-environment DISPLAY XAUTHORITY
  dbus-update-activation-environment DISPLAY XAUTHORITY
  

• In the same terminal, run the command
• I specified a new keyring password and used Blowfish encryption as the GPG option failed. While doing this the command timed out in the background but the password prompts were still visible.
• Rerun the command
• It worked! :D

[zhkostadinov]

Nothing of the suggested solutions works for me. Any updates?

[FlorinAndreiSpree3D]

Same issue. Ubuntu 18.04, I've ssh'ed into it, and aws-vault add profilename fails even if I try all the tips and tricks indicated above. Nothing works.

[1pavanb]

Same here. Ubuntu 20.04, WSL 2, 5.4.51-microsoft-standard-WSL2

wsl has released gui compatibility for ubuntu. Just Upgrade your wsl.
https://docs.microsoft.com/en-us/windows/wsl/tutorials/gui-apps#existing-wsl-install

[neildataprophet]

Try run ssh-add -L. If it's empty, try add you ssh-key. That worked for me

[Boniker]

In my situation the root cause of the problem was with Vagrant. We can not use the SSH connection for the following command: aws-vault add <name>, launching a terminal locally and executing the command will solve the problem. You must open a terminal on the machine itself.

Resolution Steps:
You have two possibilities to download the aws-vault. With brew and wget.

Recommended with brew: brew install aws-vault

Or with wget:

• Download AWS Vault
  wget https://github.com/99designs/aws-vault/releases/download/v6.4.0/aws-vault-linux-amd64

• Install AWS Vault

  mv aws-vault-linux-amd64 aws-vault
  chmod u+x aws-vault
  sudo mv aws-vault /usr/local/bin
  

• Check AWS Vault version
  aws-vault --version

• Download the pass and gnupg (used for encryption / decryption.)
  sudo apt-get update && sudo apt-get install -y pass gnupg

• Generates the key used for encryption / decryption.
  gpg --gen-key

After generating the gpg key, you will get the output like in the example below:

pub   rsa3072 2022-01-29 [SC] [expires: 2024-01-29]
      FD905667DE12B1678DF234272EEF7*********

• Initialize the pass:
  pass init "FD905667DE12B1678DF234272EEF7*********"

• AWS Vault profile creation
  Create a profile with any name and register the IAM user access key.
  After successful finishing previous point, you can create your aws-vault connection:

  aws-vault add "<your_profile_name>"
  Enter Access Key ID: ***********
  Enter Secret Access Key: ***********
  Added credentials to profile "<your_profile_name>" in vault
  

• Check the created profiles.
  aws-vault ls

• You can use the AWS Vault profile you created to run AWS CLI commands.
  aws-vault exec <your_profile_name>

• After creation the new terminal session, you can check the existing s3 buckets in your AWS:
  aws s3 ls

[newcarrotgames]

Having this issue on wsl2 as well - not sure what's changed as up until a few days ago it was working properly. @newcarrotgames can you elaborate on your fix please?

I think you can ignore me, aws-okta might not be related to aws-vault.

[lucio-desimone-globant]

Hi there.

I'm using Ubuntu 20.04, WSL 2, 5.4.51-microsoft-standard-WSL2 as someone said in the comments.

Tried out all the possible solutions in the comments but nothing seems to work.

There might be a way to use the aws-vault from the host machine to add the profile and then try to execute the connection in the WSL container?

I'm stuck with this since a week.

[1pavanb]

@lucio-desimone-globant @lukeberry99 @murbanowicz
I've tried using windows aws-vault in WSL, it doesn't work. But I've got the WSL one working though.

what I've tried with windows aws-vault and may work for you:

My solution to the problem works nice.
install aws-vault using windows chocolatey in command prompt or power sheel.
Open WSL
create or open .bash_profile if you already have one open with some editors like nano ~/.bash_profile
add file path to aws vault like so:
alias aws-vault="/mnt/c/ProgramData/chocolatey/bin/aws-vault.exe"
save the file before you exit
refresh the file . ~/.bash_profile
thats all let the microsoft credential manager takes care of the rest
you can also check version if it is working by typing in wsl: aws-vault --version
#683 (comment)

But it doesn't work for me when mfa is involved, throws another error for me

Enter MFA code for arn:aws:iam::123456789409:mfa/pavan:
aws-vault: error: exec: Failed to get credentials for abc-prod: operation error STS: AssumeRole, failed to sign request: failed to retrieve credentials: operation error STS: GetSessionToken, https response error StatusCode: 400, RequestID: 123abcd-050c-4664-9c8b-abcd5239d1c, api error ValidationError: 1 validation error detected: Value '' at 'tokenCode' failed to satisfy constraint: Member must have length greater than or equal to 6

No luck with this error, also I don't like this anyway because It uses credentials from windows file system instead of the ones from wsl. (If windows aws-vault works for you, you can set shared aws credentials env variables pointing to your WSL filesystem's aws cred and config files.)

aws-vault throws the DBUS error on your WSL because gnome-keyring is a GUI application and WSL didn't have GUI support before.
Upon searching the internet a bit, I found that Microsoft released an update for WSL which adds GUI support.
https://docs.microsoft.com/en-us/windows/wsl/tutorials/gui-apps#existing-wsl-install
Run that update

Open powershell as administrator mode
wsl --update
wsl --shutdown

after that install gnome-keyring (this might already be preset after WSL update but no harm in doing it)
sudo apt install gnome-keyring

if you run your aws-vault command now it should work provided your abcd profile was set in ~/.aws/config file and respective credentials exist.
aws-vault exec abcd -- aws s3 ls

if the prompt goes blank and you don't see anything happen then kill gnome-keyring daemon and try again.
ps aux | grep "[g]nome-keyring-daemon" | awk '{print $2}' | xargs kill -9

You should see a dialog pop up like this

If your aws-vault command keeps spacing out, you have to kill the gnome-daemon everytime before running the aws-vault command.
To avoid this I have edited the /usr/share/dbus-1/services/org.freedesktop.secrets.service file to look like this

[D-BUS Service]
Name=org.freedesktop.secrets
Exec=/usr/bin/gnome-keyring-daemon --unlock --replace --components=secrets

I'm using a combo of aws-vault and assume-role so it doesn't ask me the credentials every time.
aws-vault sets a session and assume-role works until the session exists.

[lucio-desimone-globant]

Hey @1pavanb

Thank you very much for this. Working properly right now.

Cheers.

[mtibben]

Please do open a PR updating the USAGE.md docs with this information

[jackkittisakthamrong]

This surfaces readily in Google searches for this issue, so adding what worked for me, taken from https://rtfm.co.ua/en/what-is-linux-keyring-gnome-keyring-secret-service-and-d-bus/:

• Create an Xvnc session on the server and connect to it (I was just using openbox)
• Open a terminal (I just used xterm)
• Run

  export $(gnome-settings-daemon --start)
  systemctl --user import-environment DISPLAY XAUTHORITY
  dbus-update-activation-environment DISPLAY XAUTHORITY
  

• In the same terminal, run the command
• I specified a new keyring password and used Blowfish encryption as the GPG option failed. While doing this the command timed out in the background but the password prompts were still visible.
• Rerun the command
• It worked! :D

This work for me. VM: Ubuntu 20.04.4

[tony-garcia]

For anyone wanting to use aws-vault on headless WSL2 (or any headless linux system), I got it to work by using pass as the vault backend unstead of the default gnome-keyring. Just install it and set it up with your GPG key using the instructions in the link, and set up these environment variables in your .bashrc (or .zshenv) or whatever:

export AWS_VAULT_BACKEND=pass
export AWS_VAULT_PASS_PREFIX=aws-vault
export GPG_TTY=$(tty)

[nthpaul]

For anyone wanting to use aws-vault on headless WSL2 (or any headless linux system), I got it to work by using pass as the vault backend unstead of the default gnome-keyring. Just install it and set it up with your GPG key using the instructions in the link, and set up these environment variables in your .bashrc (or .zshenv) or whatever:

export AWS_VAULT_BACKEND=pass export AWS_VAULT_PASS_PREFIX=aws-vault export GPG_TTY=$(tty)

Second this. Pass and GPG seem to be the way to go for WSL2.

Here's another thread with a step-by-step: #683 (comment)

[elvinagam]

The issue is still open (for Ubuntu 20...)

[ishepherd]

For anyone wanting to use aws-vault on headless WSL2 (or any headless linux system), I got it to work by using pass as the vault backend unstead of the default gnome-keyring. Just install it and set it up with your GPG key using the instructions in the link, and set up these environment variables in your .bashrc (or .zshenv) or whatever:

Second this. Pass and GPG seem to be the way to go for WSL2.

The latest version of WSL (just out) claims to support X/gui apps even on Windows 10. This might fix the issue for good, for those on WSL.

[BarelElbazDeveleap]

I get this issue because keyring pops up a prompt to enter the passphrase and I'm connected via SSH
Anyone know how to solve it?

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.