The fundamentals here are pretty straightforward:
- The -25308 error is errSecInteractionNotAllowed, which means that the keychain needed to interact with the user and that’s not allowed in this context.
- SSH login sessions are one situation where interacting with the user is not allowed.
The complexity stems from why the keychain needs to interact with the user. You wrote:
I've also tried running: security unlock-keychain …
Right. This rules out the keychain being locked as a source of this user interaction, but that’s only one source. There are plenty of other sources, and it’s hard to be sure which one is in play in your specific case.
This overall seems like an issue built-in to macOS, probably for
security reasons that presume that all Keychain actions should be
attached to an app that has an interactive GUI.
That’s not true. A non-GUI process can use the keychain just fine. This includes things in a user login session, like tools run by SSH, and even daemons [1].
What is true is that macOS has strict rules about execution contexts. For details on this, see Technote 2083 Daemons and Agents.
A program with a Unix-y heritage, like screen, expects to be able to switch execution by switching the traditional Unix-y UIDs and GIDs. That doesn’t really work on macOS [2], and such programs often run into problems. As explained in the technote, these problems don’t always have obvious symptoms, and they can come and go as the system evolves.
I’m not sure what this program is trying to do with the keychain but this is a serious concern:
This opens a local browser page to AWS SSO auth.
Given the above-mentioned execution context limits, doing this correctly on macOS requires some convoluted code [3]. I suspect that this program is just ignoring the issue and that’s why you’re running into problems. However, it’s hard to be sure without knowing more about the code.
I presume that this isn’t code that you wrote?
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] Daemons are limited to the file-base keychain. See On Mac Keychains for more details about the long story that is macOS keychains.
[2] It works if you live entirely within the Unix-y layers of the system but fails when you work with higher-level frameworks, like Security.
[3] You’d have to run an agent in each GUI login session to handle the GUI-specific work.
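The post above explains that -25308 means the keychain wanted to interact with the user in a context (such as an SSH session) where that is not allowed, and that the right fix is for the tool to handle that context explicitly rather than ignore it. The following Swift snippet is an added example and not code from the reply or from any tool discussed in the thread; it shows how a command-line program can ask for a keychain item without ever blocking on a prompt, so that a non-GUI context fails fast with errSecInteractionNotAllowed and the program can report that clearly. It uses two real Security framework calls: SecKeychainSetUserInteractionAllowed(false), which suppresses dialogs for file-based keychain access process-wide, and the kSecUseAuthenticationUI / kSecUseAuthenticationUIFail query attribute, which does the same for items guarded by access control. The service and account names are constructed for illustration, and which of the many possible prompt sources applies to the original poster's tool is, as the reply says, unknown.

```swift
import Foundation
import Security

/// Outcome of a keychain read that is never allowed to show UI.
enum KeychainReadOutcome {
    case found(Data)
    case notFound
    case wouldNeedUserInteraction   // errSecInteractionNotAllowed (-25308)
    case failed(OSStatus, String)
}

/// Reads a generic-password item without blocking on a keychain prompt.
/// In an SSH session or other non-GUI execution context the call returns
/// errSecInteractionNotAllowed immediately, which the caller can explain
/// instead of surfacing a bare "-25308".
func readSecretNonInteractively(service: String, account: String) -> KeychainReadOutcome {
    // Process-wide switch for the file-based keychain: do not pop a
    // dialog from this process. Real Security framework API.
    _ = SecKeychainSetUserInteractionAllowed(false)

    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
        // Per-query switch for access-control-protected items: return
        // errSecInteractionNotAllowed rather than presenting UI.
        kSecUseAuthenticationUI as String: kSecUseAuthenticationUIFail,
    ]

    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)

    switch status {
    case errSecSuccess:
        guard let data = item as? Data else {
            return .failed(status, "item returned without a data payload")
        }
        return .found(data)
    case errSecItemNotFound:
        return .notFound
    case errSecInteractionNotAllowed:
        return .wouldNeedUserInteraction
    default:
        // SecCopyErrorMessageString turns an OSStatus into readable text.
        let message = (SecCopyErrorMessageString(status, nil) as String?) ?? "unknown error"
        return .failed(status, message)
    }
}

// Constructed service/account names for illustration only.
switch readSecretNonInteractively(service: "example-sso-cache", account: "example-user") {
case .found(let data):
    print("read \(data.count) bytes from the keychain")
case .notFound:
    print("no cached credential; run the login flow from a GUI login session")
case .wouldNeedUserInteraction:
    print("keychain access needs user interaction (-25308), which this context (e.g. SSH) cannot provide")
case .failed(let status, let message):
    print("keychain error \(status): \(message)")
}
```

The point of the design is the one the reply makes: a tool run over SSH should detect that it is in a context where interaction is impossible and say so (or hand the interactive step to an agent in the GUI login session, as footnote [3] describes), rather than letting the Security framework's refusal surface as an opaque error code.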