cannot start AWS-StartSSHSession with MFA
azusa opened this issue · comments
- I am using the latest release of AWS Vault: 6.6.0-Homebrew
  ProductName: macOS
  ProductVersion: 12.6
  BuildVersion: 21G115
- I have provided my .aws/config (redacted if necessary)
[profile ssm-user2]
region = ap-northeast-1
output = json
mfa_serial=arn:aws:iam::491673950671:mfa/ssm-user
- I have provided the debug output using aws-vault --debug (redacted if necessary)
[]:$ ssh ssm [~]
2022/10/15 00:14:45 aws-vault 6.6.0-Homebrew
2022/10/15 00:14:45 Loading config file /Users/azusa/.aws/config
2022/10/15 00:14:45 Parsing config file /Users/azusa/.aws/config
2022/10/15 00:14:45 [keyring] Considering backends: [keychain]
2022/10/15 00:14:45 Profile 'default' missing in config file
2022/10/15 00:14:45 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2022/10/15 00:14:45 [keyring] Found 3 results
2022/10/15 00:14:45 profile ssm-user2: using stored credentials
2022/10/15 00:14:45 profile ssm-user2: using GetSessionToken (with MFA)
2022/10/15 00:14:45 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2022/10/15 00:14:45 [keyring] Found 3 results
2022/10/15 00:14:45 [keyring] Removing keychain item service="aws-vault", account="sts.GetSessionToken,(Removed)1665757089", keychain "aws-vault.keychain"
2022/10/15 00:14:48 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2022/10/15 00:14:48 [keyring] Found 2 results
2022/10/15 00:14:48 [keyring] Querying keychain for service="aws-vault", account="sts.GetSessionToken,(Removed),-62135596800", keychain="aws-vault.keychain"
2022/10/15 00:14:48 [keyring] No results found
Enter MFA code for arn:aws:iam::491673950671:mfa/ssm-user: 2022/10/15 00:14:48 Looking up keyring for 'ssm-user2'
2022/10/15 00:14:48 [keyring] Querying keychain for service="aws-vault", account="ssm-user2", keychain="aws-vault.keychain"
2022/10/15 00:14:48 [keyring] Found item "aws-vault (ssm-user2)"
aws-vault: error: exec: Failed to get credentials for ssm-user2: operation error STS: GetSessionToken, https response error StatusCode: 400, RequestID: bd7313fd-e784-4515-b028-5cbb865cffb9, api error ValidationError: 2 validation errors detected: Value 'SSH-2.0-OpenSSH_8.6' at 'tokenCode' failed to satisfy constraint: Member must satisfy regular expression pattern: [\d]*; Value 'SSH-2.0-OpenSSH_8.6' at 'tokenCode' failed to satisfy constraint: Member must have length less than or equal to 6
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
I tried to connect to an EC2 instance with SSH via Session Manager, using aws-vault and MFA.
I put the config into .aws/config and ~/.ssh/config.
~/.ssh/config:
host ssm
IdentityFile ~/.ssh/key/azusa.pem
User ec2-user
ProxyCommand sh -c "aws-vault exec ssm-user2 -- aws ssm start-session --target (instance_id) --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
When I typed the ssh command, the shell did not prompt for the token code, so I could not input the token code and got an error.
Screen recording: ssm_with_mfa.mp4
I could input the MFA token code with other AWS CLI commands.
Do you have any idea how to input token code with AWS-StartSSHSession?
This is a problem due to using stdin to input the MFA code.
I think that using go-tty etc. will solve it.
I resorted to using nasty workarounds for this, like requesting credentials with an ssh shim as ProxyCommand and redirecting active tty's during login flow to still get the prompt and not interfere with the SSH flow.
With v7, that'd be something like:
# Only prompt when the vault holds no cached GetSessionToken credentials
if ! aws-vault list | grep -q -E "sts.GetSessionToken:[[:digit:]]"; then
    # redirect fd's to not mess with SSH flow: park the SSH transport
    # (stdin/stdout) on fds 10/11 and point the prompt at the terminal (stderr)
    exec 10<&0 11>&1 0<&2 1>&2
    aws-vault --prompt terminal export base --duration 12h --format=json
    # finish off interactive fd's and hand back over to SSH
    exec 0<&10 1>&11 10<&- 11>&-
fi
# $profile is the aws-vault/AWS CLI profile name for the session
aws --profile "$profile" ssm start-session yadda yadda
The only problem with this approach is that it would litter the filesystem with occasional files named `not a tty`, presumably from some error output being redirected incorrectly. The fix by @ngyuki fixes all of that. I shall open a PR.
Final edge case fixed in #1184.
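The failure in this issue and the redirection trick from the workaround above, as an added example that is not part of the thread and not code from aws-vault or the AWS CLI. ssh connects a ProxyCommand's stdin and stdout to the SSH transport, and the first bytes the remote side sends are its banner (`SSH-2.0-OpenSSH_8.6`), so any prompt that reads stdin receives the banner as the "token code" and STS rejects it. The script below stands a one-line prompt in for aws-vault's MFA prompt, shows it reading the banner when left on the transport, then points only the prompt at the terminal while fd 0 and fd 1 stay on the transport. The `PROMPT_TTY`/`PROMPT_TTY_OUT` variables, the `proxy_command` wrapper and its session command are hypothetical; the default terminal device `/dev/tty` and the TokenCode constraint (digits, at most 6) come from the error message in the issue.

```shell
#!/bin/sh
# Added example, not code from aws-vault, the AWS CLI or the issue author.
# Shows why an MFA prompt inside an ssh ProxyCommand reads the SSH banner, and
# the redirection that makes only the prompt talk to the terminal instead.
#
# Assumptions (hypothetical): the user's terminal is /dev/tty; PROMPT_TTY and
# PROMPT_TTY_OUT may override it so the logic can be exercised with plain files
# where no terminal exists (that is how the checks below run).
PROMPT_TTY="${PROMPT_TTY:-/dev/tty}"
PROMPT_TTY_OUT="${PROMPT_TTY_OUT:-$PROMPT_TTY}"

# Stand-in for the MFA prompt inside aws-vault: asks on stderr, reads one line
# from stdin, prints the answer on stdout.
read_token() {
    printf 'Enter MFA code: ' >&2
    read -r token || token=""
    printf '%s\n' "$token"
}

# Broken: the prompt inherits the ProxyCommand's stdin, i.e. the SSH transport,
# so the "token" it returns is whatever the peer sent first (its banner).
token_from_transport() {
    read_token
}

# Fixed: only the prompt is pointed at the terminal. The calling shell's fd 0
# and fd 1 are untouched, so the SSH transport is not disturbed.
token_from_terminal() {
    read_token <"$PROMPT_TTY" 2>"$PROMPT_TTY_OUT"
}

# TokenCode constraint quoted in the STS error: digits only, length <= 6.
# Checking locally avoids a wasted GetSessionToken round trip on bad input.
validate_token() {
    case "$1" in
        *[!0-9]*|"") return 1 ;;
    esac
    [ "${#1}" -le 6 ]
}

# Shape of a ProxyCommand wrapper: prompt on the terminal first, then run the
# session command ("$@") with stdin/stdout still on the transport. In real use
# "$@" would be the aws ssm start-session line from ~/.ssh/config, run with
# credentials obtained using the token.
proxy_command() {
    tok=$(token_from_terminal)
    validate_token "$tok" || { echo "MFA code must be 1-6 digits" >&2; return 1; }
    "$@"
}
```

Run as a ProxyCommand the wrapper would be invoked as `proxy_command aws-vault exec ssm-user2 -- aws ssm start-session ...`; with the default `/dev/tty` the prompt appears on the user's terminal while ssh's transport bytes flow through untouched.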