99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments


cannot start AWS-StartSSHSession with MFA

azusa opened this issue · comments

  • I am using the latest release of AWS Vault
6.6.0-Homebrew
ProductName:	macOS
ProductVersion:	12.6
BuildVersion:	21G115
  • I have provided my .aws/config (redacted if necessary)
[profile ssm-user2]

region = ap-northeast-1
output = json
mfa_serial=arn:aws:iam::491673950671:mfa/ssm-user
  • I have provided the debug output using aws-vault --debug (redacted if necessary)
[]:$ ssh ssm                                                                [~]
2022/10/15 00:14:45 aws-vault 6.6.0-Homebrew
2022/10/15 00:14:45 Loading config file /Users/azusa/.aws/config
2022/10/15 00:14:45 Parsing config file /Users/azusa/.aws/config
2022/10/15 00:14:45 [keyring] Considering backends: [keychain]
2022/10/15 00:14:45 Profile 'default' missing in config file
2022/10/15 00:14:45 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2022/10/15 00:14:45 [keyring] Found 3 results
2022/10/15 00:14:45 profile ssm-user2: using stored credentials
2022/10/15 00:14:45 profile ssm-user2: using GetSessionToken (with MFA)
2022/10/15 00:14:45 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2022/10/15 00:14:45 [keyring] Found 3 results
2022/10/15 00:14:45 [keyring] Removing keychain item service="aws-vault", account="sts.GetSessionToken,(Removed)1665757089", keychain "aws-vault.keychain"
2022/10/15 00:14:48 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2022/10/15 00:14:48 [keyring] Found 2 results
2022/10/15 00:14:48 [keyring] Querying keychain for service="aws-vault", account="sts.GetSessionToken,(Removed),-62135596800", keychain="aws-vault.keychain"
2022/10/15 00:14:48 [keyring] No results found
Enter MFA code for arn:aws:iam::491673950671:mfa/ssm-user: 2022/10/15 00:14:48 Looking up keyring for 'ssm-user2'
2022/10/15 00:14:48 [keyring] Querying keychain for service="aws-vault", account="ssm-user2", keychain="aws-vault.keychain"
2022/10/15 00:14:48 [keyring] Found item "aws-vault (ssm-user2)"
aws-vault: error: exec: Failed to get credentials for ssm-user2: operation error STS: GetSessionToken, https response error StatusCode: 400, RequestID: bd7313fd-e784-4515-b028-5cbb865cffb9, api error ValidationError: 2 validation errors detected: Value 'SSH-2.0-OpenSSH_8.6' at 'tokenCode' failed to satisfy constraint: Member must satisfy regular expression pattern: [\d]*; Value 'SSH-2.0-OpenSSH_8.6' at 'tokenCode' failed to satisfy constraint: Member must have length less than or equal to 6
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

I tried to connect to an EC2 instance with SSH via Session Manager, using aws-vault and MFA.
I put the config in .aws/config and ~/.ssh/config.

~/.ssh/config:

host ssm
  IdentityFile ~/.ssh/key/azusa.pem
  User ec2-user
  ProxyCommand sh -c "aws-vault exec ssm-user2 -- aws ssm start-session --target (instance_id) --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

When I typed the ssh command, the shell did not prompt for the token code, so I could not input the token code and got an error.
Recorded screen is below:

ssm_with_mfa.mp4

And I could input the MFA token code with other aws cli commands.

Do you have any idea how to input the token code with AWS-StartSSHSession?

This is a problem due to using stdin to input the MFA code.
I think that using go-tty etc. will solve it.
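
The root cause stated above (the prompt reading its answer from stdin, which under a ProxyCommand is the SSH client's pipe rather than the keyboard), reproduced as an added example that is not aws-vault's code. The real prompt lives in aws-vault's Go code; this POSIX sh script only mimics the behaviour. The sample banner is the value quoted in the STS error in the report, and the function names (prompt_stdin, valid_token, prompt_tty, run_with_tty_fds) are this example's own. It also shows the fd-swapping shim technique used in the workaround later in this thread, so one script covers both the failure and the two ways around it.

```shell
#!/bin/sh
# Added example, not aws-vault's code: why an MFA prompt that reads its
# answer from stdin breaks inside an SSH ProxyCommand, and two ways around it.
# Function names and the sample banner are this example's own constructions.

# Constructed sample: the first thing an OpenSSH client writes to its
# ProxyCommand's stdin is its protocol identification string. This is the
# value that showed up as 'tokenCode' in the STS ValidationError above.
SSH_BANNER='SSH-2.0-OpenSSH_8.6'

# Naive prompt: prints the question on stderr but reads the answer from fd 0,
# so under a ProxyCommand it consumes the SSH client's banner instead.
prompt_stdin() {
    printf 'Enter MFA code: ' >&2
    IFS= read -r code || return 1
    printf '%s\n' "$code"
}

# Local check mirroring the two STS constraints in the error message:
# digits only ([\d]*) and at most 6 characters.
valid_token() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 6 ]
}

# Fix 1: talk to the controlling terminal directly so fd 0 (the SSH pipe)
# is left alone. Falls back to stdin when no tty can be opened at all.
prompt_tty() {
    printf 'Enter MFA code: ' >&2
    if (exec </dev/tty) 2>/dev/null; then
        IFS= read -r code </dev/tty || return 1
    else
        IFS= read -r code || return 1
    fi
    printf '%s\n' "$code"
}

# Fix 2 (the shim approach): park the SSH pipe on spare fds, point fd 0/1 at
# stderr (still the terminal) while the prompting command runs, then restore
# the pipe untouched. Uses fds 8/9 so it also works in shells that only
# support single-digit fd numbers in redirections.
run_with_tty_fds() {
    exec 8<&0 9>&1 0<&2 1>&2
    status=0
    "$@" || status=$?
    exec 0<&8 1>&9 8<&- 9>&-
    return "$status"
}

# Walk through the failure: feed the banner on stdin exactly as ssh would.
demo() {
    token=$(printf '%s\n' "$SSH_BANNER" | prompt_stdin)
    if valid_token "$token"; then
        echo "token '$token' accepted"
    else
        echo "token '$token' would be rejected by STS"
    fi
    # With the shim, the banner is still on the pipe for the real session.
    printf '%s\n' "$SSH_BANNER" | {
        run_with_tty_fds true
        IFS= read -r rest
        echo "bytes left on the SSH pipe after prompting: $rest"
    }
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh script.sh demo` to see the banner being swallowed as the token and rejected by the local check, and the shim leaving the pipe intact. prompt_tty is the shape of the proper fix (open /dev/tty instead of fd 0); run_with_tty_fds is the shell-level workaround for a prompt you cannot change.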

I resorted to using nasty workarounds for this, like requesting credentials with an ssh shim as ProxyCommand and redirecting the active ttys during the login flow to still get the prompt and not interfere with the SSH flow.

With v7, that'd be something like:

#!/bin/sh
# ssh shim used as ProxyCommand: make sure aws-vault already holds a cached
# (MFA-backed) session token before handing the pipe over to ssm.
if ! aws-vault list | grep -q -E "sts.GetSessionToken:[[:digit:]]"; then
    # park SSH's stdin/stdout on fds 10/11 and point fds 0/1 at stderr
    # (still the terminal) so the MFA prompt doesn't mess with the SSH flow
    exec 10<&0 11>&1 0<&2 1>&2
    # only the keyring side effect is wanted; note the exported JSON is
    # printed to the terminal as well
    aws-vault --prompt terminal export base --duration 12h --format=json
    # restore the interactive fds, close the temporaries and hand back over to SSH
    exec 0<&10 1>&11 10<&- 11>&-
fi

aws --profile "$profile" ssm start-session yadda yadda

The only problem with this approach is that it would litter the filesystem with occasional files named `not a tty`, presumably from some error output being redirected incorrectly. The fix by @ngyuki fixes all of that. I shall open a PR.

On second thought/view, this appears to already be fixed in #1149. 🎉

@azusa @ngyuki Can you confirm this also fixes your problem?

EDIT: and on third thought/view, there are still edge cases where this does not work correctly but the fix in this issue does fix it. Opening a PR.

Final edge case fixed in #1184.