[Docs] MFA Instructions do not reflect new multiple MFA device capabilities AWS provides
LouisTsiattalou opened this issue
AWS has recently added a feature to allow multiple MFA methods for individual IAM users. Now that you can have multiple MFA methods associated with the user, the mfa_serial entry no longer follows the mfa_serial=arn:aws:iam::<acc_id>:mfa/<your.aws.username> format. This hasn't had any negative effects on the usage of aws-vault, but some of the documentation is now out of date.
I would be interested in how to make aws-vault work with FIDO2 (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_fido.html#enable-fido-mfa-for-own-iam-user). Does anyone have a clue?
Is this fixed by #1101?
IMHO, #1101 is about TOTP and not FIDO2. So unfortunately it is not fixed.
I think #1101 fixes this issue; for example, by deleting the text "you can usually derive it pretty easily using the format arn:aws:iam::[account-id]:mfa/[your-iam-username]".
Could you provide an example of a working setup?
@kforsthoevel this issue is about updating the docs for aws-vault now that users can have more than one MFA device (which might be a physical device, or something virtual).
Because this issue is about multiple MFA devices, it's not the right place to ask for advice about using FIDO2 devices with aws-vault.
Hi,
The docs really need to be updated with concrete examples of how to configure things from scratch for a user without having to specify the AWS access / secret keys and using MFA instead. I've done this previously with a 6.x version a long time ago, but I can't seem to get it to work at all right now. It keeps asking for the keys instead.