Rotate fails when two MFAs are required and they fall in the same time window
awilkins opened this issue · comments
- I am using the latest release of AWS Vault
- Was using 6.6.0, checked changelog, couldn't find an explicit fix for this, but maybe #1052 fixes it

.aws/config
- A minimal config with mfa_serial referring to a TOTP device (YubiKey)

Used aws-vault rotate $PROFILE
- Successfully creates a new access key
- Successfully stores new key
- Fails to re-authenticate and deprecate / delete old key
Error indicates invalid MFA; the initial session and the subsequent session with the new key both occur within the same TOTP window, so the same code is used twice, which is not permitted.
Error breaks the loop of the rotate command, so this then leaves the old key active.
Perhaps
- Poll MFA device until new token is available (maybe a bit brutish)
- Impose a longer window between key creation and deprecation when MFA is involved
- Maybe have some kind of MFA resource pool to keep track of last time each MFA was used?
- Retry (see "maybe #1052 fixes this")
probably should just check that we get a different MFA token inputted 2nd time around
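Added example, not aws-vault's own code: a small Go sketch of two of the mitigations discussed above, the "wait for the next TOTP window before the second prompt" idea and the "reject the same code entered twice for one mfa_serial" check. `TOTPWindow`, `UntilNextWindow`, `RotationWait` and `MFATracker` are hypothetical names; the timestamps and the MFA serial are constructed sample values. The 30 s step is the RFC 6238 default that TOTP devices such as YubiKeys use.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// DefaultTOTPStep is the RFC 6238 time step almost all TOTP devices use.
const DefaultTOTPStep = 30 * time.Second

// ErrMFACodeReused is returned when the same code is offered twice for one device.
var ErrMFACodeReused = errors.New("mfa code already used for this device; wait for the next TOTP window")

// TOTPWindow returns the index of the TOTP time window containing t.
func TOTPWindow(t time.Time, step time.Duration) int64 {
	return t.Unix() / int64(step.Seconds())
}

// UntilNextWindow returns how long after t a fresh TOTP code becomes available.
// Sub-second parts of t are ignored, matching TOTP's whole-second counter.
func UntilNextWindow(t time.Time, step time.Duration) time.Duration {
	stepSecs := int64(step.Seconds())
	next := (t.Unix()/stepSecs + 1) * stepSecs
	return time.Unix(next, 0).Sub(t)
}

// RotationWait returns how long a rotate step should pause before asking for a
// second MFA code, given when the first code was used: zero if the window has
// already rolled over, otherwise the remainder of the first code's window.
func RotationWait(firstUse, now time.Time, step time.Duration) time.Duration {
	if TOTPWindow(now, step) > TOTPWindow(firstUse, step) {
		return 0
	}
	return UntilNextWindow(now, step)
}

// MFATracker remembers the last code accepted per mfa_serial (the "MFA resource
// pool" idea from the issue), so a repeated code can be rejected locally instead
// of failing at the STS API and leaving the old key active.
type MFATracker struct {
	last map[string]string // mfa_serial -> last accepted code
}

func NewMFATracker() *MFATracker {
	return &MFATracker{last: make(map[string]string)}
}

// Accept records code for serial, or returns ErrMFACodeReused if it is the
// code that was already accepted for that device.
func (m *MFATracker) Accept(serial, code string) error {
	if prev, ok := m.last[serial]; ok && prev == code {
		return ErrMFACodeReused
	}
	m.last[serial] = code
	return nil
}

func main() {
	// Constructed sample: first code used 20 s into a window, second prompt 5 s later.
	first := time.Unix(1700000000, 0) // constructed timestamp, not from the issue
	second := first.Add(5 * time.Second)
	fmt.Printf("second prompt should wait %v for a fresh code\n", RotationWait(first, second, DefaultTOTPStep))

	tr := NewMFATracker()
	serial := "arn:aws:iam::123456789012:mfa/example" // placeholder serial
	fmt.Println(tr.Accept(serial, "123456")) // nil: first use
	fmt.Println(tr.Accept(serial, "123456")) // ErrMFACodeReused: same code again
	fmt.Println(tr.Accept(serial, "654321")) // nil: a different code
}
```

`RotationWait` computes the delay from the clock rather than polling the device, so a rotate loop can sleep exactly as long as needed before the second prompt; `MFATracker` catches the case where the user enters the same code anyway, before any API call is made.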
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.