mfa_process not working with aws cli commands
mleone87 opened this issue · comments
- I am using the latest release of AWS Vault
- I have provided my `.aws/config` (redacted if necessary)
- I have provided the debug output using `aws-vault --debug` (redacted if necessary)
I have this simple config:

```ini
[default]
region=eu-west-3
output=json
mfa_serial=myserial
credential_process=aws-vault export --format=json --no-session --debug default
mfa_process=pass otp myotp

[profile profile1]
role_arn=myrole
mfa_process=pass otp myotp
mfa_serial=myserial
source_profile=default
```
`pass` is the backend, selected via an environment variable. `pass otp` is the OTP provider, and it works when called by itself.

I expect to be able to run `aws s3 ls --profile profile1`, but the OTP prompt is shown.
My tests so far:

- `aws-vault exec profile1 -- aws s3 ls` works
- `aws s3 ls --profile profile1` asks for MFA
- `aws exec default -- aws s3 ls` works
- `aws s3 ls` works

`aws-vault exec profile1 -- aws s3 ls` command output for reference:
```text
aws-vault exec profile1 --debug -- aws s3 ls
2023/04/21 10:18:51 aws-vault 7.2.0-Homebrew
2023/04/21 10:18:51 Using prompt driver: terminal
2023/04/21 10:18:51 Loading config file /Users/***/.aws/config
2023/04/21 10:18:51 Parsing config file /Users/***/.aws/config
2023/04/21 10:18:51 [keyring] Considering backends: [pass]
2023/04/21 10:18:51 profile staging: sourcing credentials from profile default
2023/04/21 10:18:51 profile default: using stored credentials
2023/04/21 10:18:51 profile default: using GetSessionToken (with MFA)
2023/04/21 10:18:51 profile staging: using AssumeRole (chained MFA)
2023/04/21 10:18:51 Setting subprocess env: AWS_REGION=eu-west-3, AWS_DEFAULT_REGION=eu-west-3
2023/04/21 10:18:51 Executing mfa_process
2023/04/21 10:18:51 Looking up keyring for 'default'
2023/04/21 10:18:52 Generated credentials ******************** using GetSessionToken, expires in 7h59m59.591003s
2023/04/21 10:18:52 Generated credentials ******************** using AssumeRole, expires in 59m59.316593s
2023/04/21 10:18:52 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2023/04/21 10:18:52 Setting subprocess env: AWS_SESSION_TOKEN
2023/04/21 10:18:52 Setting subprocess env: AWS_CREDENTIAL_EXPIRATION
2023/04/21 10:18:52 Exec command aws s3 ls
2023/04/21 10:18:52 Found executable /opt/homebrew/bin/aws
```
- because `mfa_process` is a custom option designed by aws-vault, see #1006 (comment). The AWS CLI doesn't support `mfa_process`: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
According to USAGE.md, "Using credential_process":

> Note that `credential_process` is designed for retrieving master credentials, while aws-vault outputs STS credentials by default. If a role is present, the AWS CLI/SDK uses the master credentials from the `credential_process` to generate STS credentials itself. So depending on your use-case, it might make sense for aws-vault to output master credentials by using a profile without a role and the `--no-session` argument. For example:
>
> ```ini
> [profile jon]
> credential_process = aws-vault export --no-session --format=json jon
>
> [profile work]
> mfa_serial = arn:aws:iam::123456789012:mfa/jonsmith
> role_arn = arn:aws:iam::33333333333:role/role2
> source_profile = jon
> ```
Here is an example to make `aws s3 ls --profile profile1` work with aws-vault and `mfa_process`:

```diff
[default]
region=eu-west-3
output=json
mfa_serial=myserial
credential_process=aws-vault export --format=json --no-session --debug default
mfa_process=pass otp myotp
- [profile profile1]
+ [profile profile1:credential]
role_arn=myrole
mfa_process=pass otp myotp
mfa_serial=myserial
source_profile=default
+ [profile profile1]
+ credential_process = aws-vault export --format=json --no-session --debug "profile1:credential"
```
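Review bot: the unchanged `[default]` block keeps `--no-session` on its `credential_process`, so every CLI call that resolves `default` receives the long-lived access key rather than STS credentials; that is exactly the "master credentials" trade-off the USAGE.md quote above describes, and it is what the CLI needs when it performs AssumeRole itself, so keep it in mind when deciding which profiles the CLI should still be allowed to chain from. Separately, both `credential_process` lines carry `--debug`, which makes aws-vault emit its debug log on every CLI invocation; it is useful while diagnosing this issue but should be dropped once the configuration works.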
After a few experiments, I noticed the problem is caused by the AWS SDK when the profile contains the `role_arn` option:

Running `aws --profile profile1 ...` works when profile1 does not contain `role_arn`:

```diff
[profile profile1]
- role_arn = myrole
mfa_serial = myserial
mfa_process = pass otp myotp
credential_process = aws-vault export --format=json --no-session --debug default
```

Running `aws --profile profile1 ...` will ask for an MFA token when profile1 contains `role_arn`:

```diff
[profile profile1]
+ role_arn = myrole
mfa_serial = myserial
mfa_process = pass otp myotp
credential_process = aws-vault export --format=json --no-session --debug default
```

I guess when the AWS CLI SDK reads a profile containing the `role_arn` option, it uses a different behavior and asks for an MFA token by itself (AWS CLI SDK). The MFA token prompt is not asked by `credential_process = aws-vault export ...` or aws-vault.

My previous comment has a workaround solution: separate `role_arn` and `credential_process` into different profiles to make it work correctly:

```diff
- [profile profile1]
+ [profile profile1:credential]
role_arn=myrole
mfa_process=pass otp myotp
mfa_serial=myserial
source_profile=default
+ [profile profile1]
+ credential_process = aws-vault export --format=json --no-session --debug "profile1:credential"
```
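As an added check (example code written for this page, not part of aws-vault and not the reporter's setup), the script below parses an `~/.aws/config`-style file with Python's `configparser`, flags every profile where the CLI will run AssumeRole itself and prompt for an MFA code (a `role_arn` together with `mfa_serial` in a profile the CLI reads directly, as in both the original report and the experiments in the last comment), and mechanically applies the split from the workaround above. The sample config, the `:credential` naming convention taken from this thread, and the helper names are constructed for the example.

```python
"""Lint an AWS CLI config for profiles where the CLI will prompt for MFA itself,
and apply the 'split profile' workaround from this issue.

Example code for this page; not aws-vault's own code.
"""
import configparser
import io
import shlex
from typing import Dict, List

# Constructed sample shaped like the config in the original report (placeholders, not real ARNs).
SAMPLE_CONFIG = """
[default]
region=eu-west-3
output=json
mfa_serial=myserial
credential_process=aws-vault export --format=json --no-session default
mfa_process=pass otp myotp

[profile profile1]
role_arn=myrole
mfa_process=pass otp myotp
mfa_serial=myserial
source_profile=default
"""

# Keys the CLI itself needs; everything else describes how credentials are obtained
# and can move into the aws-vault-only profile.
CLI_ONLY_KEYS = {"region", "output"}


def parse(text: str) -> configparser.ConfigParser:
    # interpolation=None keeps a literal '%' in values (e.g. inside a credential_process command)
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def section_for(profile: str) -> str:
    # The CLI writes the default profile as [default] and every other one as [profile <name>]
    return "default" if profile == "default" else f"profile {profile}"


def profile_name(section: str) -> str:
    return "default" if section == "default" else section[len("profile "):].strip()


def cli_mfa_prompt_profiles(text: str) -> List[str]:
    """Profiles where the AWS CLI will run AssumeRole itself and prompt for an MFA code.

    The CLI handles role_arn natively; with mfa_serial it asks for the token on the
    terminal and never sees mfa_process, which only aws-vault understands.
    A profile named as the target of some credential_process command (the
    '<name>:credential' convention from this thread) is assumed to be read only by
    aws-vault and is skipped.
    """
    cp = parse(text)
    delegated = set()
    for s in cp.sections():
        if "credential_process" in cp[s]:
            delegated.update(shlex.split(cp[s]["credential_process"]))
    return [
        profile_name(s)
        for s in cp.sections()
        if "role_arn" in cp[s] and "mfa_serial" in cp[s] and profile_name(s) not in delegated
    ]


def split_profile(text: str, profile: str, aws_vault: str = "aws-vault") -> str:
    """Apply the workaround from this thread to one profile and return the new config text.

    The role/MFA settings move to '<profile>:credential', which only aws-vault reads;
    the CLI profile keeps region/output plus a single credential_process that delegates
    to aws-vault, so the CLI never performs AssumeRole (and never prompts) itself.
    """
    cp = parse(text)
    section = section_for(profile)
    if section not in cp:
        raise KeyError(f"no such profile: {profile}")
    settings: Dict[str, str] = dict(cp[section])
    cli_settings = {k: v for k, v in settings.items() if k in CLI_ONLY_KEYS}
    vault_settings = {k: v for k, v in settings.items() if k not in CLI_ONLY_KEYS}
    # Any credential_process the old profile carried would only point back at aws-vault
    vault_settings.pop("credential_process", None)

    cred_name = f"{profile}:credential"
    cp.remove_section(section)
    cp[section_for(cred_name)] = vault_settings
    cli_settings["credential_process"] = f'{aws_vault} export --format=json --no-session "{cred_name}"'
    cp[section] = cli_settings

    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    print("CLI will prompt for MFA in:", cli_mfa_prompt_profiles(SAMPLE_CONFIG))
    print(split_profile(SAMPLE_CONFIG, "profile1"))
```

Run it against a copy of the real config rather than in place: `configparser` rewrites keys as `key = value` and drops comments, so the output is a starting point to review, not a drop-in replacement for a hand-maintained file.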
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.