99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments


MFA does not seem to be working when using the login function

if-jeremy opened this issue · comments

  • [x] I am using the latest release of AWS Vault
  • [x] I have provided my .aws/config (redacted if necessary)
  • [x] I have provided the debug output using aws-vault --debug (redacted if necessary)

It would appear that using the --mfa-token=###### option with the aws-vault login command does not work as expected.

.aws/config file:

[profile my-profile]
region             = us-east-1
mfa_serial         = arn:aws:iam::############:mfa/Phone

Debug output with login command:

$ aws-vault login --mfa-token=071675 --debug my-profile
2023/10/12 11:52:58 aws-vault v7.2.0
2023/10/12 11:52:58 Using prompt driver: terminal
2023/10/12 11:52:58 [keyring] Considering backends: [keychain]
2023/10/12 11:52:58 Loading config file /Users/jutley/.aws/config
2023/10/12 11:52:58 Parsing config file /Users/jutley/.aws/config
2023/10/12 11:52:58 Profile 'default' missing in config file
2023/10/12 11:52:58 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2023/10/12 11:52:58 [keyring] Found 5 results
2023/10/12 11:52:58 profile my-profile: using stored credentials
2023/10/12 11:52:58 profile my-profile: skipping GetSessionToken because sessions are disabled for this profile
2023/10/12 11:52:58 Looking up keyring for 'my-profile'
2023/10/12 11:52:58 [keyring] Querying keychain for service="aws-vault", account="my-profile", keychain="aws-vault.keychain"
2023/10/12 11:53:09 [keyring] Found item "aws-vault (my-profile)"
2023/10/12 11:53:09 Creating a federated session
2023/10/12 11:53:10 Using GetFederationToken for credentials
aws-vault: error: login: operation error STS: GetFederationToken, https response error StatusCode: 403, RequestID: a294af35-a0c8-4b80-8ce1-8d6e0b24542f, api error AccessDenied: User: arn:aws:iam::############:user/jutley is not authorized to perform: sts:GetFederationToken on resource: arn:aws:sts::############:federated-user/jutley with an explicit deny

Note: I have a policy in place that issues an explicit Deny on all API calls not authenticated with MFA, other than specific calls related to password changes and setting up MFA.

Debug command with exec command on same profile:

aws-vault exec --mfa-token=###### --debug my-profile -- zsh
2023/10/12 11:55:13 aws-vault v7.2.0
2023/10/12 11:55:13 Using prompt driver: terminal
2023/10/12 11:55:13 Loading config file /Users/jutley/.aws/config
2023/10/12 11:55:13 Parsing config file /Users/jutley/.aws/config
2023/10/12 11:55:13 [keyring] Considering backends: [keychain]
2023/10/12 11:55:13 Profile 'default' missing in config file
2023/10/12 11:55:13 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2023/10/12 11:55:13 [keyring] Found 5 results
2023/10/12 11:55:13 profile my-profile: using stored credentials
2023/10/12 11:55:13 profile my-profile: using GetSessionToken (with MFA)
2023/10/12 11:55:13 Setting subprocess env: AWS_REGION=us-east-1, AWS_DEFAULT_REGION=us-east-1
2023/10/12 11:55:13 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2023/10/12 11:55:13 [keyring] Found 5 results
2023/10/12 11:55:13 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2023/10/12 11:55:13 [keyring] Found 5 results
2023/10/12 11:55:13 [keyring] Querying keychain for service="aws-vault", account="sts.GetSessionToken,dHJ1c3RjaGFyZ2U,YXJuOmF3czppYW06OjQ2NDgxMTgyNDY5OTptZmEvUGhvbmU,-62135596800", keychain="aws-vault.keychain"
2023/10/12 11:55:13 [keyring] No results found
2023/10/12 11:55:13 Looking up keyring for 'my-profile'
2023/10/12 11:55:13 [keyring] Querying keychain for service="aws-vault", account="my-profile", keychain="aws-vault.keychain"
2023/10/12 11:55:18 [keyring] Found item "aws-vault (my-profile)"
2023/10/12 11:55:19 Generated credentials ****************VAMX using GetSessionToken, expires in 59m59.78726s
2023/10/12 11:55:19 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2023/10/12 11:55:19 [keyring] Found 5 results
2023/10/12 11:55:19 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2023/10/12 11:55:19 [keyring] Found 5 results
2023/10/12 11:55:19 [keyring] Checking keychain status
2023/10/12 11:55:19 [keyring] Keychain status returned nil, keychain exists
2023/10/12 11:55:19 [keyring] Keychain item trusts keyring
2023/10/12 11:55:19 [keyring] Adding service="aws-vault", label="aws-vault session for my-profile (expires 2023-10-12T17:55:19Z)", account="sts.GetSessionToken,dHJ1c3RjaGFyZ2U,YXJuOmF3czppYW06OjQ2NDgxMTgyNDY5OTptZmEvUGhvbmU,1697133319", trusted=true to osx keychain "aws-vault.keychain"
2023/10/12 11:55:19 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2023/10/12 11:55:19 Setting subprocess env: AWS_SESSION_TOKEN
2023/10/12 11:55:19 Setting subprocess env: AWS_CREDENTIAL_EXPIRATION
2023/10/12 11:55:19 Exec command zsh
2023/10/12 11:55:19 Found executable /bin/zsh
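As an added example (not part of aws-vault or this thread), a small Python triage of the two --debug transcripts above: it reports which STS path each run took and why a deny-unless-MFA policy rejects the login path. The regexes and the embedded log excerpts are assumptions drawn from the lines in this issue, with the request id redacted.

```python
"""Triage an `aws-vault --debug` transcript to see which STS path it took."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SESSION_TOKEN_MFA = re.compile(r"using GetSessionToken \(with MFA\)")
SKIP_SESSION = re.compile(r"skipping GetSessionToken because (.+)$")
FEDERATION = re.compile(r"Using GetFederationToken for credentials")
DENIED = re.compile(r"operation error STS: (\w+),.*api error AccessDenied")

@dataclass
class Triage:
    mfa_session: bool = False              # GetSessionToken (with MFA) seen
    skipped_session: Optional[str] = None  # reason aws-vault gave for skipping it
    federation_token: bool = False         # GetFederationToken path taken
    denied_api: Optional[str] = None       # STS API that returned AccessDenied
    notes: List[str] = field(default_factory=list)

def triage(debug_output: str) -> Triage:
    """Classify one transcript; works for both `login` and `exec` runs."""
    t = Triage()
    for line in debug_output.splitlines():
        if SESSION_TOKEN_MFA.search(line):
            t.mfa_session = True
        elif (m := SKIP_SESSION.search(line)):
            t.skipped_session = m.group(1)
        elif FEDERATION.search(line):
            t.federation_token = True
        elif (m := DENIED.search(line)):
            t.denied_api = m.group(1)
    # A request signed with the IAM user's long-lived keys carries no
    # aws:MultiFactorAuthPresent context, so a "deny unless MFA" policy
    # rejects it even though --mfa-token was given on the command line.
    if t.federation_token and not t.mfa_session:
        t.notes.append("GetFederationToken called with long-lived keys, no MFA context")
    if t.denied_api == "GetFederationToken":
        t.notes.append("AccessDenied matches a deny-unless-MFA policy")
    return t

# Constructed excerpts of the two transcripts in this issue (request id redacted).
LOGIN_LOG = """\
profile my-profile: using stored credentials
profile my-profile: skipping GetSessionToken because sessions are disabled for this profile
Using GetFederationToken for credentials
aws-vault: error: login: operation error STS: GetFederationToken, https response error StatusCode: 403, RequestID: <redacted>, api error AccessDenied: User: arn:aws:iam::############:user/jutley is not authorized to perform: sts:GetFederationToken on resource: arn:aws:sts::############:federated-user/jutley with an explicit deny"""
EXEC_LOG = """\
profile my-profile: using stored credentials
profile my-profile: using GetSessionToken (with MFA)
Generated credentials ****************VAMX using GetSessionToken, expires in 59m59.78726s"""
```

Running triage(LOGIN_LOG) yields two notes and denied_api "GetFederationToken", while triage(EXEC_LOG) yields an MFA session and no notes.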

I have exactly the same issue on aws-vault v7.2.0

EDIT:

I've downgraded aws-vault to version v6.3.1 and everything is working again.