Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Doesn't ask MFA token code when using assume_role with MFA required #2420

Open
jsi-p opened this issue Nov 23, 2017 · 48 comments
Open

Doesn't ask MFA token code when using assume_role with MFA required #2420

jsi-p opened this issue Nov 23, 2017 · 48 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. provider Pertains to the provider itself, rather than any interaction with AWS.

Comments

@jsi-p
Copy link

jsi-p commented Nov 23, 2017

When using multiple AWS accounts it's good practice to only allow access via AssumeRole from a master account. This can be done with or without requiring MFA. Terraform supports assume_role with s3 state file and aws provider configurations, but doesn't seem to ask the MFA token code when one is required. This prevents using AssumeRole for credentials when MFA is required.

AWS documentation describing MFA with cross account AssumeRole: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html#MFAProtectedAPI-cross-account-delegation

Terraform Version

$ terraform --version
Terraform v0.11.0

Affected Resource(s)

Both of these support assume_role, so they should also support asking for MFA token code:

  • S3 backend configuration
  • AWS provider configuration

Terraform Configuration Files

terraform {
  backend "s3" {
    bucket = "terraform-state-bucket"
    key = "tf-state"
    region = "eu-west-1"
    role_arn = "arn:aws:iam::916005212345:role/OrganizationAccountAccessRole"
  }
}
provider "aws" {
  region = "eu-west-1"
  assume_role {
    role_arn = "arn:aws:iam::916005212345:role/OrganizationAccountAccessRole"
    session_name = "terraform-session"
  }
}

Actual Behavior (with DEBUG)

$ TF_LOG=debug terraform init
2017/11/23 13:36:12 [INFO] Terraform version: 0.11.0  
2017/11/23 13:36:12 [INFO] Go runtime version: go1.9.2
2017/11/23 13:36:12 [INFO] CLI args: []string{"/usr/local/Cellar/terraform/0.11.0/bin/terraform", "init"}
2017/11/23 13:36:12 [DEBUG] Attempting to open CLI config file: /Users/***/.terraformrc
2017/11/23 13:36:12 [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2017/11/23 13:36:12 [INFO] CLI command args: []string{"init"}
2017/11/23 13:36:12 [DEBUG] command: loading backend config file: /Users/***

Initializing the backend...
2017/11/23 13:36:12 [WARN] command: backend config change! saved: 16375281725947963338, new: 2383462577283113429
Backend configuration changed!

Terraform has detected that the configuration specified for the backend
has changed. Terraform will now reconfigure for this backend. If you didn't
intend to reconfigure your backend please undo any changes to the "backend"
section in your Terraform configuration.


2017/11/23 13:36:12 [INFO] Building AWS region structure
2017/11/23 13:36:12 [INFO] Building AWS auth structure
2017/11/23 13:36:12 [INFO] Setting AWS metadata API timeout to 100ms
2017/11/23 13:36:13 [INFO] Ignoring AWS metadata API endpoint at default location as it doesn't return any instance-id
2017/11/23 13:36:13 [INFO] Attempting to AssumeRole arn:aws:iam::***:role/OrganizationAccountAccessRole (SessionName: "", ExternalId: "", Policy: "")
2017/11/23 13:36:13 [INFO] AWS Auth provider used: "SharedCredentialsProvider"
2017/11/23 13:36:13 [DEBUG] plugin: waiting for all plugin processes to complete...
Error initializing new backend: 
Error configuring the backend "s3": The role "arn:aws:iam::***:role/OrganizationAccountAccessRole" cannot be assumed.

  There are a number of possible causes of this - the most common are:
    * The credentials used in order to assume the role are invalid
    * The credentials do not have appropriate permission to assume the role
    * The role ARN is not valid

Please update the configuration in your Terraform files to fix this error
then run this command again.
@jsi-p
Copy link
Author

jsi-p commented Nov 23, 2017

This comment describes the same issue (while they workaround by not using MFA, which we do not want to do):

hashicorp/terraform#11270 (comment)

@jsi-p
Copy link
Author

jsi-p commented Nov 23, 2017

I would also like to see this work when simply using AWS_PROFILE env with the target profile configured to use a cross account role_arn and mfa_serial. In fact this would be the preferred way to use terraform for us.

$HOME/.aws/credentials:

[default]
aws_access_key_id = ***
aws_secret_access_key = ***

[subaccount]
role_arn = arn:aws:iam::***:role/OrganizationAccountAccessRole
source_profile = default
mfa_serial = arn:aws:iam::***:mfa/[email protected]

Terraform invocation:

AWS_PROFILE=subaccount terraform init

@tamsky
Copy link
Contributor

tamsky commented Nov 29, 2017

FYI use of shared [profile]s via ~/.aws/config only landed a few days ago in:

#1608

Comment from that PR:

This won't support assuming roles where an MFA device has been specified for the profile (in ~/.aws/config)

There was another implementation of #1608 -- it appears to include some (possibly limited) MFA support, but was closed in favor of 1608:

https://github.com/terraform-providers/terraform-provider-aws/pull/1590/files#diff-0460e055ea98f6ed9713f2265a1b1d49R266

Getting the go-sdk to prompt (once, and only once) for an MFA code would appear to involve a bit more work, but not much, by my reading of the comments.

@tamsky
Copy link
Contributor

tamsky commented Nov 29, 2017

aws/aws-sdk-go#1088 adds the StdinTokenProvider which we'd use.

@tamsky
Copy link
Contributor

tamsky commented Nov 29, 2017

Also, caching of the temporary sts credentials in a portable cross-process manner might be an open issue: aws/aws-sdk-go#1329

@tamsky
Copy link
Contributor

tamsky commented Nov 29, 2017

awless's implementation of 15min temporary credential caching:
wallix/awless#109 (comment)
in
wallix/awless@5a73223

@danlsgiga
Copy link

danlsgiga commented Dec 7, 2017

Just had the same issue... Have a profile with a role to be assumed and MFA enabled but it seems MFA is not supported at this moment.
This would be a great addition to our setup.

We don't really need it to be prompted (probably should not even be considered)... working just like Packer works would be sufficient and that is having a mfa_code option where we can pass using -var or env vars.

https://www.packer.io/docs/builders/amazon-ebs.html#mfa_code

@mikemoate
Copy link
Contributor

mikemoate commented Dec 8, 2017

@tamsky I tried to add the MFA functionality into #1608 (we ideally wanted to be using MFA) but you are correct that the lack of an STS credentials cache essentially makes this unusable for the end user (repeated prompts for MFA token, and as tokens can only be used once, you have to wait until a new token is generated each time).

Since the inability to assume roles defined in the profile file was hurting us more, I elected to pursue that fix for now (still hasn't quite been released, see hashicorp/terraform#16661), though I might return to the MFA issue when I next have some spare capacity (if someone else hasn't stepped in to solve it).

(the original PR hashicorp/terraform#11734 that I resurrected to form #1608, had some discussion on MFA which led to me experimenting and finding the limitations)

@apparentlymart apparentlymart added the enhancement Requests to existing resources that expand the functionality or scope. label Dec 18, 2017
@apparentlymart
Copy link
Contributor

Hi all!

In general, Terraform doesn't currently support this sort of dynamic prompting for providers, and indeed the existing prompting features in Terraform are there primarily to help new users get started and we expect users to switch pretty early to using Terraform as a non-interactive, scripted tool, ideally running in a centrally-administered environment to avoid the need to sprawl various secrets across multiple user workstations.

Some users have reported success using a wrapper/helper script that calls sts:GetSessionToken to obtain temporary credentials in return for an MFA token, and then passes those temporary credentials to Terraform via environment variables, thus allowing that wrapper program to use whatever interactive means is appropriate (CLI prompt, web UI, etc) to collect that MFA token. This is, indeed, the methodology used by Terraform Enterprise for its AWS MFA support.

Managing authentication use-cases in wrapper scripts allows for other more advanced use-cases too, such as SAML authentication.

At this time we do not have plans to support interactive authentication to providers since it would require some significant changes to the provider model. We will probably look at this again in future in the context of some other breaking change to the provider model so that we can bundle multiple changes together, though as noted above we generally expect Terraform to be used non-interactively in some sort of automation once users pass the experimental phase, so any features we build in this area will need to also solve for a non-interactive workflow for that common case.

@phil-hachey
Copy link

For my purposes, I needed this feature for AWS org resource management across multiple accounts, so I can easily bootstrap new accounts. Another use case is for DevOps to manage resources across accounts originating from a "security" account (as described here). In all scenarios, MFA should be enabled for cross account access (internal requirement).

I ended up getting this to work by requesting temporary credentials using MFA and saving them to ~/.aws/credentials. With these credentials, the "MFA required" condition has been met and you're free to use the assume_role block of the aws provider in Terraform:

provider "aws" {
  alias  = "dev_account"
  region = "${var.aws_region}"

  assume_role {
    role_arn = "${var.dev_account_target_role_arn}"
  }
}

I created a simple python cli to generate the creds:
https://github.com/phil-hachey/aws-mfa-tool

@bflad bflad added the provider Pertains to the provider itself, rather than any interaction with AWS. label Jan 29, 2018
@scalp42
Copy link
Contributor

scalp42 commented Aug 8, 2018

Has anyone tried working around the issue by using something like https://github.com/remind101/assume-role ?

@kmaris
Copy link

kmaris commented Aug 8, 2018

@scalp42 assume-role works. I also used a smaller and simpler script to do about the same: https://gitlab.com/kmaris/wtf (The name is terrible, I know).

@andreas-venturini
Copy link

andreas-venturini commented Aug 8, 2018

I ended up getting this to work by requesting temporary credentials using MFA and saving them to ~/.aws/credentials

I suggest aws-vault for this purpose as it is much more convenient. aws-vault stores your long-term access credentials encrypted and will deal with exposing temporary AWS access credentials to your shell or application so you don't have to. As a matter of fact, you can delete your credentials file and manage AWS API access entirely w/ aws-vault and named profiles defined in ~/.aws/config.

I'll show an example that uses cross account IAM role delegation for executing terraform commands.
OrganizationAccountAccessRole is the IAM role that authorized IAM users from an AWS master account can assume. The trust policy of the IAM role enforces MFA (set aws:MultiFactorAuthPresent boolean flag as described here)

The terraform AWS provider config:

provider "aws" {
  profile = "${var.aws_vault_profile}"
  region  = "${var.aws_region}"
  version = "~> 1.30.0"

  assume_role {
    role_arn = "arn:aws:iam::${var.aws_app_account_id}:role/OrganizationAccountAccessRole"
  }
}

Here is the corresponding ~/.aws/config file. It defines a terraform profile which uses MFA (the [profile ...] block is automatically created by aws-vault when adding a new profile - you just have to fill in the arn of the MFA device).

[default]
aws_region=eu-central-1

[profile terraform]
mfa_serial=arn:aws:iam::123456789012:mfa/Andreas

Then simply use aws-vault exec to wrap the terraform command - or set up an alias like so (note to change the backend depending on your system environment - this example uses the secret service API w/ keyring which works well for me on Ubuntu):

# always use aws-vault to wrap terraform command
alias terraform='aws-vault exec terraform --backend=secret-service -- terraform'

When you run terraform you will be automatically prompted for the access token:

➜  terraform-setup (master) ✗ terraform workspace list                                                          
Enter token for arn:aws:iam::123456789012:mfa/Andreas: 

Of course you can also use multiple profiles w/ aws-vault. There are more advanced configuration examples in the aws-vault docs.

@jonscheiding
Copy link

We can work around this using aws-vault or something similar, but I'd love to see the idea of interactive MFA authentication revisited (both for AWS and for other cloud providers where applicable).

I strongly disagree with @apparentlymart's rationale from 2 years ago. While iterating on a TF configuration, I might terraform apply it against our dev account dozens of times over the course of a day. Doing that through our build/deploy pipeline is an obvious non-starter.

Of course we use that pipeline for deployment to environments after dev. So it's not a matter of using TF interactively to manage our infrastructure. But we're contractually obligated to enforce MFA even in our dev account. (And we use account federation with centralized IAM management so it's not really possible to selectively enforce it anyway.) So as is, it makes our dev workflow more complex.

I can't imagine our workflow or our requirements are particularly unusual, so it seems like a high value add for TF to support it.

@stumyp
Copy link

stumyp commented Oct 10, 2019

My 2 cents:

  • My workflow requires MFA even for CLI actions.
  • I want to be able to use multiple providers with assume_role to a different role/account to manage different resources. It is especially important for account/organization management where multiple accounts are unavoidable.
  • While I understand the point of non-interactive flow. I'd really like to see the possibility of using environment variable for specifying MFA value, something like this:
AWS_MFA_TOTP=123456 terraform apply

so if assumed role requires MFA we can work around it by using variable and if that role is not protected with MFA, it will not be used.

Thanks

@yn-academia
Copy link

There is no need to prompt for Terraform to support asking for a MFA value. If you run AWS_PROFILE=profile_that_requires_mfa aws iam list-users from the AWS CLI tool, and enter your token into the CLI tool, you will then find your temporary credentials cached in ~/.aws/cli/cache, so Terraform could just use that, and keep around the requirement that terraform is non-interactive.

@yobert
Copy link

yobert commented Jan 15, 2020

Re @stumyp

  • While I understand the point of non-interactive flow. I'd really like to see the possibility of using environment variable for specifying MFA value, something like this:

The problem with this is that an MFA token is only allowed to be used once in AWS and so this would effectively limit terraform to only one API call every 30 seconds.

@stumyp
Copy link

stumyp commented Jan 15, 2020

The problem with this is that an MFA token is only allowed to be used once in AWS and so this would effectively limit terraform to only one API call every 30 seconds.

This is incorrect: once temporary session is obtained it can lasts much longer.
see assume role API call

@yobert
Copy link

yobert commented Jan 16, 2020

The problem with this is that an MFA token is only allowed to be used once in AWS and so this would effectively limit terraform to only one API call every 30 seconds.

This is incorrect: once temporary session is obtained it can lasts much longer.
see assume role API call

Aha I see what your saying. I thought you meant an environment variable for the MFA code would be sufficient to replace the temporary credential storage workflow. My bad!

@sir-farfan
Copy link

I got here because I also need Terraform to ask the MFA key before assuming the role.
Guess it's still not possible...

@dac73
Copy link

dac73 commented Jan 27, 2020

@stumyp I have exactly that problem, and what my solution does is it creates tf profiles with an assumed role in ~/.aws/credentials so I can then use named profiles in terraform code. So basically I run the script against multiple assumed roles once and then I can use terraform across multiple accounts/assumed roles (until tokens expire). It's not a solution for only one account/assumed role.

@stumyp
Copy link

stumyp commented Jan 27, 2020

Thank you, @dac73, I was not looking for the workaround.

I'm just adding one more voice to implement fully STS AssumeRole API call in Terraform. Not in the way it is done right now.

Currently TF supports only three input parameters:

    role_arn     = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
    session_name = "SESSION_NAME"
    external_id  = "EXTERNAL_ID"

while API call accepts more.:

  • DurationSeconds
  • Policy
  • PolicyArns.member.N
  • SerialNumber
  • Tags.member.N
  • TokenCode
  • TransitiveTagKeys.member.N

Probably it should be a separate issue to add the rest of the parameters, but I would love to see there

  • DurationSeconds
  • SerialNumber
  • TokenCode

Let the users deal with how they want to provide those values to TF, just add support for it.

@stumyp
Copy link

stumyp commented Jan 27, 2020

@apparentlymart should I create separate issue for what I'm asking for, since this particular one is about dynamic prompting for MFA value?

@lapkritinis
Copy link

I support requesting for MFA input. Profiles, etc are good for single provider, but thats not always the case. For example I have a need to build VPC peering between two accounts. Each of them requires MFA. Unless I setup some cross account trust in AWS - there is no way to achieve that using environment variables as all of them - will be for single account only.

@mdforbes500
Copy link

Also here to support implementing MFA input. When implementing AWS CLI accounts, MFA is a must here.

@scalp42
Copy link
Contributor

scalp42 commented Sep 11, 2020

@andreas-venturini the issue is that yes aws-vault will work but in our scenario we have to consume the state in different accounts.

Assuming you have 2 accounts prod and dev with respective states, S3 buckets and credentials/roles:

data "terraform_remote_state" "prod_us_west_2" {
  backend = "s3"

  config = {
    profile = "prod"
    bucket  = "terraform"
    key     = "prod/us-west-2/main.tfstate"
    region  = "us-west-2"
  }
}

data "terraform_remote_state" "dev_us_west_2" {
  backend = "s3"

  config = {
    profile = "dev"
    bucket  = "terraform"
    key     = "dev/us-west-2/main.tfstate"
    region  = "us-west-2"
  }
}

If you wrap the terraform command:

aws-vault exec prod -- terraform plan

It'll work as long as you don't have a provider that references a state from a different account if it makes sense as it'll assume whatever role in the prod account but then try to access the dev account as the assumed role if it makes sense and will fail.

Without MFA/aws-vault, it'll work as Terraform can handle multiple sessions per providers.

@olfway
Copy link

olfway commented Sep 11, 2020

Different accounts can be used with aws-vault as a credential_process for aws sdk, ie

~/.aws/config

[profile root]
mfa_serial = arn:aws:iam::XXX:mfa/olfway
credential_process = env AWS_SDK_LOAD_CONFIG=0 aws-vault --backend=pass --pass-prefix=aws-vault --prompt=osascript exec --region eu-west-1 --duration=1h root --json

[profile prod]
source_profile = root
parent_profile = root
role_arn = arn:aws:iam::YYY:role/Prod

[profile dev]
source_profile = root
parent_profile = root
role_arn = arn:aws:iam::ZZZ:role/Dev

and then run terraform as

export AWS_SDK_LOAD_CONFIG=1
terraform plan

@scalp42
Copy link
Contributor

scalp42 commented Sep 11, 2020

@olfway I tried to replicate the same set up but I'm running into the following:

Error: error configuring S3 Backend: Error creating AWS session: AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.

What does your provider configuration looks like?

@olfway
Copy link

olfway commented Sep 12, 2020

provider "aws" {
  profile = "prod"
  region  = "eu-west-1"
  version = "3.4.0"
}
terraform {
  required_version = "0.13.2"
  backend "s3" {
    profile        = "prod"
    region         = "eu-west-1"
    dynamodb_table = "terraform-locks"
    bucket         = "prod-terraform-states"
  }
}

Also you could check with

export AWS_SDK_LOAD_CONFIG=1
aws --profile prod sts get-caller-identity

it should use credentials from aws-vault and ask for mfa only once

or run aws-vault directly:

env AWS_SDK_LOAD_CONFIG=0 aws-vault --some-backend-options --prompt=osascript exec --region eu-west-1 --duration=1h root --json

@imaginarynik
Copy link

Has there already been an update on this? Any good solutions apart from aws-vault?

@o6uoq
Copy link

o6uoq commented Feb 17, 2021

https://awsu.me/

@MikeRippon
Copy link

MikeRippon commented Jul 21, 2021

This feels like a glaring omission. While being a "non-interactive, scripted tool" is a great primary goal, expecting everything to run in an automated pipeline is unrealistic, especially when terraform has commands such as destroy, force-unlock, import, refresh, state, taint, untaint, which only make sense to be invoked manually. Not to mention that the CLI already prompts for user input if a variable isn't set (for example).

Occasionally you need an escape hatch to deal with edge cases, and how many people don't have MFA enabled for live environments?

I'm forced to choose between turning off MFA (non-option), or adding third-party tooling/custom scripts (which increases maintenance, cognitive overhead, and learning curves for new developers). I'm trying to reduce the complexity of infrastructure deployments, not increase it.

Thankfully I'm thinking of this in advance and making sure there's a solution in place for my client. I feel sorry for anyone that relies on their tf pipeline, and then ends up screwed because something unexpected happened in live, and they can't fix it just because terraform can't ask them for an MFA code.

@rwiggins
Copy link

For anyone who's just looking for a simple escape hatch: There are plenty of programs that manage this problem better, as written above, but honestly, I've used this incredibly simple bash script for years, although I call it exec-in-aws-context instead of aws-assume-role. Basically, if you are using an AWS CLI profile that has a source profile configured, it sets up the AssumeRole-driven session using the AWS CLI, then grabs the temporary credentials and shoves them into the "basic" envvars (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY). In other words, the invoked program (e.g. Terraform) doesn't need to support the full suite of AWS CLI profile features. From the program's perspective, it's just regular AWS credentials.

For example:

Place the script somewhere on your path, e.g. ~/bin/exec-in-aws-context. Make sure you're using an AWS_PROFILE that has a source_profile in ~/.aws/config. Invoke Terraform like

exec-in-aws-context terraform apply

The script will call the AWS CLI and set up the temporary session (which will prompt you for MFA), then invoke terraform apply with the "simple" envvars instead of AWS_PROFILE.

I've actually found that little bash script very useful over the years. I prefer it over some I've seen because it just goes through the regular AWS CLI flow instead of re-implementing part(s) of it in bash. Additionally, it doesn't mess with your existing shell session envvars.

@ghomem
Copy link

ghomem commented Sep 20, 2021

I have been reading this ticket and would like to clarify if I understand it correctly.

Using this:

provider "aws" {
  region = "eu-west-2"
  access_key = var.aws_key
  secret_key = var.aws_secret
}

Terraform prompts for the key and secret which come straight away from a password management tool with encrypted storage.

In case the user has MFA enabled would it be possible that terraform also prompts for the TOTP code? Is there any intention to support this on terraform or is this not considered an interesting scenario?

Thanks! :-)

@prmarino1m
Copy link

prmarino1m commented Nov 3, 2021

if I'm getting this right the reason we cant have an interactive MFA prompt is because its not compatible with automation. i disagree with the premise that automation of running terraform is always required.
if automation is needed then TOTP codes are not hard to get working, TOTP authenticators are programmed with a string so all that's needed is a field that can be added to calculate the code from a string, however I would be remis if I didn't state that not prompting is a mistake because it circumvents Information security requirements
So the solution might be to have an option in the provider that lets you choose between prompting the user for MFA, Not prompting the user for MFA, or calculating the MFA from the string.
this would satisfy everyone.
Also this is one of several massive issues with AWS govcloud support.

@prmarino1m
Copy link

By the way despite seatmates to the contrary in other tickets the AWS CLI does cache session tokens for assume role operations see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-configure-role-mfa for details so an other option would be to allow terraform to use the cached credentials. if it used the cache then users could just do a simple aws sts get-caller-identity against the profile and they would be prompted for their MFA then terraform could used the cached credentials

@boillodmanuel
Copy link

If you want to run a terraform project that requires MFA, this is possible.
Before running terraform, you can get a session token with MFA and then use its credentials to run terraform.
This is explained here: https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/

The pseudo code is:

# Get an AWS session
# NOTE: MFA_CODE is a fresh CODE given by your MFA virtual device, like google authenticator. This code change so you can't automate this command
aws sts get-session-token --serial-number "${MFA_DEVICE_SERIAL_NUMBER}" --token-code "${MFA_CODE}"

# The credentials of the session are in the output of the previous command
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_SESSION_TOKEN=

# Run terraform
terraform apply

The following script allows you to get the MFA_DEVICE_SERIAL_NUMBER:

CURRENT_USER_ARN="$(aws sts get-caller-identity --query Arn --output text)
MFA_DEVICE_SERIAL_NUMBER="$(aws iam list-virtual-mfa-devices --query "VirtualMFADevices[?User.Arn=='${CURRENT_USER_ARN}'] | [0].SerialNumber" --output text)"

As said, you have to get the MFA_CODE manually.

@gdavison
Copy link
Contributor

gdavison commented Feb 28, 2023

Additional discussion on this issue, including workarounds used by some practitioners, can be found at #10491

@gdavison
Copy link
Contributor

Hello everyone, and thank you for your patience on this long-standing issue.

As @apparentlymart mentioned in #2420 (comment), the expectation has been that Terraform will typically be used in a non-interactive mode. While that is generally still the sentiment in the Terraform CLI team, we are having some discussions internally around how to allow some interactivity.

The Terraform CLI repository is the best place to request interactivity for Terraform. This will have to be a general solution that can address needs for any providers that would need this. It would also have to act "reasonably" in the case where Terraform is running non-interactively and a provider requests interaction.

There have been a few workarounds and proposed solutions listed in this issue.

  1. Using external tools (aws-vault seems to be the most popular) to perform the authentication before starting Terraform. This appears to work well for some practitioners, especially when the tool "wraps" calls to Terraform, so that the tool can manage renewing the credentials.
  2. Using a script to create temporary credentials in the ~/.aws/credentials file. This will work, but will not be able to renew the credentials. Thus, the session duration needs to be long enough to complete the Terraform operations.

AWS profiles also support the use of an External Credentials Process to authenticate. The AWS Provider currently supports this with profiles in the ~/.aws/config file. We have an open issue, #24885, to add this to the provider configuration block. In both cases, however, the process must be able to prompt the user without using the console, since it is not available from within the provider. aws-vault appears to be able to do this on macOS using the flag --prompt=osascript, but I have not seen examples for other platforms.

Another suggestion was to make use of the AWS CLI credentials cache. The AWS CLI documents the location of the cache, but doesn't document the format. While the format is the format used by the Boto python library, because it isn't stated in the CLI documentation, it is not guaranteed not to change. We feel that this approach is too brittle for inclusion in the provider.

We're going to add the external credentials process to the provider for parity with the credentials and configuration files. We understand that this is not a perfect solution for the MFA issue. Without the ability to interact with the practitioner, the provider cannot solve the MFA issue by itself. Some of the other workarounds or tools may work for you in conjunction with the options supported by the provider.

@olivers-xaxis
Copy link

For anyone who's just looking for a simple escape hatch: There are plenty of programs that manage this problem better, as written above, but honestly, I've used this incredibly simple bash script for years, although I call it exec-in-aws-context instead of aws-assume-role. Basically, if you are using an AWS CLI profile that has a source profile configured, i

This link is dead, does anyone have the source?

@CaerusKaru
Copy link

CaerusKaru commented Jan 18, 2024

Now that aws/aws-cli#3711 has been merged, this is very trivial to implement for any non-S3 backend processes. This is assuming you already have an AWS config profile that has MFA and AssumeRole configured.

Add a new profile using credential_process dedicated to Terraform, e.g. assuming you have a profile existing already called "myprofile":

[profile myprofile-tf]
credential_process = aws configure export-credentials --profile myprofile

The CLI will prompt for the MFA code in the process of running terraform, and will cache the result, taking Terraform out of the equation entirely.

I'm not fully sure why this doesn't work for the S3 backend just specifying profile in the provider, but adding AWS_PROFILE as a command-line environment variable worked for me on terraform init.

Once the feature @gdavison mentioned above lands for configuring this from the Terraform provider itself, the extra profile will not be necessary.

@act-mreeves
Copy link

I'm not fully sure why this doesn't work for the S3 backend just specifying profile in the provider, but adding AWS_PROFILE as a command-line environment variable worked for me on terraform init.

No need to set an environment variable, just set the profile explicitly in the backend. Having to specify this separately is intentional because you could keep terraform state in one central AWS account for example but wish to control resources in a different AWS account. True that it would perhaps make sense to make that the default though.

terraform {
  backend "s3" {
    bucket  = "my-cool-tf-bucket"
    key     = "terraform-state/some-key.tfstate"
    region  = "us-east-2"
    profile = "my_aws_account"
  }
}

@apparentlymart
Copy link
Contributor

(I no longer work on Terraform at HashiCorp, so although my previous comments were made on behalf of HashiCorp, this and any subsequent comments are just me speaking for myself alone.)

It seems to me that Terraform v1.10's "Ephemeral Values" has introduced another potential avenue for filling this gap.

The lowest-level requirement for AssumeRole with an MFA policy is for the provider to offer some way to populate the SerialNumber parameter in the sts:AssumeRole request. A long way back in this discussion someone suggested that the provider could support an environment variable for passing that, and that does seem plausible in principle, but with Ephemeral Values it would now be viable to offer that also as an optional argument in the assume_role block like this:

variable "aws_mfa_token" {
  type      = string
  ephemeral = true
}

provider "aws" {
  # ...
  assume_role {
    # ...
    # The following argument is not currently supported by the AWS provider,
    # but presumably _could be_ supported.
    serial_number = var.aws_mfa_token
  }
  # ...
}

Declaring the aws_mfa_token input variable as ephemeral has two interesting effects for this use-case:

  1. Terraform guarantees that it won't persist that value as part of either a saved plan or a new state snapshot. (It will return an error if you try to refer to var.aws_mfa_token in any context where that would be required.)
  2. A value must be set for this variable for plan and apply separately, which deals with the fact that the MFA token used for planning will likely be invalid by the time the plan is applied.

Since this is an input variable, all of the usual ways of setting it would work: on the command line, in a .tfvars file, or using an environment variable named TF_VAR_aws_mfa_token. This is more general than a single environment variable implemented directly by the provider because it can allow for more complicated cases like authenticating to two different AWS accounts at once where both need their own separate MFA; you'd then use two separate input variables, presumably.

Adding default = null to the input variable declaration would make it optional so that a particular configuration can work both with and without an MFA requirement, for organizations where e.g. MFA is used for development environments but not in automated pipelines.

Although this approach would not make Terraform itself directly interactive, it would allow for writing a wrapper script that shows some kind of MFA prompt and then sets an ephemeral input variable via an environment variable when running terraform. Overall this is roughly the same as what you'd do if you were using JSON Web Tokens (aka "OpenID Connect")-style authentication in an auth pipeline, where again the JWT needs to be able to vary between the plan and apply phases because those too are time-limited tokens.

I mention this only in case it seems interesting as a lower-weight approach than running an external program. I do think that the external credential process option is probably the most robust thing because having the AWS provider be the one to run the program that collects the MFA token means that the AWS provider can re-run the program if the initial assume role credentials expire. That model is then similar to Git, 1Password's SSH key management, etc, where the client program (the AWS provider in this case) just blocks until interactive input is handled in some other place. But if your plan and apply processes are able to complete within a reasonable amount of time then just being able to provide a different token during the apply phase -- as ephemeral input variables allow -- is probably a good enough compromise.

@stumyp
Copy link

stumyp commented Jan 9, 2025

Thanks @apparentlymart , this is basically allows the serial parameter to get set, and leave the control to the user, whether to use ephemeral variable or not, etc. That is all I was asking.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement Requests to existing resources that expand the functionality or scope. provider Pertains to the provider itself, rather than any interaction with AWS.
Projects
None yet
Development

No branches or pull requests