
WIP: Add Support for assumeRoles with enforced MFA #3885

Closed
wants to merge 3 commits into from

Conversation

@n3ph (Contributor) commented Mar 22, 2018

In order to deal with assumeRoles expecting to use MFA, we could at least use stscreds.StdinTokenProvider.

This fixes #226 and #2420 and enhances #1275.
Also requested in hashicorp/terraform#11270 and hashicorp/terraform#1275.

@ghost ghost added the size/XS Managed by automation to categorize the size of a PR. label Mar 22, 2018
@n3ph n3ph changed the title Initial Commit Add Support for assumeRole with enforced MFA Mar 22, 2018
@n3ph n3ph changed the title Add Support for assumeRole with enforced MFA WIP: Add Support for assumeRole with enforced MFA Mar 22, 2018
@n3ph (Contributor, Author) commented Mar 22, 2018

This is working so far with the following setup:

1. Configuration in `.aws/config`:

   ```ini
   [default]
   output = json
   region = eu-central-1
   mfa_serial = arn:aws:iam::000000000000:mfa/some_device

   [profile full_access_mfa]
   role_arn = arn:aws:iam::111111111111:role/FullAccessMFA
   source_profile = default
   ```

2. Credentials separately in `.aws/credentials`:

   ```ini
   [default]
   aws_access_key_id = foo
   aws_secret_access_key = bar
   ```

3. Terraform provider in `main.tf`:

   ```hcl
   provider "aws" {
     region  = "eu-central-1"
     profile = "full_access_mfa"
     mfa     = true
   }
   ```

4. AssumeRole trust policy on `arn:aws:iam::111111111111:role/FullAccessMFA`:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "AWS": "arn:aws:iam::000000000000:root"
         },
         "Action": "sts:AssumeRole",
         "Condition": {
           "Bool": {
             "aws:MultiFactorAuthPresent": "true"
           }
         }
       }
     ]
   }
   ```

So far there is no prompt showing up. It seems like the stdout from the provider plugin is suppressed. Submitting without entering a code would lead to:

```
Error: Error running plan: 1 error(s) occurred:

* provider.aws: unexpected newline
```

Additionally, this will not work with multiple providers using MFA-enforced assumeRole profiles (https://github.com/aws/aws-sdk-go/blob/master/aws/credentials/stscreds/assume_role_provider.go).

Any suggestions or recommendations on how to improve this attempt?
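The trust policy in step 4 is the part that actually enforces MFA: the `Bool` operator never matches when `aws:MultiFactorAuthPresent` is absent from the request context, which is what a plain AssumeRole from long-term keys looks like, while AssumeRole called with `SerialNumber` and `TokenCode` (the values a token provider such as `stscreds.StdinTokenProvider` feeds in) carries the key as `true`. The block below is an added Python model of that evaluation; it is not code from this PR, from the provider or from AWS. The caller ARN `arn:aws:iam::000000000000:user/terraform` and the request contexts are constructed for illustration, and only the `Bool`, `BoolIfExists`, `Null` and `StringEquals` operators are modelled (unknown operators fail closed). It also includes a small lint, `enforces_mfa`, that flags an AssumeRole `Allow` without the MFA condition.

```python
"""Added model of how IAM evaluates a role trust policy for sts:AssumeRole.
Illustrative code, not AWS's implementation: only Bool, BoolIfExists, Null and
StringEquals are modelled, and unknown operators fail closed."""
import json

MFA_KEY = "aws:MultiFactorAuthPresent"

# Trust policy from step 4 of the setup above (account IDs are its placeholders).
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::000000000000:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}""")

# Hypothetical caller in the trusted account, and the two request contexts STS
# builds: AssumeRole with SerialNumber + TokenCode carries the key as "true";
# a plain AssumeRole from long-term keys carries no key at all.
CALLER = "arn:aws:iam::000000000000:user/terraform"
MFA_CONTEXT = {MFA_KEY: "true"}
NO_MFA_CONTEXT = {}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account(arn):
    return arn.split(":")[4]  # arn:partition:service:region:ACCOUNT:resource


def _principal_matches(stmt, caller_arn):
    """'*' matches anyone; 'arn:aws:iam::ACCOUNT:root' delegates to every principal
    of that account (their own identity policy must also allow AssumeRole, which
    is not modelled here); any other ARN must match exactly."""
    principal = stmt.get("Principal", {})
    entries = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
    for entry in entries:
        if entry == "*" or entry == caller_arn:
            return True
        if entry.endswith(":root") and _account(entry) == _account(caller_arn):
            return True
    return False


def _condition_matches(operator, key, expected, context):
    present = key in context
    actual = str(context.get(key, "")).lower()
    wanted = [str(v).lower() for v in _as_list(expected)]
    if operator == "Bool":
        # An absent key never matches: this is why Allow + Bool:true enforces MFA.
        return present and actual in wanted
    if operator == "BoolIfExists":
        # An absent key counts as a match: the form a Deny on "false" needs.
        return (not present) or actual in wanted
    if operator == "Null":
        return (not present) if wanted == ["true"] else present
    if operator == "StringEquals":
        return present and str(context[key]) in [str(v) for v in _as_list(expected)]
    return False  # unknown operator: fail closed


def _statement_applies(stmt, caller_arn, action, context):
    if not _principal_matches(stmt, caller_arn):
        return False
    if action not in _as_list(stmt.get("Action", [])):
        return False
    for operator, entries in stmt.get("Condition", {}).items():
        for key, expected in entries.items():
            if not _condition_matches(operator, key, expected, context):
                return False
    return True


def assume_role_allowed(policy, caller_arn, context, action="sts:AssumeRole"):
    """IAM decision order: an applicable explicit Deny wins, otherwise an
    applicable Allow is required, otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, caller_arn, action, context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def enforces_mfa(policy):
    """Lint: every Allow of sts:AssumeRole must carry Bool aws:MultiFactorAuthPresent=true."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get(MFA_KEY, "")).lower() != "true":
            return False
    return True


if __name__ == "__main__":
    print("AssumeRole with MFA code:  ", assume_role_allowed(TRUST_POLICY, CALLER, MFA_CONTEXT))
    print("AssumeRole without MFA:    ", assume_role_allowed(TRUST_POLICY, CALLER, NO_MFA_CONTEXT))
    print("trust policy enforces MFA: ", enforces_mfa(TRUST_POLICY))
```

One caveat the model makes visible: if MFA is enforced with a `Deny` instead of the `Allow` + `Bool: true` form used here, the Deny must use `BoolIfExists` with `"false"`, because a `Deny` on `Bool: false` does not fire at all when the key is absent, which is exactly the no-MFA, long-term-key case it is meant to block.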

@n3ph n3ph changed the title WIP: Add Support for assumeRole with enforced MFA WIP: Add Support for assumeRoles with enforced MFA Mar 22, 2018
@bflad bflad added enhancement Requests to existing resources that expand the functionality or scope. provider Pertains to the provider itself, rather than any interaction with AWS. labels Mar 22, 2018
@ghost ghost added size/S Managed by automation to categorize the size of a PR. and removed size/XS Managed by automation to categorize the size of a PR. labels Mar 22, 2018
@cornfeedhobo

@n3ph Love the work you are doing here. Would you be opposed to avoiding the mfa = true configuration parameter? It'd be nice if the provider could automatically deduce that a mfa prompt is needed.

@nergdron

Any idea on when this might get merged? It's pretty important for our workflows, where we have enforced MFA and multiple roles.

@kmaris commented Jun 26, 2018

@nergdron I have a small wrapper script that I've been using here: https://gitlab.com/kmaris/wtf while this PR gets merged.

@n3ph (Contributor, Author) commented Aug 19, 2018

As already described, this attempt is not working when you use multiple providers, since every MFA token can be used just once. This leads to problems like this one:

```
* provider.aws: error validating provider credentials: error calling sts:GetCallerIdentity: AccessDenied: MultiFactorAuthentication failed with invalid MFA one time pass code.
	status code: 403, request id: 9ab3efc0-a3bd-11e8-bceb-27eb86ea1be1
```

I am going to close this.
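The error quoted above is what you get when each provider instance performs its own sts:AssumeRole with the same one-time code. The general fix is to assume the role once per code and hand the resulting session credentials to every consumer until they approach expiry. The block below is an added Python sketch of that pattern; it is not the PR's or the provider's code. `FakeSts` is a constructed stand-in that rejects a reused `TokenCode` the way the real API does, `AssumeRoleCache` is the hypothetical shared cache, the role and MFA ARNs are the placeholders from the setup comment, and `REFRESH_MARGIN` is an arbitrary value.

```python
"""Added example: one sts:AssumeRole (and one MFA prompt) per one-time code,
with the session credentials shared by every consumer. Not the PR's code."""
import time

REFRESH_MARGIN = 300  # seconds before Expiration at which we re-assume (and re-prompt)

# Placeholders from the setup comment above.
ROLE = "arn:aws:iam::111111111111:role/FullAccessMFA"
SERIAL = "arn:aws:iam::000000000000:mfa/some_device"


class FakeSts:
    """Constructed stand-in for sts:AssumeRole: a TokenCode is accepted once,
    then rejected with the AccessDenied text seen in the comment above."""

    def __init__(self, now=time.time):
        self.used_tokens = set()
        self.calls = 0
        self._now = now

    def assume_role(self, role_arn, serial_number, token_code, duration=3600):
        self.calls += 1
        if token_code in self.used_tokens:
            raise PermissionError(
                "AccessDenied: MultiFactorAuthentication failed with invalid MFA one time pass code.")
        self.used_tokens.add(token_code)
        return {  # constructed placeholder credentials, not real key material
            "AccessKeyId": "ASIA%016d" % self.calls,
            "SecretAccessKey": "secret-%d" % self.calls,
            "SessionToken": "session-%d" % self.calls,
            "Expiration": self._now() + duration,
        }


class AssumeRoleCache:
    """Hypothetical shared cache: prompts for a code and calls AssumeRole only
    when no usable credentials exist for the (role, MFA device) pair."""

    def __init__(self, assume_role, token_prompt, now=time.time):
        self._assume_role = assume_role   # callable(role_arn, serial_number, token_code)
        self._token_prompt = token_prompt  # callable(serial_number) -> code, e.g. a stdin prompt
        self._now = now
        self._cache = {}

    def credentials(self, role_arn, serial_number):
        key = (role_arn, serial_number)
        creds = self._cache.get(key)
        if creds is None or creds["Expiration"] - self._now() < REFRESH_MARGIN:
            token = self._token_prompt(serial_number)
            creds = self._assume_role(role_arn, serial_number, token)
            self._cache[key] = creds
        return creds


def naive_two_providers(sts, token):
    """Each provider assumes the role itself with the same code: the second fails."""
    sts.assume_role(ROLE, SERIAL, token)
    try:
        sts.assume_role(ROLE, SERIAL, token)
        return "both succeeded"
    except PermissionError as err:
        return str(err)


def cached_two_providers(sts, token):
    """Both providers draw from one cache: one STS call, identical session."""
    cache = AssumeRoleCache(sts.assume_role, token_prompt=lambda serial: token)
    first = cache.credentials(ROLE, SERIAL)   # provider 1
    second = cache.credentials(ROLE, SERIAL)  # provider 2, same session
    return sts.calls, first["AccessKeyId"] == second["AccessKeyId"]


if __name__ == "__main__":
    print("naive: ", naive_two_providers(FakeSts(), "123456"))
    print("cached:", cached_two_providers(FakeSts(), "123456"))
```

In a real client the `assume_role` callable would wrap the SDK's AssumeRole call with `SerialNumber` and `TokenCode` set, and the cache would be the single object every provider instance shares (or a file-backed store if the consumers are separate processes); the important property is that a fresh prompt only happens when the cached session is about to expire.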

@n3ph n3ph closed this Aug 19, 2018
@ghost commented Apr 3, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 3, 2020