Comments (3)
Hi Jonathan,
First off, thanks sooo much for trying Qaz and opening this issue, need all the feedback I can get :-)
Thanks for spotting this. This one is definitely something that needs to be fixed. I'm currently working on version v0.52-beta, I'll add this to the list of bugs to fix.
In the meantime, I'll recommend an alternative solution. I work heavily with multiple accounts and roles in my day-to-day, and I've found that specifying the mfa_serial in config can be a massive pain, as I need to re-enter my MFA code for each call. This can be a pain when you're dealing with over a dozen accounts with roles.
Solution
I normally override my MFA based default or source profiles with an MFA Authenticated Token. For example, here's my setup.
~/.aws/config
[profile default]
aws_secret_access_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
aws_access_key_id = "xxxxxxxxxxxxxxxxxxxx"
region = "eu-west-1"
[profile staging]
role_arn = "arn:aws:iam::999999999:role/staging"
source_profile = "default"
Note that this is the ~/.aws/config file, not the same as ~/.aws/credentials.
The staging role above does actually require MFA authentication via the source. So how I handle this is by using the following command.
$ aws sts get-session-token --serial-number arn:aws:iam::12345678910:mfa/jrudge --token-code <your 6-digit MFA code> --duration-seconds 28800
This command will return credentials and a session token which I store in my ~/.aws/credentials file.
~/.aws/credentials
[default]
aws_session_token = "xxxxxxxxxxxxxxxxxxxxxxxxxx"
aws_secret_access_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
aws_access_key_id = "xxxxxxxxxxxxxxxxxxxx"
So, what's actually happening? Well, the next time I try to switchrole to staging, instead of reading the credentials for the default profile in ~/.aws/config, it will use those in ~/.aws/credentials as source and assume the role that way. Since the credentials are already MFA authenticated for xx amount of hours/seconds, it won't ask for an MFA code to assume the role.
It may seem like an odd hoop to jump through, however, note the --duration-seconds on the command above. This allows you to set the session for up to 24 hours. That'll be 24 hours without needing to re-enter your MFA key.
I recommend this method if you're working heavily with MFA authenticated Roles.
Note: You'll need to move your credentials from ~/.aws/credentials to ~/.aws/config and only use the ~/.aws/credentials file for overriding credentials. Most AWS SDKs and the CLI tools look for credentials in the following order.
- ENV Variables
- ~/.aws/credentials
- ~/.aws/config
--
Let me know if this helps at all.
And thanks again for creating this issue, I'll have this bug fixed soon.
Best,
Shaun
from qaz.
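The get-session-token step described in the comment above, scripted end to end as an added example (this is not code from the comment author or from the qaz project). It validates the token code, calls `aws sts get-session-token`, and writes the returned keys into ~/.aws/credentials with owner-only permissions. The function names, the `.previous` backup file, and the example ARN in the usage line are assumptions of this example; the MFA serial ARN and a current code from your device are supplied as arguments. Because the CLI reads ~/.aws/credentials before ~/.aws/config and temporary credentials cannot call GetSessionToken, the script moves the previous session file aside before the STS call so that the long-term keys in ~/.aws/config are the ones used.

```shell
#!/usr/bin/env bash
# Added example (not from qaz or the comment author): automate the
# get-session-token step and store the result in ~/.aws/credentials.
# Function names and the ".previous" backup file are choices made here.
set -eu

# Reject anything that is not exactly six digits before calling STS.
validate_token_code() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) echo "token code must be exactly 6 digits" >&2; return 1 ;;
  esac
}

# Render a [default] section in the layout used in the comment above.
# Arguments: access_key_id secret_access_key session_token
render_credentials_section() {
  printf '[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n' \
    "$1" "$2" "$3"
}

# Write the section to a credentials file (4th argument, default
# ~/.aws/credentials) with mode 600, replacing any existing file atomically.
write_credentials_file() {
  local file tmp
  file="${4:-$HOME/.aws/credentials}"
  mkdir -p "$(dirname "$file")"
  tmp="$(mktemp "$file.XXXXXX")"
  render_credentials_section "$1" "$2" "$3" > "$tmp"
  chmod 600 "$tmp"
  mv "$tmp" "$file"
}

# Obtain an MFA-authenticated session and store it.
# Arguments: mfa_serial_arn token_code [duration_seconds] [credentials_file]
refresh_mfa_session() {
  local mfa_serial token_code duration file out
  mfa_serial="$1"; token_code="$2"
  duration="${3:-28800}"; file="${4:-$HOME/.aws/credentials}"
  validate_token_code "$token_code" || return 1
  # The CLI reads ~/.aws/credentials before ~/.aws/config, and temporary
  # credentials cannot call GetSessionToken, so move the old session aside;
  # the long-term keys in ~/.aws/config are then used for this one call.
  if [ -f "$file" ]; then mv "$file" "$file.previous"; fi
  if ! out="$(aws sts get-session-token \
        --serial-number "$mfa_serial" \
        --token-code "$token_code" \
        --duration-seconds "$duration" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
        --output text)"; then
    echo "get-session-token failed; restoring previous credentials file" >&2
    if [ -f "$file.previous" ]; then mv "$file.previous" "$file"; fi
    return 1
  fi
  # --output text prints the four fields tab-separated on one line.
  set -- $out
  write_credentials_file "$1" "$2" "$3" "$file"
  rm -f "$file.previous"
  echo "session credentials written to $file (expire $4)"
}

# Usage when run directly (example ARN; substitute your own MFA device):
#   ./mfa-session.sh arn:aws:iam::<account-id>:mfa/<user> 123456 28800
if [ "$#" -ge 2 ]; then
  refresh_mfa_session "$@"
fi
```

The long-term access key never leaves ~/.aws/config; only the short-lived session keys are written to ~/.aws/credentials, and the file is created with mode 600 before it is moved into place. If the STS call fails (wrong code, clock drift, expired device), the previous session file is put back so role switching keeps working until the next successful refresh.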
Thank you for the prompt and detailed reply. I am stuck doing something else at the moment but your method sounds quite good. I will certainly give it a try.
Thanks :)
Resolved in #18 Release