AWS Profiles doesn't work with MFA set about qaz HOT 3 CLOSED

Hi Jonathan,

First off, thanks sooo much for trying Qaz and opening this issue, need all the feedback I can get :-)

Thanks for spotting this. This is one is definitely something that needs to be fixed. I'm currently working on version v0.52-beta, I'll add this to the list of bugs to fix.

In the meantime, I'll recommend an alternative solution. I work heavily with multiple accounts and roles in my day-to-day, I've found that specifying the mfa_serial in config can be a massive pain, as I need to re-enter my MFA code for each call. This can be a pain when you're dealing with over a dozen accounts with roles.

Solution

I normally override my MFA based default or source profiles with an MFA Authenticated Token. For example, here's my setup.

~/.aws/config

[profile default]
aws_secret_access_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
aws_access_key_id = "xxxxxxxxxxxxxxxxxxxx"
region = "eu-west-1"

[profile staging]
role_arn = "arn:aws:iam::999999999:role/staging"
source_profile = "default"

Note that this is the ~/.aws/config file, not the same as ~/.aws/credentials.

The staging role above does actually require MFA authentication via the source. So how I handle this is by using the following command.

$ aws sts get-session-token --serial-number arn:aws:iam::12345678910:mfa/jrudge --token-code <your 6-digit MFA code> --duration-seconds 28800

This command will return credentials and a session token which I store in my ~/.aws/credentials file.

~/.aws/credentials

[default]
aws_session_token = "xxxxxxxxxxxxxxxxxxxxxxxxxx"
aws_secret_access_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
aws_access_key_id = "xxxxxxxxxxxxxxxxxxxx"

So, what's actually happening. Well, the next time I try to switchrole to staging, instead of reading the credentials for the default profile in ~/.aws/config, it will use those in ~/.aws/credentials as source and assume the role that way. Since the credentials are already MFA authenticated for xx amount hours/seconds, it won't ask for an MFA code to assume the role.

It may seem like an odd hoop to jump through, however, note the --duration-seconds on the command above. This allows you to set the session for up to 24 hours. That'll be 24 hours without needing to re-enter your MFA key.

I recommend this method if you're working heavily with MFA authenticated Roles,

Note: You'll need to move your credentials from ~/aws/credentials to ~/.aws/config and only use the ~/.aws/credentials file for overriding credentials. Most AWS SDKs and the CLI tools look for credentials in the following order.

1. ENV Variables
2. ~/.aws/credentials
3. ~/.aws/config

--

Let me know if this helps at all.

And thanks again for creating this issue, I'll have this bug fixed soon.

Best,

Shaun

from qaz.

Thank you for the prompt and detailed reply. I am stuck doing something else at the moment but your method sounds quite good. I will certainly give it a try.

Thanks :)

from qaz.

Resolved in #18 Release

from qaz.