mfa_process not working with aws cli commands

mleone87 commented 1 year ago

[X] I am using the latest release of AWS Vault
[X] I have provided my .aws/config (redacted if necessary)
[X] I have provided the debug output using aws-vault --debug (redacted if necessary)

I have this simple config

[default]
region=eu-west-3
output=json
mfa_serial=myserial
credential_process=aws-vault export --format=json --no-session --debug default
mfa_process=pass otp myotp

[profile profile1]
role_arn=myrole
mfa_process=pass otp myotp
mfa_serial=myserial
source_profile=default

pass is the backend via ENV variable pass otp is otp provider and it works called by itself

I expect to be able to run aws s3 ls --profile profile1 but OTP prompt is asked

My tests so far:

aws-vault exec profile1 -- aws s3 ls works aws s3 ls --profile profile1 asks for MFA

aws exec default -- aws s3 ls works aws s3 ls works

aws-vault exec profile1 -- aws s3 ls command output for reference

aws-vault exec profile1 --debug -- aws s3 ls
2023/04/21 10:18:51 aws-vault 7.2.0-Homebrew
2023/04/21 10:18:51 Using prompt driver: terminal
2023/04/21 10:18:51 Loading config file /Users/***/.aws/config
2023/04/21 10:18:51 Parsing config file /Users/***/.aws/config
2023/04/21 10:18:51 [keyring] Considering backends: [pass]
2023/04/21 10:18:51 profile staging: sourcing credentials from profile default
2023/04/21 10:18:51 profile default: using stored credentials
2023/04/21 10:18:51 profile default: using GetSessionToken (with MFA)
2023/04/21 10:18:51 profile staging: using AssumeRole (chained MFA)
2023/04/21 10:18:51 Setting subprocess env: AWS_REGION=eu-west-3, AWS_DEFAULT_REGION=eu-west-3
2023/04/21 10:18:51 Executing mfa_process
2023/04/21 10:18:51 Looking up keyring for 'default'
2023/04/21 10:18:52 Generated credentials ******************** using GetSessionToken, expires in 7h59m59.591003s
2023/04/21 10:18:52 Generated credentials ******************** using AssumeRole, expires in 59m59.316593s
2023/04/21 10:18:52 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2023/04/21 10:18:52 Setting subprocess env: AWS_SESSION_TOKEN
2023/04/21 10:18:52 Setting subprocess env: AWS_CREDENTIAL_EXPIRATION
2023/04/21 10:18:52 Exec command aws s3 ls
2023/04/21 10:18:52 Found executable /opt/homebrew/bin/aws

edentsai commented 1 year ago

because mfa_process is an custom option designed by aws-vault, see https://github.com/99designs/aws-vault/pull/1006#issuecomment-1290805875
aws CLI doesn't support mfa_process: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html

edentsai commented 1 year ago

According to USAGE.md: Using credential_process:

Note that credential_process is designed for retrieving master credentials, while aws-vault outputs STS credentials by default. If a role is present, the AWS CLI/SDK uses the master credentials from the credential_process to generate STS credentials itself. So depending on your use-case, it might make sense for aws-vault to output master credentials by using a profile without a role and the --no-session argument. For example:
[profile jon]
credential_process = aws-vault export --no-session --format=json jon

[profile work]
mfa_serial = arn:aws:iam::123456789012:mfa/jonsmith
role_arn = arn:aws:iam::33333333333:role/role2
source_profile = jon

here is an example to make aws s3 ls --profile profile1 works with aws-vault and mfa_process:

  [default]
  region=eu-west-3
  output=json
  mfa_serial=myserial
  credential_process=aws-vault export --format=json --no-session --debug default
  mfa_process=pass otp myotp

- [profile profile1]
+ [profile profile1:credential]
  role_arn=myrole
  mfa_process=pass otp myotp
  mfa_serial=myserial
  source_profile=default

+ [profile profile1]
+ credential_process = aws-vault export --format=json --no-session --debug "profile1:credential"

edentsai commented 1 year ago

After a few of experiments, i noticed the problem is caused by AWS SDK when the profile contains role_arn option:

Run aws --profile profile1 ... works when the profile1 not contains role_arn:

  [profile profile1]
-  role_arn = myrole
  mfa_serial = myserial
  mfa_process = pass otp myotp
  credential_process = aws-vault export --format=json --no-session --debug default

Run aws --profile profile1 ... will asks a MFA token when the profile1 contains role_arn:

  [profile profile1]
+ role_arn = myrole
  mfa_serial = myserial
  mfa_process = pass otp myotp
  credential_process = aws-vault export --format=json --no-session --debug default

I guess when AWS CLI SDK read a profile contains role_arn option, it use a difference behavior to ask a MFA token by itself (AWS CLI SDK). the MFA token prompt is not asked by credential_process = aws-vault export ... or aws-vault.

my previous comment has a workaround solution by separate role_arn and credential_process in difference profiles to make it works correctly:

- [profile profile1]
+ [profile profile1:credential]
  role_arn=myrole
  mfa_process=pass otp myotp
  mfa_serial=myserial
  source_profile=default

+ [profile profile1]
+ credential_process = aws-vault export --format=json --no-session --debug "profile1:credential"

github-actions[bot] commented 11 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

99designs / aws-vault

mfa_process not working with aws cli commands #1204