search

99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments
MIT License
8.52k stars 821 forks source link

use MFA config of SourceProfile #1249

Closed f1r3er closed 3 months ago

f1r3er commented 3 months ago

My profile file:

[profile root]
mfa_serial=arn:aws-cn:iam::xxxxxxxxxxxx:mfa/mfa
region=cn-north-1
credential_process=aws-vault export --prompt=osascript --format=json root

[profile work]
role_arn = arn:aws-cn:iam::xxxxxxxxxxxx:role/to-assume
region=cn-north-1
source_profile = root

then I run:

av login work -s --debug

I got error:

2024/07/24 15:24:30 profile root: skipping GetSessionToken because profile 'work' has no MFA serial defined
...
2024/07/24 15:24:30 [keyring] Found item "aws-vault (root)"
aws-vault: error: login: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: 392da53b-2cc1-43dc-ac66-e8e0bed4ed84, api error AccessDenied: User: arn:aws-cn:iam::xxxxxxxxxx:user/mfa is not authorized to perform: sts:AssumeRole on resource: arn:aws-cn:iam::xxxxxxxxxx:role/to-assume

I think profile 'work' should use MFA config of profile 'root' . just like awscli.

➜ aws sts get-caller-identity --profile work --no-cli-pager
Enter MFA code for arn:aws-cn:iam::xxxxxxxxxx:mfa/mfa: