Closed m-radzikowski closed 3 years ago
Hi @m-radzikowski, thanks for reaching out to us! When generating credentials for a plain account, under the hood we call STS's get-session-token API, through which we generate short-term credentials that come with some limitations (if MFA information is not included in the request), as described in this link. In particular, I want to highlight a statement:
The temporary security credentials created by GetSessionToken can be used to make API calls to any AWS service with the following exceptions: You cannot call any IAM API operations unless MFA authentication information is included in the request. You cannot call any STS API except AssumeRole or GetCallerIdentity.
To test if it behaves like described in the docs, try to set up MFA for the specific IAM User; remember to add the MFA device in the plain account configuration, otherwise Leapp will not ask you for the MFA token before generating short-term credentials.
I hope it makes sense now. I will leave this issue open until you confirm this behavior. If you think this needs further investigation, please let us know. In the meantime, thank you very much for your support!
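The check requested above, as an added reproduction script that is not Leapp's code and not part of the original thread: it obtains GetSessionToken credentials with or without MFA, exports them, and then runs the two calls from the report (`sts get-caller-identity`, which should succeed either way, and `iam list-roles`, which should be denied when no MFA information was sent). It assumes AWS CLI v2 on the PATH and long-term IAM user keys in the default profile or environment; the embedded JSON is a constructed sample using AWS documentation placeholder values, and the MFA serial ARN in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not Leapp's code): reproduce the GetSessionToken limitation
# with the AWS CLI. Assumes AWS CLI v2 and long-term IAM user credentials
# available via the default profile or AWS_* environment variables.
set -u

# Constructed sample of what `aws sts get-session-token` prints
# (values are AWS documentation placeholders, not real credentials).
SAMPLE_JSON='{
    "Credentials": {
        "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "FwoGZXIvYXdzEXAMPLE",
        "Expiration": "2021-01-01T12:00:00+00:00"
    }
}'

# json_field NAME JSON -> string value of "NAME". Relies on the CLI's
# pretty-printed output, which puts one key per line.
json_field() {
    printf '%s\n' "$2" | sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# aws_env_from_json JSON -> three `export` lines for the temporary credentials,
# suitable for `eval`. Values are single-quoted so token characters stay intact.
aws_env_from_json() {
    printf "export AWS_ACCESS_KEY_ID='%s'\n" "$(json_field AccessKeyId "$1")"
    printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$(json_field SecretAccessKey "$1")"
    printf "export AWS_SESSION_TOKEN='%s'\n" "$(json_field SessionToken "$1")"
}

# get_session_token [MFA_SERIAL TOKEN_CODE] -> STS JSON response.
# With two arguments the MFA device and current code are included, which is
# what lifts the IAM API restriction described in the docs.
get_session_token() {
    if [ "$#" -eq 2 ]; then
        aws sts get-session-token --duration-seconds 900 \
            --serial-number "$1" --token-code "$2" --output json
    else
        aws sts get-session-token --duration-seconds 900 --output json
    fi
}

# probe [MFA_SERIAL TOKEN_CODE]: run the two calls from the bug report under
# the short-term credentials and show which one is denied.
probe() {
    json=$(get_session_token "$@") || return 1
    eval "$(aws_env_from_json "$json")"
    echo "== sts get-caller-identity (works with or without MFA)"
    aws sts get-caller-identity
    echo "== iam list-roles (AccessDenied expected when MFA was not supplied)"
    aws iam list-roles --max-items 1
}

# Only run the live probe when explicitly asked, so sourcing the file is safe.
case "${1-}" in
    probe) shift; probe "$@" ;;
esac
```

Run `sh probe.sh probe` for the no-MFA case and `sh probe.sh probe arn:aws:iam::123456789012:mfa/my-user 123456` (placeholder serial and code) for the MFA case; the IAM call should fail only in the first run.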
Damn, I was looking in the AWS docs but did not find it. Thank you! Enabling MFA in fact helps (also to protect my account).
We will add this precious FAQ to the Wiki.
Added under the security section
Hi everyone!
Since we've added the proper documentation section in the wiki, I consider this issue closed. Let me know if it does not make sense to you.
Describe the bug
I have a private AWS account for which I use a user access key + secret key. This user has the `AdministratorAccess` policy attached. I've added it to Leapp as an AWS account with the "plain" auth method, and provided credentials. When I activate this account, I get a correct response for `aws sts get-caller-identity` with my user ARN. But some commands fail. When I try to execute `aws iam list-roles` or `aws iam get-role`, I'm getting:

When I set the same access key + secret key in the `.aws/credentials` file manually, both those commands work correctly. Interestingly, this does not occur on the accounts to which I connect with another, truster account (through another federated account with SSO).
I know that Leapp generates temporary access credentials instead of putting the raw access key + secret key in the config. I looked briefly into the commands and code and did not find anything that would justify the limited access at first glance.
To Reproduce
Steps to reproduce the behavior:
Run `aws iam list-roles` from the CLI

Expected behavior
Assumed role should have all the access the normal role has.
Desktop (please complete the following information):
Additional context
This problem is a deal-breaker because the Serverless Framework / CloudFormation uses those calls when deploying a Lambda function and its Role.