aws-containers / amazon-ecs-exec-checker

🚀 Pre-flight checks for ECS Exec
MIT No Attribution

Support using MFA devices for AWS CLI commands #28

Closed toricls closed 3 years ago

toricls commented 3 years ago

This PR implements MFA support for AWS CLI commands and closes #27 🚀

It reads the AWS CLI configuration (by aws configure get mfa_serial) to detect if it needs an MFA code to proceed. The script also accepts an environment variable AWS_MFA_SERIAL to set the ARN of the MFA device, instead of the AWS CLI configuration.

Try it with AWS_PROFILE=<your-profile-here> bash <( curl -Ls https://raw.githubusercontent.com/toricls/amazon-ecs-exec-checker/support-mfa/check-ecs-exec.sh ) <ecs-cluster-name> <ecs-task-id>.
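As an added example, not code from this PR or from the checker itself, the detection the description sketches can be reduced to a small set of shell functions: resolve the MFA device ARN from AWS_MFA_SERIAL first and from the profile's mfa_serial otherwise, then pick the STS call by whether the profile assumes a role. The split matters because STS refuses GetSessionToken when the caller already holds temporary credentials, and a profile with role_arn produces exactly those (the CLI prompts for the code and calls AssumeRole on its own), so only long-term keys should go through GetSessionToken. The pure-shell config reader, the function names and the export_mfa_credentials wrapper are assumptions for illustration; the AWS CLI flags used are the documented ones.

```shell
#!/usr/bin/env bash
# Added example, not the checker's own code. Assumes the standard AWS config
# layout ("[default]" / "[profile NAME]" sections) at
# ${AWS_CONFIG_FILE:-$HOME/.aws/config}.

# Read one key from a profile section in pure shell, so it works without the
# AWS CLI. Usage: config_get PROFILE KEY FILE -> prints the value, exit 1 if absent.
config_get() {
  profile=$1; key=$2; file=$3
  [ -r "$file" ] || return 1
  if [ "$profile" = default ]; then header="[default]"; else header="[profile $profile]"; fi
  awk -v hdr="$header" -v key="$key" '
    /^[ \t]*\[/ { h = $0; gsub(/^[ \t]+|[ \t]+$/, "", h); in_sec = (h == hdr); next }
    in_sec && index($0, "=") {
      eq = index($0, "="); k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; found = 1; exit }
    }
    END { exit found ? 0 : 1 }
  ' "$file"
}

# MFA device ARN: AWS_MFA_SERIAL wins, otherwise the profile's mfa_serial
# (the same value the checker reads with `aws configure get mfa_serial`).
resolve_mfa_serial() {
  if [ -n "${AWS_MFA_SERIAL:-}" ]; then printf '%s\n' "$AWS_MFA_SERIAL"; return 0; fi
  config_get "$1" mfa_serial "$2"
}

# Which STS path fits this profile? Prints one of:
#   none              - no MFA device configured
#   assume-role       - role_arn present: the CLI prompts for the code and calls
#                       AssumeRole itself; a GetSessionToken call on top of those
#                       session credentials is what STS rejects
#   get-session-token - long-term keys: GetSessionToken with the code is valid
mfa_strategy() {
  resolve_mfa_serial "$1" "$2" >/dev/null || { echo none; return 0; }
  if config_get "$1" role_arn "$2" >/dev/null; then echo assume-role; else echo get-session-token; fi
}

# Hypothetical wrapper: only this function touches the AWS CLI.
export_mfa_credentials() {
  profile=$1; file=${AWS_CONFIG_FILE:-$HOME/.aws/config}
  case $(mfa_strategy "$profile" "$file") in
    none|assume-role)
      # Nothing to do, or the CLI handles the MFA prompt during AssumeRole.
      return 0 ;;
    get-session-token)
      serial=$(resolve_mfa_serial "$profile" "$file")
      printf 'MFA code for %s: ' "$serial"; read -r code
      creds=$(aws --profile "$profile" sts get-session-token \
                --serial-number "$serial" --token-code "$code" \
                --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
                --output text) || return 1
      # Tab-separated text output: AccessKeyId SecretAccessKey SessionToken
      set -- $creds
      export AWS_ACCESS_KEY_ID=$1 AWS_SECRET_ACCESS_KEY=$2 AWS_SESSION_TOKEN=$3 ;;
  esac
}
```

Source the file and call `export_mfa_credentials "$AWS_PROFILE"` before running the checker; for an assume-role profile it deliberately does nothing, leaving the single MFA prompt to the CLI, which avoids the double prompt and the GetSessionToken error seen in the thread.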

deleugpn commented 3 years ago

I'm not sure if I'm missing something

sh-4.2# AWS_PROFILE=customergauge_dta sh check-ecs-exec.sh Fargate 95c18c8a48e847dc94cdab124302e191
-------------------------------------------------------------
Prerequisites for check-ecs-exec.sh v0.5
-------------------------------------------------------------
  jq      | OK (/usr/bin/jq)
  AWS CLI | OK (/usr/local/bin/aws)

Type your MFA code from "arn:aws:iam::############:mfa/marco.deleu": 00000
Enter MFA code for arn:aws:iam::############:mfa/marco.deleu:

An error occurred (AccessDenied) when calling the GetSessionToken operation: Cannot call GetSessionToken with session credentials

Notice how I got asked twice: for the first one the numbers are visible, and for the 2nd one they're not.

toricls commented 3 years ago

Thanks @deleugpn for checking!

I'm still not sure about the cause of the error, but could you run that again with the following command to make sure you're using the latest script?

AWS_PROFILE=customergauge_dta bash <( curl -Ls https://raw.githubusercontent.com/toricls/amazon-ecs-exec-checker/support-mfa/check-ecs-exec.sh ) Fargate 95c18c8a48e847dc94cdab124302e191

deleugpn commented 3 years ago

That command seems to be broken for me, so I used that link to download the file and run it.

sh-4.2# AWS_PROFILE=customergauge_dta bash <( curl -Ls https://raw.githubusercontent.com/toricls/amazon-ecs-exec-checker/support-mfa/check-ecs-exec.sh ) Fargate 95c18c8a48e847dc94cdab124302e191
sh: syntax error near unexpected token `('
sh-4.2#
sh-4.2#
sh-4.2# curl https://raw.githubusercontent.com/toricls/amazon-ecs-exec-checker/support-mfa/check-ecs-exec.sh > check-ecs-exec.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 27104  100 27104    0     0   199k      0 --:--:-- --:--:-- --:--:--  197k
sh-4.2# chmod 777 check-ecs-exec.sh
sh-4.2# AWS_PROFILE=customergauge_dta sh check-ecs-exec.sh Fargate 95c18c8a48e847dc94cdab124302e191
-------------------------------------------------------------
Prerequisites for check-ecs-exec.sh v0.5
-------------------------------------------------------------
  jq      | OK (/usr/bin/jq)
  AWS CLI | OK (/usr/local/bin/aws)

Type your MFA code from "arn:aws:iam::##########:mfa/marco.deleu": 000000
Enter MFA code for arn:aws:iam::::##########:mfa/marco.deleu:

An error occurred (AccessDenied) when calling the GetSessionToken operation: Cannot call GetSessionToken with session credentials

toricls commented 3 years ago

Thank you! I fixed an issue where the script couldn't handle an MFA + AssumeRole case correctly, so I hope it works this time! 🙏

deleugpn commented 3 years ago

Awesome! This seems to work great!