aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

CLI: Not prompting for MFA code with AWS_PROFILE envar after CDK v2.167.0 / SDK v3 #32312

Open bwg opened 16 hours ago

bwg commented 16 hours ago

Describe the bug

When using an IAM profile/role that requires multi-factor authentication in the AWS_PROFILE envar, the CDK CLI is not prompting for the MFA code, resulting in a missing credentials error.

[09:26:47] Error: Need to perform AWS calls for account ***, but no credentials have been configured

Regression Issue

Last Known Working CDK Version

2.166

Expected Behavior

The CDK CLI should prompt for an MFA code when a profile that requires MFA is set in the AWS_PROFILE envar.

Current Behavior

The CDK CLI is unable to prompt because it does not have an MFA callback handler:

[09:49:12] Resolving default credentials
[09:49:12] Unable to determine the default AWS account (CredentialsProviderError): Profile *** requires multi-factor authentication, but no MFA code callback was provided.

Reproduction Steps

In ~/.aws/.config, create a profile that requires MFA:

[profile mfa-test]
duration_seconds = 43200
mfa_serial = arn:aws:iam::***:mfa/***
output = json
region = us-east-1
role_arn = arn:aws:iam::***:role/***
source_profile = ***

Then export that profile to the AWS_PROFILE envar:

> export AWS_PROFILE=mfa-test

Now run any cdk command that performs AWS calls:

> cdk bootstrap
 ⏳  Bootstrapping environment aws://***/us-east-1...
 ❌  Environment aws://***/us-east-1 failed bootstrapping: Error: Need to perform AWS calls for account ***, but no credentials have been configured

Possible Solution

No response

Additional Information/Context

Passing the --profile argument to the CDK CLI does prompt for MFA credentials:

> cdk bootstrap --profile=infra
MFA token for arn:aws:iam::***:mfa/***: 

The logs when using --profile:

[10:29:07] Resolving default credentials
[10:29:07] Require MFA token for serial ARN arn:aws:iam::***:mfa/***

vs. logs when using AWS_PROFILE

[09:49:12] Resolving default credentials
[09:49:12] Unable to determine the default AWS account (CredentialsProviderError): Profile *** requires multi-factor authentication, but no MFA code callback was provided.

When using AWS_PROFILE, the log message does identify the correct profile.

CDK CLI Version

2.171.0 (build 4957967)

Framework Version

No response

Node.js Version

v20.12.2

OS

MacOS

Language

TypeScript

Language Version

No response

Other information

No response
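
A pre-flight check for the situation this issue describes, as an added example (it is not aws-cdk code and not from the reporter): it parses shared-config text, works out which profile is in effect from `--profile` or `AWS_PROFILE`, and reports when an `mfa_serial` profile is selected only through the environment variable. The function names, verdict strings, sample config, and the rule that `mfa_serial` anywhere along the `source_profile` chain counts are assumptions of this example.

```typescript
type Profiles = { [name: string]: { [key: string]: string } };
type Env = { [key: string]: string | undefined };
// Parse AWS shared config text; sections are "[default]" or "[profile NAME]".
function parseAwsConfig(text: string): Profiles {
  const profiles: Profiles = Object.create(null);
  let current: string | null = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line[0] === "#" || line[0] === ";") continue;
    const header = line.match(/^\[(?:profile\s+)?([^\]]+)\]$/);
    const eq = line.indexOf("=");
    if (header) {
      current = header[1].trim();
      profiles[current] = {};
    } else if (current !== null && eq > 0) {
      profiles[current][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
    }
  }
  return profiles;
}

// Value of --profile, given as "--profile=x" or "--profile x", if present.
function profileFromArgs(argv: string[]): string | undefined {
  for (let i = 0; i < argv.length; i++) {
    if (argv[i].indexOf("--profile=") === 0) return argv[i].slice("--profile=".length);
    if (argv[i] === "--profile") return argv[i + 1];
  }
  return undefined;
}

// "mfa-with-flag": MFA profile named by --profile (prompts, per the report).
// "mfa-env-only": MFA profile chosen only via AWS_PROFILE (fails, per the report).
function checkMfaSelection(config: string, env: Env, argv: string[]): string {
  const profiles = parseAwsConfig(config);
  const flag = profileFromArgs(argv);
  let name: string | undefined = flag !== undefined ? flag : env.AWS_PROFILE || "default";
  const seen: { [name: string]: boolean } = Object.create(null);
  let needsMfa = false;
  while (name !== undefined && profiles[name] !== undefined && !seen[name]) {
    seen[name] = true; // guards against source_profile cycles
    if (profiles[name].mfa_serial) needsMfa = true; // assumption: whole chain counts
    name = profiles[name].source_profile;
  }
  if (!needsMfa) return "ok";
  return flag !== undefined ? "mfa-with-flag" : "mfa-env-only";
}
// Constructed sample config; the account id and names are placeholders.
const SAMPLE_CONFIG = "[default]\nregion = us-east-1\n[profile mfa-test]\n" +
  "mfa_serial = arn:aws:iam::111122223333:mfa/example-user\nsource_profile = default\n";
```

A wrapper script can call `checkMfaSelection` with the real config text, environment and argument list, and add `--profile` explicitly when the verdict is `mfa-env-only`.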

ashishdhingra commented 14 hours ago

PR #32313 pending merge.