search

aws / aws-cli

Universal Command Line Interface for Amazon Web Services
Other
15.54k stars 4.12k forks source link

Support mfa without assume role. #1985

Open glennpratt opened 8 years ago

glennpratt commented 8 years ago

Given the following profile:

[profile test]
region = us-east-1
mfa_serial = arn:aws:iam::012345678901:mfa/glennpratt

aws-cli never asks for an MFA token and I don't receive IAM permissions granted to MFA users. Here's the policy:

{  
    "Version":"2012-10-17",
    "Statement":[  
        {  
            "Condition":{  
                "NumericLessThan":{  
                    "aws:MultiFactorAuthAge":"43200"
                }
            },
            "Action":"*",
            "Resource":"*",
            "Effect":"Allow"
        }
    ]
}

And the error:

aws iam create-access-key --profile test --user glenn.pratt

A client error (AccessDenied) occurred when calling the CreateAccessKey operation: User: arn:aws:iam::012345678901:user/glennpratt is not authorized to perform: iam:CreateAccessKey on resource: user glennpratt

If I add a role_arn, then aws-cli asks for an MFA token and assumes role, but we want to grant user permissions without assuming a role.

jamesls commented 8 years ago

Marking as a feature request. The CLI currently does not support this, but it would be nice to have.

ksperling commented 7 years ago

Those waiting for this feature might want to have a look at https://github.com/lonelyplanet/aws-mfa (unfortunately it seems unmaintained).

One feature I would particularly like in this context is to be able to spawn a sub-shell via a command like aws shell such that the temporary credentials are only cached in the environment of that shell process rather than written to disk. This feature would also be beneficial in the context of assume role.

ksperling commented 7 years ago

I've implemented a shell script called aws-session that prompts for MFA credentials and makes them available in an interactive shell (think sudo -s for AWS).

At the moment it only supports STS GetSessionToken, but I may add AssumeRole support as well. One difference compared to the native AssumeRole support in the CLI is that the temporary credentials (intentionally) do not get persisted, so they can easily be discarded just by closing the shell.

pwaller commented 7 years ago

I've also written something called aws-creds which caches credentials (or can be used to invoke a shell with the credentials in it) and also supports AssumeRole. I think there are a few of these out there, I already know two other organisations which have their own scripts for doing this. It would be great to see this implemented in the official tooling.

ASayre commented 6 years ago

Good Morning!

We're closing this issue here on GitHub, as part of our migration to UserVoice for feature requests involving the AWS CLI.

This will let us get the most important features to you, by making it easier to search for and show support for the features you care the most about, without diluting the conversation with bug reports.

As a quick UserVoice primer (if not already familiar): after an idea is posted, people can vote on the ideas, and the product team will be responding directly to the most popular suggestions.

We’ve imported existing feature requests from GitHub - Search for this issue there!

And don't worry, this issue will still exist on GitHub for posterity's sake. As it’s a text-only import of the original post into UserVoice, we’ll still be keeping in mind the comments and discussion that already exist here on the GitHub issue.

GitHub will remain the channel for reporting bugs.

Once again, this issue can now be found by searching for the title on: https://aws.uservoice.com/forums/598381-aws-command-line-interface

-The AWS SDKs & Tools Team

This entry can specifically be found on UserVoice at: https://aws.uservoice.com/forums/598381-aws-command-line-interface/suggestions/33168322-support-mfa-without-assume-role

salmanwaheed commented 6 years ago

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a temporary error. The following address(es) deferred:

mkdirenv@gmail.com Domain salmanwaheed.info has exceeded the max emails per hour (186/150 (124%)) allowed. Message will be reattempted later

------- This is a copy of the message, including all the headers. ------ Received: from o8.sgmail.github.com ([167.89.101.199]:57580) by box1177.bluehost.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.89_1) (envelope-from bounces+848413-a7b0-hello=salmanwaheed.info@sgmail.github.com) id 1ej0RO-001c37-GQ for hello@salmanwaheed.info; Tue, 06 Feb 2018 03:25:31 -0700 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=github.com; h=from:reply-to:to:cc:in-reply-to:references:subject:mime-version:content-type:content-transfer-encoding:list-id:list-archive:list-post:list-unsubscribe; s=s20150108; bh=Fr89r4On8a1r6VY5SkJJNwy4Nx8=; b=toumNFHfeuc5+40X sUQLSduCNXTGyvYwL6pVxwTn5ZiEweoerDvNTBBec6XbIR2eutBHKSq+qFqrAcap 2fQ30GzuVgK5cgSjJYeTLXb2SvvdgVxYxqFI/gGRc5Usv4jFk4MQiQsIgZJbxuw5 D5sAFggmG2AzkhUlLX0SyxJptf8= Received: by filter0035p1las1.sendgrid.net with SMTP id filter0035p1las1-16682-5A79828F-1A 2018-02-06 10:25:19.672583041 +0000 UTC Received: from github-smtp2a-ext-cp1-prd.iad.github.net (github-smtp2a-ext-cp1-prd.iad.github.net [192.30.253.16]) by ismtpd0014p1iad2.sendgrid.net (SG) with ESMTP id ewEZaVmDRJ-aYMm9WnWRPA for hello@salmanwaheed.info; Tue, 06 Feb 2018 10:25:19.573 +0000 (UTC) Date: Tue, 06 Feb 2018 10:25:19 +0000 (UTC) From: Andre Sayre notifications@github.com Reply-To: aws/aws-cli reply@reply.github.com To: aws/aws-cli aws-cli@noreply.github.com Cc: Subscribed subscribed@noreply.github.com Message-ID: aws/aws-cli/issue/1985/issue_event/1459793603@github.com In-Reply-To: aws/aws-cli/issues/1985@github.com References: aws/aws-cli/issues/1985@github.com Subject: Re: [aws/aws-cli] Support mfa without assume role. (#1985) Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="--==_mimepart_5a79828f6a3bb_49492ac7ff27eed4410170"; charset=UTF-8 Content-Transfer-Encoding: 7bit Precedence: list X-GitHub-Sender: ASayre X-GitHub-Recipient: salmanwaheed X-GitHub-Reason: subscribed List-ID: aws/aws-cli List-Archive: https://github.com/aws/aws-cli List-Post: mailto:reply@reply.github.com List-Unsubscribe: mailto:unsub+00ef1b38942a318fc72318f5914b2406e7a5c04402e65e0092cf000000011691448f92a169ce094c45b3@reply.github.com, https://github.com/notifications/unsubscribe/AO8bODX4v_faMmuIp_OVmAUccpS9fzY5ks5tSCiPgaJpZM4IjU3M X-Auto-Response-Suppress: All X-GitHub-Recipient-Address: hello@salmanwaheed.info X-SG-EID: 92ws1MVnlto3blxqXlf5goB0ee0kdDGWR6vcWx8d64/8pOhCcaPkq+rGtzL9C9I6BNj9+S4t9ZKdXQ SvQf8sFgO9hRFhatpRlEX55HtHVJk/e5l+F0h1xp42Bu9hOU2lvGQ6mZ1ZnyDI7E/qE6i98fMF50dF HrWm5yGoYIgAbgX8ZL2zqrgHEcP6iZN8v4sb0hr3Nr1Nebm47kD09amqJ8VtA92CLkStJGqDm8nGWA I= X-Spam-Status: No, score=-0.4 X-Spam-Score: -3 X-Spam-Bar: / X-Ham-Report: Spam detection software, running on the system "box1177.bluehost.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root\@localhost for details.

Content preview: Closed aws/aws-cli#1985. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/aws/aws-cli/issues/1985#event-1459793603 Closed aws/aws-cli#1985. [...]

Content analysis details: (-0.4 points, 5.0 required)

pts rule name description

0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: github.com] -0.5 SPF_PASS SPF: sender matches SPF record -1.0 RCVD_IN_MSPIKE_H4 RBL: Very Good reputation (+4) [167.89.101.199 listed in wl.mailspike.net] -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain 0.0 HTML_MESSAGE BODY: HTML included in message 0.7 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 2.5 DCC_CHECK No description available. -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.8 RCVD_IN_MSPIKE_WL Mailspike good senders -1.2 AWL AWL: Adjusted score from AWL reputation of From: address X-Spam-Flag: NO

----==_mimepart_5a79828f6a3bb_49492ac7ff27eed4410170 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit

Closed aws/aws-cli#1985.

-- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/aws/aws-cli/issues/1985#event-1459793603 ----==_mimepart_5a79828f6a3bb_49492ac7ff27eed4410170 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 7bit

Closed #1985.


You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.

----==_mimepart_5a79828f6a3bb_49492ac7ff27eed4410170--

salmanwaheed commented 6 years ago

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a temporary error. The following address(es) deferred:

mkdirenv@gmail.com Domain salmanwaheed.info has exceeded the max emails per hour (187/150 (124%)) allowed. Message will be reattempted later

------- This is a copy of the message, including all the headers. ------ ------ The body of the message is 6170 characters long; only the first ------ 5000 or so are included here. Received: from github-smtp2-ext6.iad.github.net ([192.30.252.197]:60912 helo=github-smtp2b-ext-cp1-prd.iad.github.net) by box1177.bluehost.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89_1) (envelope-from noreply@github.com) id 1ej0RR-001c3U-9t for hello@salmanwaheed.info; Tue, 06 Feb 2018 03:25:33 -0700 Date: Tue, 06 Feb 2018 02:25:21 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1517912721; bh=F4Z/NdKuUHKikHp3+zaJPlQHGZiJ4WDvS4uXRxMSE9g=; h=From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=Q2NdxaajIIOP9c88o9Ln3Jwp0WrRFsVU2Ektsz4uHoHqNdxq+i5gMV2uKibxOX19L mg86yb1gQk+DFaEaMDc3ipr8m3XEz/p0Vy3m9UxxscvfgQmMNPGrLzm7ZWvdoJfF3n Uk8iy1e8O+Pn21zBMPiVfUSSDGY2w9SlQJdQMJiA= From: Andre Sayre notifications@github.com Reply-To: aws/aws-cli reply@reply.github.com To: aws/aws-cli aws-cli@noreply.github.com Cc: Subscribed subscribed@noreply.github.com Message-ID: aws/aws-cli/issues/1985/363378537@github.com In-Reply-To: aws/aws-cli/issues/1985@github.com References: aws/aws-cli/issues/1985@github.com Subject: Re: [aws/aws-cli] Support mfa without assume role. (#1985) Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="--==_mimepart_5a798291ac224_458b3ff55d8f4f3450895c"; charset=UTF-8 Content-Transfer-Encoding: 7bit Precedence: list X-GitHub-Sender: ASayre X-GitHub-Recipient: salmanwaheed X-GitHub-Reason: subscribed List-ID: aws/aws-cli List-Archive: https://github.com/aws/aws-cli List-Post: mailto:reply@reply.github.com List-Unsubscribe: mailto:unsub+00ef1b3806a67678faf26f0a785048b727ee591e85d9594592cf000000011691449192a169ce094c45b3@reply.github.com, https://github.com/notifications/unsubscribe/AO8bOKRhA1vUJ4SDb1X6vZjhZ_VZMP7gks5tSCiRgaJpZM4IjU3M X-Auto-Response-Suppress: All X-GitHub-Recipient-Address: hello@salmanwaheed.info X-Spam-Status: No, score=-1.1 X-Spam-Score: -10 X-Spam-Bar: - X-Ham-Report: Spam detection software, running on the system "box1177.bluehost.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root\@localhost for details.

Content preview: Good Morning! We're closing this issue here on GitHub, as part of our migration to UserVoice for feature requests involving the AWS CLI. [...]

Content analysis details: (-1.1 points, 5.0 required)

pts rule name description

0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: uservoice.com] -0.5 SPF_PASS SPF: sender matches SPF record 0.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.5 AWL AWL: Adjusted score from AWL reputation of From: address X-Spam-Flag: NO

----==_mimepart_5a798291ac224_458b3ff55d8f4f3450895c Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

Good Morning!

We're closing this issue here on GitHub, as part of our migration to Use= rVoice for feature requests involving the AWS CLI.

This will let us get the most important features to you, by making it eas= ier to search for and show support for the features you care the most abo= ut, without diluting the conversation with bug reports.

As a quick UserVoice primer (if not already familiar): after an idea is p= osted, people can vote on the ideas, and the product team will be respond= ing directly to the most popular suggestions.

We=E2=80=99ve imported existing feature requests from GitHub - Search for= this issue there!

And don't worry, this issue will still exist on GitHub for posterity's sa= ke. As it=E2=80=99s a text-only import of the original post into UserVoi= ce, we=E2=80=99ll still be keeping in mind the comments and discussion th= at already exist here on the GitHub issue.

GitHub will remain the channel for reporting bugs. =

Once again, this issue can now be found by searching for the title on: ht= tps://aws.uservoice.com/forums/598381-aws-command-line-interface =

-The AWS SDKs & Tools Team

-- =

You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/aws/aws-cli/issues/1985#issuecomment-363378537=

----==_mimepart_5a798291ac224_458b3ff55d8f4f3450895c Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

Good Morning!

We're closing this issue here on GitHub, as part of our migration to <= a href=3D"https://aws.uservoice.com/forums/598381-aws-command-line-interf= ace" rel=3D"nofollow">UserVoice for feature requests involving the AW= S CLI.

This will let us get the most important features to you, by making it = easier to search for and show support for the features you care the most = about, without diluting the conversation with bug reports.

As a quick UserVoice primer (if not already familiar): after an idea i= s posted, people can vote on the ideas, and the product team will be resp= onding directly to the most popular suggestions.

We=E2=80=99ve imported existing feature requests from GitHub - Search = for this issue there!

And don't worry, this issue will still exist on GitHub for posterity's= sake. As it=E2=80=99s a text-only import of the original post into User= Voice, we=E2=80=99ll still be keeping in mind the comments and discussion= that already exist here on the GitHub issue.

GitHub will remain the channel for reporting bugs.

Once again, this issue can now be found by searching for the title on:= https://aws.uservoice.com/forums/598381-aws-comma= nd-line-interface

-The AWS SDKs & Tools Team

<p style=3D"font-size:small;-webkit-text-size-adjust:none;color:#666;">&m= dash;
You are receiving this because you are subscribed to this thre= ad.
Reply to this email directly, <a href=3D"https://github.com/aws/= aws-cli/issues/1985#issuecomment-363378537">view it on GitHub, or <a = href=3D"https://github.com/notifications/unsubscribe-auth/AO8bOMlWpV1dKXK= SizUST3b5uTzkSIgnks5tSCiRgaJpZM4IjU3M">mute the thread.<img alt=3D"" = height=3D"1" src=3D"https://github.com/notifications/beacon/AO8bODBqt6N1r= l-cepPSV9FjSX2zJ3LZks5tSCiRgaJpZM4IjU3M.gif" width=3D"1" />

<div itemscope itemtype=3D"http://schema.org/EmailMessage"> <div itemprop=3D"action" itemscope itemtype=3D"http://schema.org/ViewActi= on"> <link itemprop=3D"url" href=3D"https://github.com/aws/aws-cli/issues/19= 85#issuecomment-363378537"> <meta itemprop=3D"name" content=3D"View Issue">
<meta itemprop=3D"description" content=3D"View this Issue on GitHub"></me= ta>

<script type=3D"application/json" data-scope=3D"inboxmarkup">{"api_versio= n":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c55493e4bb","name"= :"GitHub"},"entity":{"external_key":"github/aws/aws-cli","title":"aws/aws= -cli","subtitle":"GitHub repository","main_image_url":"https://cloud.gith= ubusercontent.com/assets/143418/17495839/a5054eac-5d88-11e6-95fc-7290892c= 7bb5.png","avatar_image_url":"https://cloud.githubusercontent.com/assets/= 143418/15842166/7c72db34-2c0b-11e6-9aed-b52498112777.png","action":{"name= ":"Open in GitHub","url":"https://github.com/aws/aws-cli"}},"updates":{"s= nippets":[{"icon":"PERSON","message":"@ASayre in aws/aws-cli#1985: Good Morning!\r\n= \r\nWe're closing this issue here on GitHub, as part of our migration to = UserVoice for feature requests involving the AWS CLI.\r\n\r\nThis will let u= s get the most important features t

jamesls commented 6 years ago

Based on community feedback, we have decided to return feature requests to GitHub issues.

ahl commented 5 years ago

Seems like a dupe of https://github.com/aws/aws-sdk/issues/529 and https://github.com/aws/aws-cli/pull/3174

tb3088 commented 5 years ago

With AWS Professional Services incessantly pushing MFA and heavy use of account separation and assume-role and friends, the least the tools team could do is keep up, eh?

tb3088 commented 5 years ago

this is a common IAM template fragment that the lack of support means things get annoying, fast. A more complete example.

        {
            "Sid": "BlockMostAccessUnlessSignedInWithMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:GetAccountSummary",
                "iam:ListAccountAliases",
                "iam:ListUsers",
                "iam:ListServiceSpecificCredentials",
                "iam:ListMFADevices",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice",
                "iam:ListVirtualMFADevices",
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice",
                "sts:GetSessionToken"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
cornfeedhobo commented 5 years ago

Please implement this, like, yesterday. https://github.com/aws/aws-cli/pull/3174 https://github.com/boto/botocore/pull/1399

whereismypen commented 2 years ago

How can this not be merged by now? The solution is waiting here. As the others here have said, this would be a great aid in time and a step up in security.

Angelin01 commented 2 years ago

6 years later and this is not supported. Thousands of mini shell scripts using sts assume-role and similar solutions just to get around this.

People will only implement extra protections if it is a good trade off between convenience and added security, and as of right now using MFA on the CLI is a huge inconvenience because of this and https://github.com/aws/aws-cli/pull/3174. Having worked with a lot of folks using AWS, I can count on my fingers how many permanently adopted MFA for the CLI, and of those who did everyone hacked together some sort of alternative solution to this exact issue.

irl-segfault commented 2 years ago

Agreed that it's strange to not have been fixed yet, however at least you can have MFA work (be prompted for) as long as the profile you're using assumes a role. Temp credentials are stored in ~/.aws/cli/cache, so you don't need a wrapper/scaffold script to update your ~/.aws/credentials file. Having users interact with the API via a Role is a better practice anyways, though I feel everyone's pain.

tb3088 commented 2 years ago

I do all that - look at cache, etc. in my scripts. The point is there should NOT be an assume-role required for MFA to be invoked. It's a bogus dependency that the API writers just jammed in there without thinking. The API writers have some glaring blind spots - namely naming consistency for starters.

irl-segfault commented 2 years ago

I don't disagree, just saying there's an easy workaround -- create a role, allow your user to assume the role, and add the roleARN to your ~/.aws/credentials until this is fixed. Agree it's not necessary / confusing.

whereismypen commented 2 years ago

Another quarter has lapsed and still nothing. No update, no progress, not even a promise. Even Google supports MFA on gcloud (with token even 👍 ).

sebandgo commented 2 years ago

It's becoming embarrassing 🤦. A 6 years old feature request, oh dear...

whereismypen commented 1 year ago

Another quarter and this hasn't made any progress. Decision makers should consider this when choosing platforms. @SebastianGogoasa - It's past embarrassing.

sebandgo commented 1 year ago

@whereismypen agree. I bet @glennpratt who originally raised this issue back in 2016 is very close to its retirement age.

I may be wrong but my guess is that AWS is working on a DNA based type of authentication for its CLI and I don't think we'll need this feature anymore... no more MFA, ADFS and all that non-sense.

That was a joke, but seriously this is a matter of security. What's the point in setting up MFA for the console when most of the developers are using the CLI on a daily basis.

gitnik commented 1 year ago

Let's try it again. More than 6 months later

cornfeedhobo commented 1 year ago

After more life experience, here is my $0.02:

Any company that has a big enough budget to get AWS to assign developer hours, is not using MFA directly in this way.

If you feel differently and work at a big company, then you will need to email this issue to your account's solution architect. That is the only way this will get attention. Don't hesitate. That's what they are there for.