Open lrvick opened 6 years ago
AFAIK, U2F generally only works in a web browser. How would you expect it to be used from CLI? Fire up a browser?
@JensRantil Nope, any sort of application can interact with a U2F token.
Source: I maintain libu2f-* and pam-u2f in Debian ;)
Looks like U2F isn't supported for API access yet:
> You cannot use MFA-protected API access with U2F security keys.
That said, I've definitely passed this feedback on to the service team. My own experience has been that U2F is 100000x more usable than any other second factor, so I'd love to see it even for my own use.
The one caveat is that this would need to be a V2 feature since I'm fairly certain we have to pull in C dependencies to interact with the U2F token.
@JordonPhillips FYI, there is a Python U2F host library from Yubico; it's itself 100% Python, but depends on hidapi, which IIRC uses libusb and libudev.
OTOH, it's already available in all major distros, so that shouldn't be a big deal?
It would also require (like any use of U2F) that the user can interact with the U2F device; Yubico maintains udev rules upstream in libu2f-host, which I shipped in Debian as libu2f-udev (so they can be installed without pulling in the C library), which is a dependency of task-desktop (starting in Debian 10 "buster"), so most users will have it installed out of the box; in stretch (the current Debian stable), we shipped the udev rules for U2F in the udev package, so it's available there too.
TL;DR: Debian should have the right permissions for U2F devices in jessie onwards (released over a year ago), and so should all Debian derivatives (unless they went out of their way to break U2F...)
This would be hugely helpful for me. Getting out my phone 10-20 times a day to copy TOTPs is not fun. If I could just tap my Yubikey instead, my aws-cli experience would be so much more pleasant.
@nbraud it looks like the python interface they use doesn't provide linux wheels, so installing that would require that the user has a compiler installed. This isn't currently a requirement to install the cli, so adding that library would be a breaking change for many users.
@JordonPhillips Regarding introducing a breaking change... I can imagine a couple of approaches that would let enthusiastic users benefit from this early without breaking things for less adventurous users:
Make it an optional dependency in v1, and then people who really care about it can compile with a special flag to enable it. In this way they opt in to "previewing" what will eventually be part of the v2 client by default.
Split the U2F piece into a separate binary, and detect its presence at runtime. Then users who attempt to use the AWS CLI with U2F would be told "install this other tool" to make it work. So, on Mac, for example, I would be one brew install aws-cli-u2f away from bliss.
Yeah, I'd be more than happy to install an optional compile-from-source module to get this functionality. It would only be needed on developer machines (which would almost always have a compiler already) and not on servers anyway.
An alternative to python-u2f-host would be python-fido2 which gets you out from needing the C libraries for USB HID and means you only need the Cryptography library which ships wheels...
I'll be holding my breath for this.
As far as I understand this issue STS/IAM will have to gain API support for security keys as MFA tokens before moving forward with this?
> As far as I understand this issue STS/IAM will have to gain API support for security keys as MFA tokens before moving forward with this?
Can anyone shed light on this? Surely if it's not already supported then it's just around the corner...?
EDIT:
Please don't let this turn out to be one of those cringeworthy cases where a company assumes none of their customers care about a feature, because they implemented the not-super-useful version and then nobody used it.
I never use the web UI for logging in to the Amazon console. It's all CLI-driven for me, because I have several accounts I need to deal with (etc.). And even if I did use the web UI to log in, then as it stands I'd need to faff about with duplicate accounts of all my existing accounts for use with U2F, because I'd still need to use my old Google/LastPass/whatever authenticator for all aws-cli stuff.
So... AWS's U2F support has the potential to become something that I'd be really enthusiastic about, but without CLI support it's not yet worth touching. I imagine a lot of people are in the same boat.
@jeffparsons totally agree, U2F MFA for the CLI/SDK is really needed. I bet they would resist doing the libusb/python-fido approach as it does not map well to doing it on the Ruby/Java etc. SDKs. U2F with a one-touch challenge response would be pretty universal though.
btw you can switch accounts in the web console very easily by assuming a role on the other account like: https://signin.aws.amazon.com/switchrole?roleName=SomeAdminRole&account=YourAccountNumberOrAlias see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html
You can then see the role switcher in your user/account dropdown in the upper right of the page
also this guy might be on to something... https://gist.github.com/woowa-hsw0/caa3340e2a7b390dbde81894f73e379d
Here is also a very good solution https://github.com/kreuzwerker/awsu
Working with multiple multi-account setups, all of them with a separate IdP, using the same U2F with all of them would be a huge alleviation of toil for me. I would also have no issue installing/compiling an additional dependency to get this in v1 as a preview.
Any movement on the issues on the aws side of things?
For what it's worth, aws-vault seems to be fairly close to merging in U2F support: https://github.com/99designs/aws-vault/pull/316
That said, I am absolutely in favor of adding native U2F support to the official AWS CLI tool.
> For what it's worth, aws-vault seems to be fairly close to merging in U2F support: 99designs/aws-vault#316
No that's just creating TOTP tokens using the Yubikey. It's a workaround that allows you to use your Yubikey but it's not U2F.
(This is the same as what awsu does, it seems.)
The whole MFA in awscli is a pain to set up and the lack of yubikey support does not help.
MFA in 2019 should be a must not a cutting edge feature.
Any progress on this?
just ran into this. Please remove support for Yubikey from the web console if you don't plan to support it in the cli. It's a huge time waster to have to google this stuff and find out AWS does not support what it advertises
Pretty ridiculous that this issue has been open for 440 days and not resolved yet.
CLI support would, as previously stated, be highly appreciated.
Hi, we would like to enforce MFA for all human users with https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html (for the lack of a better solution) but now it turns out we either have to:
a) give up on the idea altogether, or b) force everyone to downgrade from using U2F to TOTP.
The fact that IAM does not support multiple MFA devices is a bad joke too...
It's almost year 2020. Convenient and secure (read: U2F) MFA solution is a must, not a luxury in my opinion. Especially in areas where malicious actors can inflict serious financial damage.
AWS, please, please, please, get your act together and work on enhancing your MFA support throughout your ecosystem (CLI, mobile apps, AWS SSO - which does not support U2F too!)
> The fact that IAM does not support multiple MFA devices is a bad joke too...
This is really embarrassing. Registering only one device is a really bad practice, so come on Amazon, fix this ASAP!
> Pretty ridiculous that this issue has been open for 440 days and not resolved yet.
It's worse than that. In 2013 someone from Amazon wrote:
> Unfortunately at this time it is only possible to have a single MFA per account. I have however raised this with our development team to be considered as a feature for future development.

https://forums.aws.amazon.com/thread.jspa?threadID=137055
I would understand that the team might be busy or otherwise, but the fact that nobody even bothers to reply to this issue is what concerns me. This isn't some understaffed, underpaid open-source project where this can be excused but AWS itself.
491 days, let's open a champagne on 500! :champagne: :confetti_ball:
I assume Amazon is really focused on the GOV projects where the $ is at. This thread is one example of why I usually don't recommend to anyone to use AWS. Sure, there was a time they were cutting edge, but nowadays... it's just lacking basic features. I know it's off topic, but another example is Route 53 still doesn't support DNSSEC, so here you go. Oh yeah, and MFA should be called SFA because there's no "Multi" in the AWS implementation.
Sorry for the rant but most probably nobody watches this thread except for the security folks who actually want the feature. Just a couple of days till we reach 500 :) !
I would really like this to be added. I find cellphones hugely distracting and would rather not have to pull my phone out multiple times per hour when I'm interacting with AWS services.
This was updated a few days ago - https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
Does that help anyone?
> Does that help anyone?
Sadly, no. IMHO that's another problem: AWS needs some complex scripts to use even the token code. I use the 3rd-party aws-mfa Python script PyPI module to get around that.
But thank you for the thought @chris-bateman !
> This was updated a few days ago - https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
There is an "Anything we could improve? Let us know" button at the bottom of that article which I will be sure to be pressing.
I did my part and left a comment in the "let us know part". I would also be very excited if this feature is implemented.
Same, thanks for posting @steinybot
Adding a sad comment that it is not implemented yet
Two year anniversary coming up in less than 2 months. It must be getting close now, right? Right?
Good news: if you don't use aws-vault, you should. They just introduced Yubikey support. If you have a Yubikey that supports TOTP then you can add the MFA code inside. While the ideal would be to expect it from Amazon, we can all agree that they just don't care while Jeff is getting richer. It has great support for roles and such; part of me is sad that this is a 3rd-party tool, but that's what I love about open source: you have options. Link: https://github.com/99designs/aws-vault/blob/master/USAGE.md#using-a-yubikey
While aws-vault is great, it supports TOTP, not U2F.
after ages waiting for this I now use https://github.com/kreuzwerker/awsu
> @nbraud it looks like the python interface they use doesn't provide linux wheels, so installing that would require that the user has a compiler installed. This isn't currently a requirement to install the cli, so adding that library would be a breaking change for many users.
While @jeffparsons pointed out some reasonable potential workarounds if you use one of the other larger libraries with more dependencies, I'll also point out that there is a smaller Python library that should be considered: pyu2f. It also relies on native USB HID libraries to communicate with U2F keys, but it only has one Python dependency: six. It packs away its own ctypes-based bindings to OS HID calls compatible with MacOS, Linux, and Windows and would likely cover "enough" use cases.
Do we have anyone working on this yet? Would the aws-cli team accept a patch for any prototypes of this functionality?
EDIT: After reading more from the IAM user guide it looks like U2F is unsupported at the API level, so even if aws-cli supported interactive U2F token authentication, it does not look like GetSessionToken and AssumeRole support this at this point (as quoted below):
> It's important to understand the following aspects of MFA protection for API operations:
> - MFA protection is available only with temporary security credentials, which must be obtained with AssumeRole or GetSessionToken.
> - You cannot use MFA-protected API access with U2F security keys.
Also, regarding the social commentary from @kiwimato:
> While the ideal would be to expect it from Amazon, we can all agree that they just don't care while Jeff is getting richer.
Please realize this is a software development thread, not a capitalism debate forum. AWS teams consist of genuine humans who have in my experience been quite responsive to fixing things in botocore. If something is plaguing you, realize the open source nature of much of this means you can help contribute a fix or at least help brainstorm some options.
However, while the underlying AWS API itself does not seem to support anything beyond TOTP for MFA, it looks like this problem may be a bigger issue than aws-cli simply not supporting client functionality. Hopefully AWS can bump this ticket once the API supports U2F so we can get client support rolling.
At least a solution like this will help with context switching between your machine and your phone https://authy.com/
Is there any ETA on this? It's very concerning that apparently no one in the world is using good MFA practices for their AWS cli usage.
> It's very concerning that apparently no one in the world is using good MFA practices for their AWS cli usage.
@james-callahan that's not true. We restrict access to roles to only those that have auth'd with MFA. E.g.:
```yaml
# CloudFormation trust policy: the role can only be assumed by principals in
# the account that authenticated with MFA (aws:MultiFactorAuthPresent).
# Account is a template parameter holding the 12-digit account id.
AssumeRolePolicyDocument:
  Version: '2012-10-17'
  Statement:
    - Effect: Allow
      Principal:
        AWS: !Sub 'arn:aws:iam::${Account}:root'
      Action:
        - sts:AssumeRole
      Condition:
        Bool:
          aws:MultiFactorAuthPresent: 'true'
```
Then we use a tool called aws-mfa to manage obtaining temporary creds from STS and updating our AWS credentials files. There are other ways to manage interacting with STS for the same goal.
This ticket focuses on adding support specifically for U2F.
> @james-callahan that's not true. We restrict access to roles to only those that have auth'd with MFA.
This only works with TOTP; which shouldn't be considered a high quality second factor due to ease of phishing TOTP credentials etc. This is made worse by the fact that AWS doesn't allow you to enrol both an U2F and a TOTP device to a single IAM user, so if you want to use U2F for UI access, you cannot use any MFA from the cli.
For those users that need it, we create two accounts:
Pretty hard to phish TOTP from a cli access only account.
@craighurley This looks a bit overkill for a workaround IMO. You have to maintain 2 accounts for security management of an AWS organisation just to have U2F on the console. I don't see it as a reasonable solution for any company who wants to use U2F.
Hi! Any news on supporting Yubikeys for AWS CLI commands? It's just impossible to have any kind of scripts running securely on my developers' machines without that. Credentials as an authentication method for physical machines is not exactly efficient, and using TOTP is impractical since we already use Yubikeys.
@EmilioEduardo sadly no; in the meantime I wrote an open-source tool to use my Yubikey at work, maybe this helps you: https://github.com/MartinWie/CredoPy
It is not exactly what you want but using ykman to grab the Token from the Yubikey is way more convenient than typing in the token manually. Hope this helps! :)
If you need help adapting it to your needs shoot me a message, same goes for feedback :D
One solution to support most U2F keys right now seems to be to use AWS SSO which now supports FIDO/WebAuthn tokens for both console logins AND CLI access. Most current U2F tokens support this but some older ones may not work. Note you need the latest version of the CLI and you have to run "aws configure sso" first time only from a console and it will pop out to a web browser to perform the MFA side of the authentication before returning to the console. It then applies temporary session based AWS credentials to any further aws cli actions. When the credentials expire you will be taken back to a browser to do another MFA authentication step when you do another aws cli command. https://aws.amazon.com/blogs/aws/multi-factor-authentication-with-webauthn-for-aws-sso/
Any Updates? @aws
> to set up and the lack of yubikey support does not help. MFA in 2019 should be a must not a cutting edge feature.
Reading this in 2022 is even worse.
Dear aws, what the actual flower is that telling about your approach on security?
Per the AWS blog U2F is now supported for Console login: https://aws.amazon.com/blogs/security/use-yubikey-security-key-sign-into-aws-management-console/
It is especially critical there be a path to support this on the aws-cli so we can tap to perform commands instead of having long lived tokens on disk/memory.