aws / aws-cli

Universal Command Line Interface for Amazon Web Services

U2F Support #3607

Open lrvick opened 6 years ago

lrvick commented 6 years ago

Per the AWS blog U2F is now supported for Console login: https://aws.amazon.com/blogs/security/use-yubikey-security-key-sign-into-aws-management-console/

It is especially critical there be a path to support this on the aws-cli so we can tap to perform commands instead of having long lived tokens on disk/memory.

dejwsz commented 2 years ago

I agree, U2F support should be added. Anything that can raise the level of security should be provided as a built-in option.

giphahne commented 2 years ago

@jamesls @kyleknap: any update on this? using U2F from the aws-cli would be immensely helpful

anderiv commented 2 years ago

As @MichaelWest22 mentioned above, awscli's support of SSO (or whatever the name du jour is these days) has more or less scratched this itch for me. I realize not every org has SSO deployed, though, so it's not a global solution. For those where SSO is an option, though, I would highly recommend it.

SSO ought to be a default these days instead of something one may accidentally stumble into after initially just using IAM users.

sc0ttdav3y commented 2 years ago

I just came here after upgrading to hardware MFA and finding I've broken my aws cli access.

I expect AWS to be at world best practice in terms of cloud security, but it's 2022 and I can't use hardware MFA with the CLI, and I can't register multiple devices per user.

And to make things worse, I come here to find a 4 year old issue 🤦🏻.

Constructively, I'd point out that the YubiKey registers itself as a keyboard, so it can supply its codes into the CLI quite easily. It's just the CLI itself that seems restrained to looking for 6 digit codes and not the longer string of characters the key generates. Given the longer codes are supported by AWS elsewhere, it seems so simple to fix.

exussum12 commented 2 years ago

> I'd point out that the YubiKey registers itself as a keyboard, so it can supply its codes into the CLI quite easily. It's just the CLI itself that seems restrained to looking for 6 digit codes and not the longer string of characters the key generates. Given the longer codes are supported by AWS elsewhere, it seems so simple to fix.

That code which happens when you press the button on a yubikey in a text editor has nothing to do with U2F.

A cli client does exist for U2F though, so it's still possible.

The code which you are seeing is a Yubico OTP (https://docs.yubico.com/yesdk/users-manual/application-otp/yubico-otp.html), which is not as commonly supported over the internet.

gwynnarth commented 2 years ago

My gut tells me that this will never be implemented in a way many people on this thread expect it to. Almost 3 years have passed since my original comment and right now my only gripe with AWS is that they won't state plainly that there is no intention on their end to fix this issue.

Since then, my organization has moved on to AWS SSO for all human users (renamed to IAM Identity Center now - which also kinda tells me that this is the path AWS wants everyone to take), which has decent MFA support and works quite well with AWS CLI. This really does solve the original issue and I, personally, would be very much surprised to see ANY significant enhancements to the "original" IAM in scenarios where a human user is involved.

You may not like this suggestion (already voiced by @anderiv and @MichaelWest22 earlier) and continue to wait for this issue to be fixed, or you can get over the distaste AWS's lack of clear communication leaves and have a much better security posture right now. The choice is yours 😉

PS. I also recommend slapping an aws-vault in front for securing these short-term credentials.

sc0ttdav3y commented 2 years ago

Hey @gwynnarth, thanks for your comment. The take-away I'm most interested in hearing more about is that AWS SSO solves this for the CLI. I guess I'll need to dive into all their marketing guff that I've been avoiding reading due to info overload.

gwynnarth commented 2 years ago

Sure thing! As it was described in this comment: https://github.com/aws/aws-cli/issues/3607#issuecomment-834010077 when you configure your CLI to work with AWS SSO, it will pop up a browser window where you authenticate (in our case we're using SAML to integrate with GApps, but you can use the built-in SSO identity store). That's where the MFA "magic" happens. Modern browsers support U2F, so there's no problem with using a hardware security key + you can have multiple MFAs attached to a single SSO user, which is also a very important improvement over "plain" IAM users.

After authenticating you will be issued an SSO token (expires in something like 8 hours) that will later be exchanged for short-lived IAM credentials for a particular SSO role that you're permitted to assume. These credentials can be used in actual API calls to AWS. Whenever the short-lived credentials expire the SDK will take care of renewing them automatically (I think). Whenever the SSO token expires you will need to re-authenticate with AWS SSO, in turn.

Most apps work seamlessly with SSO nowadays since it's supported in AWS SDKs for various languages, but from time to time you still might run into something that simply expects to have long-lived access keys in ~/.aws/credentials. For that you might rely on https://github.com/victorskl/yawsso, but remember that if you can make the app read the credentials from ENV variables, then you can make it work with https://github.com/99designs/aws-vault instead and have all your tokens and credentials stored in an encrypted keychain - and only surface them when they're actually needed - which is much more secure. Right now Cyberduck is the only piece of software I was unable to get to work with SSO. Even Serverless has a plugin that makes it work well with SSO: https://www.serverless.com/plugins/serverless-better-credentials
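The Identity Center flow described above, as an added example that is not part of this thread or of the aws-cli project: the `sso-session` profile shape the CLI consumes, written to a throwaway config file so a real `~/.aws/config` is never touched, plus a small checker that verifies a profile is wired to a complete session block. The start URL, account ID, region and role name are placeholders. The browser login (where the FIDO/U2F key is actually used) only runs when `aws` is installed and `RUN_AWS=1` is set; the CLI never sees the key, it only receives the SSO token and exchanges it for short-lived role credentials.

```shell
#!/bin/sh
# Added example: IAM Identity Center ("AWS SSO") profile for the AWS CLI.
# All identifiers below are placeholders, not real values.

write_sso_config() {
    # $1 = path of the config file to write (use a temp file, not ~/.aws/config)
    cat > "$1" <<'EOF'
[sso-session corp]
sso_start_url = https://d-0123456789.awsapps.com/start
sso_region = eu-west-1
sso_registration_scopes = sso:account:access

[profile dev]
sso_session = corp
sso_account_id = 123456789012
sso_role_name = DeveloperAccess
region = eu-west-1
output = json
EOF
}

# ini_get FILE SECTION KEY -> prints the value, exit 1 if absent.
# SECTION is the literal header text, e.g. "profile dev" or "sso-session corp".
# Assumes "key = value" lines whose value contains no whitespace.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && $1 == key && $2 == "=" { print $3; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_sso_profile FILE PROFILE: returns 0 if the profile names an account
# and role and points at an sso-session that has a start URL and region;
# otherwise reports each missing key on stderr and returns 1.
check_sso_profile() {
    cfg=$1; prof=$2; rc=0
    for k in sso_account_id sso_role_name; do
        ini_get "$cfg" "profile $prof" "$k" >/dev/null \
            || { echo "profile $prof: missing $k" >&2; rc=1; }
    done
    sess=$(ini_get "$cfg" "profile $prof" sso_session) \
        || { echo "profile $prof: missing sso_session" >&2; return 1; }
    for k in sso_start_url sso_region; do
        ini_get "$cfg" "sso-session $sess" "$k" >/dev/null \
            || { echo "sso-session $sess: missing $k" >&2; rc=1; }
    done
    return $rc
}

CFG=$(mktemp)
write_sso_config "$CFG"
check_sso_profile "$CFG" dev && echo "profile dev in $CFG is complete"

# Real use: the login opens the browser, where the hardware key is tapped.
# Afterwards every call with --profile dev gets short-lived role credentials
# that the CLI refreshes itself until the SSO token expires.
if [ "${RUN_AWS:-0}" = 1 ] && command -v aws >/dev/null 2>&1; then
    AWS_CONFIG_FILE=$CFG aws sso login --profile dev
    AWS_CONFIG_FILE=$CFG aws sts get-caller-identity --profile dev
fi
```

To adopt it, merge the two sections into `~/.aws/config` (or keep pointing `AWS_CONFIG_FILE` at a file of your own) and run `aws sso login --profile dev`; nothing long-lived is written to `~/.aws/credentials`.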

kabo commented 2 years ago

One can now configure multiple MFA devices, meaning at least you can use your FIDO key in the console and OTP with the CLI.

https://aws.amazon.com/blogs/security/you-can-now-assign-multiple-mfa-devices-in-iam/

Endareth commented 2 years ago

Unfortunately not: "you can associate up to eight MFA devices of the currently supported types". Looks like you can't mix & match, got to be either a single Virtual TOTP, or up to eight FIDO2 devices. I mean, sure, it's an improvement, but only really helps people who never use the CLI. I could be wrong (not in a position to remove and re-add MFA without breaking stuff right now), anyone else able to test this quickly?

edit: So it looks like this only works when starting fresh with MFA. Can't seem to add extra MFA devices to an existing setup, but a new user allows adding a mix of device types… Still doesn't help with the CLI, but at least it's an improvement.

edit2: Guessing this is still being rolled out—the ability to add extra devices is sometimes visible currently, sometimes not. Reloading the page helped in a couple of cases, but not others… 🤷

Art3mK commented 2 years ago

yeah, works for me with existing user and OTP and adding two yubikeys as additional MFA devices

larstobi commented 2 years ago

I have registered both one TOTP and one Yubikey, and I can log in to Console using a choice of Yubikey or TOTP, and from the CLI I can still use my TOTP just fine.

amohar commented 1 year ago

Five years and nothing official on this? I mean, security is important, especially in the cloud, right?

dejwsz commented 1 year ago

If you use AWS IAM Identity Center, then you can register your yubikey there now and use it in the CLI with "aws sso login", which gives you short-lived credentials, and it works OK. In the other case I needed to register the yubikey as TOTP in IAM, and for the command line client I used the "aws-vault" tool as a helper to be able to use it properly. And that also worked quite well for me. But the AWS CLI itself still does not support it natively.

exussum12 commented 1 year ago

> But the AWS CLI itself still does not support it natively.

It does. You need the ARN of the device and add this to your config:

```
mfa_serial=arn:aws:iam::{ID}:mfa/{WhateverItsNameIs}
```

You are then prompted:

```
$ aws sts get-caller-identity
Enter MFA code for arn:aws:iam::{ID}:mfa/{WhateverItsNameIs}:
```

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html

Search for MFA there
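The two ways the CLI consumes a TOTP (virtual MFA) device on an IAM user, as an added example that is not from this thread or the aws-cli project: the `mfa_serial` role profile just described, and the `sts get-session-token` route for a user that has no role to assume. Account ID, role and device names are placeholders, and the STS call only runs when `aws` is installed and `RUN_AWS=1` is set. The caveat worth keeping in mind for the original request in this issue: both paths still need the user's long-term access key on disk (or in a keychain via aws-vault), because that key is what signs the STS request; only the Identity Center path removes it.

```shell
#!/bin/sh
# Added example: using an IAM user's TOTP device from the AWS CLI.
# All identifiers below are placeholders, not real values.

# 1) Role profile with mfa_serial. When the profile is used the CLI prompts
#    for the code, calls AssumeRole, and caches the temporary credentials
#    under ~/.aws/cli/cache until they expire, so the prompt appears once
#    per session rather than once per command.
write_mfa_config() {
    cat > "$1" <<'EOF'
[profile base]
region = eu-west-1
# long-term access key for the IAM user lives in ~/.aws/credentials under [base]

[profile admin]
source_profile = base
role_arn = arn:aws:iam::123456789012:role/Admin
mfa_serial = arn:aws:iam::123456789012:mfa/my-totp
duration_seconds = 3600
EOF
}

# 2) Session credentials for the user itself (no role). STS returns a
#    session bound to the MFA code; we export it to the environment, which
#    overrides every profile, so clear it again when finished.
#
# parse_session_token LINE: LINE is one line of
#   aws sts get-session-token --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' --output text
# i.e. four tab-separated fields, none of which contain whitespace.
parse_session_token() {
    set -- $1
    [ $# -eq 4 ] || return 1
    export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
    AWS_SESSION_EXPIRATION=$4   # informational only; the SDKs do not read it
}

# mfa_session MFA_ARN CODE [PROFILE]: sign the STS call with the long-term
# key of PROFILE (default "base") and export the returned session.
mfa_session() {
    out=$(aws sts get-session-token \
        --profile "${3:-base}" \
        --serial-number "$1" \
        --token-code "$2" \
        --duration-seconds 3600 \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
        --output text) || return 1
    parse_session_token "$out"
}

clear_session() {
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SESSION_EXPIRATION
}

CFG2=$(mktemp)
write_mfa_config "$CFG2"
echo "wrote role profile with mfa_serial to $CFG2"

if [ "${RUN_AWS:-0}" = 1 ] && command -v aws >/dev/null 2>&1; then
    # Path 1: the CLI prompts for the code itself.
    AWS_CONFIG_FILE=$CFG2 aws sts get-caller-identity --profile admin
    # Path 2: code supplied explicitly (e.g. read from the YubiKey via ykman).
    printf 'MFA code: '; read -r code
    mfa_session arn:aws:iam::123456789012:mfa/my-totp "$code" \
        && aws sts get-caller-identity \
        && echo "session valid until $AWS_SESSION_EXPIRATION"
    clear_session
fi
```

With path 1 no extra tooling is needed; with path 2 the exported variables take precedence over `--profile`, so a forgotten `clear_session` is the usual reason a later command runs as the wrong identity.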

dejwsz commented 1 year ago

yes, I know - but it is not ideal though, I have it too in my config of course

MartinLoeper commented 1 year ago

Got a fresh new Yubikey Bio ready just to find, there is no direct support in tooling like AWS CLI. Classic.

steinybot commented 1 year ago

Don't worry folks, at AWS, security is their top priority.

> Strong security at the core of an organization enables digital transformation and innovation. AWS helps organizations to develop and evolve security, identity, and compliance into key business enablers. At AWS, security is our top priority.

alexw23 commented 1 year ago

Have been using SSO lately for the CLI and haven't looked back; I use it with aws-vault to keep a short-lived session. No point waiting for AWS to do something that is most likely never going to happen.

sharpone74 commented 1 month ago

How is AWS a multi billion dollar company and this issue still exists from 2018. These keys are friggin everywhere now.

anderiv commented 1 month ago

> How is AWS a multi billion dollar company and this issue still exists from 2018. These keys are friggin everywhere now.

The answer now, in 2024 is:

Use IAM Identity Center. Then you can use whatever factors you need, with full support in the CLI tools.