aws / aws-cli

Universal Command Line Interface for Amazon Web Services

ssm start-session with -profile doesn't ask for MFA #6218

Open daknhh opened 3 years ago

daknhh commented 3 years ago

Confirm by changing [ ] to [x] below to ensure that it's a bug:

Describe the bug When invoking aws start-session with a profile which needs MFA, the following error occurs:

----------ERROR------- Encountered error while initiating handshake. KMSEncryption failed on client with status 2 error: Failed to process action KMSEncryption: error while creating new KMS service, Error creating new aws sdk session AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.

SDK version number aws-cli/2.0.61 Python/3.7.4 Darwin/20.5.0 exe/x86_64

Platform/OS/Hardware/Device MacOS Big Sur 11.4

To Reproduce (observed behavior) Invoke aws ssm start-session --target xxx --profile xxx with a profile which has MFA configured

Expected behavior When invoking aws ssm start-session --target xxx --profile xxx with a profile which has MFA configured - the cli should ask for MFA.

Logs/output

Starting session with SessionId: botocore-session-1623395335-02005be411911dee8

SessionId: botocore-session-1623395335-02005be411911dee8 : ----------ERROR------- Encountered error while initiating handshake. KMSEncryption failed on client with status 2 error: Failed to process action KMSEncryption: error while creating new KMS service, Error creating new aws sdk session AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.

kirnberger1980 commented 3 years ago

We are also facing the issue. Please fix it.

daknhh commented 3 years ago

Workaround - use awsume before invoking aws ssm start-session ;)

goyertp commented 3 years ago

Same issue here. Workaround: awsume solves this problem.
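Added example, not part of the thread and not code from aws-cli or awsume: the same idea as the workaround above, done by hand with aws sts assume-role. The MFA code is supplied once, the temporary credentials go into environment variables, and start-session is then run without --profile so the MFA profile is not re-read. The function names, the ssm-mfa session name and the assumption that STS credential fields contain only base64 characters are choices made for this sketch.

```shell
# Usage (placeholders): ssm_with_mfa <profile> <instance-id> <mfa-code>

# Convert the one-line, tab-separated result of
#   aws sts assume-role --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
# into export statements. Anything other than three base64-style fields is
# rejected, so the result is safe to eval.
creds_to_exports() {
  tab=$(printf '\t')
  old_ifs=$IFS
  IFS=$tab
  set -f                 # no globbing while splitting
  set -- $1              # split the input on tabs into $1 $2 $3
  set +f
  IFS=$old_ifs
  if [ "$#" -ne 3 ]; then
    echo "unexpected assume-role output" >&2
    return 1
  fi
  for field in "$@"; do
    case $field in
      ''|*[!A-Za-z0-9+/=]*) echo "unexpected character in credentials" >&2; return 1 ;;
    esac
  done
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$1"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$2"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$3"
}

ssm_with_mfa() {
  profile=$1; target=$2; code=$3
  # Read the role settings from the profile that the plugin cannot handle.
  role_arn=$(aws configure get role_arn --profile "$profile") || return 1
  mfa_serial=$(aws configure get mfa_serial --profile "$profile") || return 1
  source_profile=$(aws configure get source_profile --profile "$profile") || return 1
  region=$(aws configure get region --profile "$profile") || region=""
  out=$(aws sts assume-role --profile "$source_profile" \
          --role-arn "$role_arn" --role-session-name ssm-mfa \
          --serial-number "$mfa_serial" --token-code "$code" \
          --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
          --output text) || return 1
  exports=$(creds_to_exports "$out") || return 1
  # Subshell: the temporary credentials do not stay in the calling shell.
  (
    unset AWS_PROFILE
    eval "$exports"
    if [ -n "$region" ]; then export AWS_DEFAULT_REGION="$region"; fi
    aws ssm start-session --target "$target"
  )
}
```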

kdaily commented 3 years ago

Hi @daknhh,

Thanks for the report. I'll look into it some more, but it looks like this is not currently supported by the CLI customization for the Session Manager.

daknhh commented 3 years ago

Hi @kdaily - thanks for taking care of it. I hope this feature will be released soon.