Open jelford opened 2 years ago
Thanks for submitting this well thought-out request/proposal! If you're interested in writing up an RFC or submitting a PR, we'd welcome it.
I think that adding a trait for `MfaTokenProvider` and the relevant config setters could be a small and quick update. With regards to implementing an `MfaTokenProvider` that receives input thru StdIn: I'd like to see an RFC on this that collects a bit of info on how other SDKs implemented this feature and what their user experience is like.
Sure, sounds sensible, and thanks for the quick response - I've actually started on a little PR so I'll post something on that probably later this week, covering the new trait / config setters.
I'm happy to put together an RFC - is there some documentation around the typical shape of these / what to expect to include? Sorry if I've missed it - I did a quick scan through CONTRIBUTING and the discussions here on GH and didn't see much prior art. No worries if not.
On the point about other SDKs, so far I have been looking only at boto3, which has the behaviour I describe in OP - is there a sensible group, e.g. "boto + java", that taken together make for a reasonably canonical sample?
> Sure, sounds sensible, and thanks for the quick response - I've actually started on a little PR so I'll post something on that probably later this week, covering the new trait / config setters.

I can't wait to see it

> I'm happy to put together an RFC - is there some documentation around the typical shape of these / what to expect to include? Sorry if I've missed it - I did a quick scan through CONTRIBUTING and the discussions here on GH and didn't see much prior art. No worries if not.

We don't have a guide for writing RFCs but you can take a look at past ones here. In my opinion a good RFC will state the customer need, define terms, show what the user experience will look like for the new feature, and then dive into the implementation of the feature. We usually include a checklist at the end that summarizes what will be implemented.

> On the point about other SDKs, so far I have been looking only at boto3, which has the behavior I describe in OP - is there a sensible group, e.g. "boto3 + java", that taken together make for a reasonably canonical sample?

The CLI/boto3 is generally our gold standard. We also often look to the Java, Javascript, Go, and Kotlin SDKs. The goal is that features should be relatively consistent across SDKs. Unsurprising code is easier to use and reason about.
Sounds good, thanks!
I've put up a preliminary PR for this: https://github.com/awslabs/smithy-rs/pull/1359 A few outstanding questions around the implementation, but as you said, not too big.
Describe the feature
Currently, the SDK recognizes the `role_arn` directive in profiles under the normal config file at `~/.aws/config`. When sending a request, it will correctly attempt to assume the specified role. However, if that role requires an MFA token, the SDK will not request an MFA token from the user, and will fail to assume the role. The feature request is to add support for MFA tokens, analogous to support in boto3 for the same.
Use Case
I use an IAM with limited permissions, which assumes a more privileged role, protected by MFA. The idea is to avoid having long-lived credentials present on my development laptop for a privileged account. When using the AWS CLI, or boto3 in a python script (run from a tty), I am prompted for my MFA key when first authenticating. I'd like to use the same workflow for programmes written against the Rust SDK. To give a complete picture, my `~/.aws/config` looks something like this (with long term credentials for the `home` profile in `~/.aws/credentials`):
Proposed Solution
To fit with the "Batteries included, but replaceable" design tenet, I think it would make sense to include:
The general idea is to:
- Read `mfa_serial` from profile config when present, onto `aws_config::profile::credentials::repr::RoleArn`
- A `ProvideMfaToken` trait that can provide MFA tokens when required in `aws_config::profile::credentials::exec::AssumeRoleProvider::credentials`
- A `ProvideMfaToken` implementation, used by default when stdin is a tty, that sources MFA tokens from stdin
- A setter on `aws_config::default_provider::credentials::Builder` to pass in a custom `ProvideMfaToken`
I'd propose usage looks a bit like this (using my "home" profile name from above), first for the default case:
And for customizing the `ProvideMfaToken` implementation (assuming a `future::ProvideMfaToken` analogous to `future::ProvideCredentials`):
Other Information
For completeness, here's the detail from tracing when trying to use the profile above with an MFA token, following the proposed "default" code:
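The following is an added illustration of the shape of the proposal, not code from the issue, the linked PR, or smithy-rs. It sketches a `ProvideMfaToken` trait, a stdin-backed default that is only installed when stdin is a tty, a builder-style setter for a custom provider, and the decision logic that consults a provider only when the profile carries `mfa_serial`. All type and function names (`MfaTokenRequest`, `StdinMfaTokenProvider`, `StaticMfaTokenProvider`, `AssumeRoleProvider::assume_role_params`) are hypothetical, and the trait is synchronous rather than async so the example has no runtime dependency; the six-digit check reflects the documented STS `TokenCode` constraint.

```rust
// Added example (hypothetical names, not smithy-rs code): what MFA-aware
// assume-role could look like, with the tty check and token validation a
// practitioner would want before the STS call.
use std::io::{self, BufRead, IsTerminal, Write};

/// What a provider is told when a token is needed: the `mfa_serial` read from
/// the profile, plus the role so an interactive prompt can say what it is for.
#[derive(Debug, Clone)]
pub struct MfaTokenRequest {
    pub mfa_serial: String,
    pub role_arn: String,
}

#[derive(Debug, PartialEq)]
pub enum MfaError {
    /// The role needs a token but nothing can supply one (e.g. stdin is not a tty).
    NoProvider,
    /// The provider returned something STS would reject (TokenCode is exactly six digits).
    InvalidToken(String),
    Io(String),
}

/// Hypothetical sync counterpart of the proposed `ProvideMfaToken` trait; the real
/// SDK trait would be async, analogous to `ProvideCredentials`.
pub trait ProvideMfaToken {
    fn provide_mfa_token(&self, req: &MfaTokenRequest) -> Result<String, MfaError>;
}

/// The proposed default: prompt on the terminal. The prompt goes to stderr so it
/// does not pollute whatever the program writes to stdout.
pub struct StdinMfaTokenProvider;

impl ProvideMfaToken for StdinMfaTokenProvider {
    fn provide_mfa_token(&self, req: &MfaTokenRequest) -> Result<String, MfaError> {
        let io_err = |e: io::Error| MfaError::Io(e.to_string());
        let mut err = io::stderr();
        write!(err, "Enter MFA code for {} (assuming {}): ", req.mfa_serial, req.role_arn).map_err(io_err)?;
        err.flush().map_err(io_err)?;
        let mut line = String::new();
        io::stdin().lock().read_line(&mut line).map_err(io_err)?;
        Ok(line.trim().to_string())
    }
}

/// A fixed token, for tests or for callers that obtained a code some other way.
pub struct StaticMfaTokenProvider(pub String);

impl ProvideMfaToken for StaticMfaTokenProvider {
    fn provide_mfa_token(&self, _req: &MfaTokenRequest) -> Result<String, MfaError> {
        Ok(self.0.clone())
    }
}

/// The slice of a parsed profile this feature needs: `mfa_serial` next to `role_arn`.
#[derive(Debug, Clone)]
pub struct RoleArn {
    pub role_arn: String,
    pub mfa_serial: Option<String>,
}

/// The STS AssumeRole inputs the credentials step would send.
#[derive(Debug, PartialEq)]
pub struct AssumeRoleParams {
    pub role_arn: String,
    pub serial_number: Option<String>,
    pub token_code: Option<String>,
}

/// STS rejects any TokenCode that is not exactly six ASCII digits, so fail locally
/// rather than burning a network round trip on a mistyped code.
fn validate_token_code(code: &str) -> Result<(), MfaError> {
    if code.len() == 6 && code.bytes().all(|b| b.is_ascii_digit()) {
        Ok(())
    } else {
        Err(MfaError::InvalidToken(code.to_string()))
    }
}

/// Stand-in for the assume-role step, with the builder-style setter the proposal asks for.
#[derive(Default)]
pub struct AssumeRoleProvider {
    mfa_token_provider: Option<Box<dyn ProvideMfaToken>>,
}

impl AssumeRoleProvider {
    /// No MFA provider installed: roles that need a token fail fast with `NoProvider`.
    pub fn new() -> Self {
        Self::default()
    }

    /// Proposed default behaviour: prompt on stdin only when it is a tty, so a CI job
    /// or a piped invocation errors out instead of hanging on a read that never returns.
    pub fn with_default_mfa_provider() -> Self {
        if io::stdin().is_terminal() {
            Self::new().mfa_token_provider(StdinMfaTokenProvider)
        } else {
            Self::new()
        }
    }

    /// The customisation hook: swap in any `ProvideMfaToken`.
    pub fn mfa_token_provider(mut self, provider: impl ProvideMfaToken + 'static) -> Self {
        self.mfa_token_provider = Some(Box::new(provider));
        self
    }

    /// A provider is consulted only when the profile carries `mfa_serial`; roles
    /// without it never trigger a prompt.
    pub fn assume_role_params(&self, role: &RoleArn) -> Result<AssumeRoleParams, MfaError> {
        let serial = match &role.mfa_serial {
            None => {
                return Ok(AssumeRoleParams { role_arn: role.role_arn.clone(), serial_number: None, token_code: None })
            }
            Some(s) => s.clone(),
        };
        let provider = self.mfa_token_provider.as_ref().ok_or(MfaError::NoProvider)?;
        let req = MfaTokenRequest { mfa_serial: serial.clone(), role_arn: role.role_arn.clone() };
        let code = provider.provide_mfa_token(&req)?;
        validate_token_code(&code)?;
        Ok(AssumeRoleParams { role_arn: role.role_arn.clone(), serial_number: Some(serial), token_code: Some(code) })
    }
}

fn main() {
    // Constructed values standing in for the `home` profile's role_arn and mfa_serial.
    let role = RoleArn {
        role_arn: "arn:aws:iam::123456789012:role/example-admin".to_string(),
        mfa_serial: Some("arn:aws:iam::123456789012:mfa/example-user".to_string()),
    };
    match AssumeRoleProvider::with_default_mfa_provider().assume_role_params(&role) {
        Ok(params) => println!("would call AssumeRole with {params:?}"),
        Err(e) => eprintln!("cannot assume role: {e:?}"),
    }
}
```

Run interactively and the default provider prompts; run with stdin redirected and a role that has `mfa_serial` fails with `NoProvider` instead of blocking, which is the behaviour the "used by default when stdin is a tty" item is meant to guarantee. A custom provider plugged in through the setter is consulted only for roles that actually declare `mfa_serial`.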