awslabs / aws-shell

An integrated shell for working with the AWS CLI.
Apache License 2.0

MFA doesn't work as expected (fails or needs to be supplied every time) #105

Open benbridts opened 8 years ago

benbridts commented 8 years ago

I would like to use aws-shell, but we use roles with MFA authentication for all profiles. This breaks the commands that query AWS and makes other commands tedious to use.

My .aws/config file:

[profile root]
output = json
region = eu-west-1

[profile account]
source_profile = root
role_arn = arn:aws:iam::ACCOUNT_ID:role/admin_role
mfa_serial = arn:aws:iam::ROOT_ACCOUNT_ID:mfa/ben
output = json
region = eu-west-1

.aws/credentials has the credentials for the root profile.

What happens (1): MFA is asked twice

$ aws-shell --profile account
aws> elasticbeanstalk list-available-solution-stacks
Enter MFA Code:
{} // Output skipped
aws> elasticbeanstalk list-available-solution-stacks
Enter MFA Code:
{} // Output skipped

What I expect to happen (1): MFA is asked once

$ aws-shell --profile account
aws> elasticbeanstalk list-available-solution-stacks
Enter MFA Code:
{} // Output skipped
aws> elasticbeanstalk list-available-solution-stacks
{} // Output skipped

What happens (2): Querying fails:

aws> ec2 start-instances --instance-ids 
Enter MFA code:

Parameter validation failed:
Invalid length for parameter TokenCode, value: 0, valid range: 6-6

I think this may be okay if it wouldn't ask for MFA and wait with querying until you have authenticated.

What happens (3): Querying fails even after using MFA once

elasticbeanstalk list-available-solution-stacks
Enter MFA Code:
{} // Output skipped
aws> ec2 start-instances --instance-ids 
Enter MFA code:

Parameter validation failed:
Invalid length for parameter TokenCode, value: 0, valid range: 6-6

jamesls commented 8 years ago

I'm surprised that MFA is being asked twice when invoking multiple commands. That should be cached by the CLI.

For the second issue, because we're using boto3 to do server side completion which is separate from the CLI commands being run, I can see how we would ask for the MFA code twice. This is not ideal.

I'd like to improve this. Thanks for the feedback.
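
The two failure modes described in this thread (the completion session and the command each asking for a code, and an empty code being sent to STS and rejected with the TokenCode length error) both come down to where the role credentials and the prompt live. The following is an added example, not code from aws-shell or the AWS CLI: a single credential holder that every caller in a session shares, that validates the code locally before any network call, and that re-prompts only when the cached credentials are near expiry. The `assume_role` callable is injected so the example runs offline; the role ARN, MFA serial, session name and `fake_assume_role` response are constructed placeholders.

```python
"""Constructed example: one MFA prompt shared by every caller in a session.

A real deployment would pass ``boto3.client("sts").assume_role`` as the
``assume_role`` argument and ``lambda: input("Enter MFA Code: ")`` as the
prompt; here both are stand-ins so the code runs offline.
"""
import re
from datetime import datetime, timedelta, timezone

# STS rejects anything but exactly six digits ("valid range: 6-6"), so
# check it locally and fail with a readable message instead of a
# ParamValidationError from botocore.
TOKEN_CODE_RE = re.compile(r"^\d{6}$")


def is_valid_token_code(code):
    return bool(TOKEN_CODE_RE.match(code.strip()))


class MfaCodeError(ValueError):
    """Raised before any STS call when the entered code cannot be valid."""


class CachedMfaRoleCredentials:
    """Holds one set of assumed-role credentials for the whole session.

    Both the command runner and any completion helper should call ``get()``
    on the same instance; the user is then asked for a code once per
    credential lifetime rather than once per caller.
    """

    def __init__(self, role_arn, mfa_serial, prompt, assume_role,
                 now=None, refresh_margin=timedelta(minutes=5)):
        self.role_arn = role_arn
        self.mfa_serial = mfa_serial
        self._prompt = prompt            # callable returning the typed code
        self._assume_role = assume_role  # callable with sts.assume_role kwargs
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._margin = refresh_margin    # refresh a little before expiry
        self._cached = None              # dict with AccessKeyId, ..., Expiration
        self.prompt_count = 0            # how many times the user was asked

    def _still_valid(self):
        return (self._cached is not None
                and self._cached["Expiration"] - self._margin > self._now())

    def get(self):
        """Return cached credentials, prompting for MFA only when needed."""
        if self._still_valid():
            return self._cached
        code = self._prompt().strip()
        self.prompt_count += 1
        if not is_valid_token_code(code):
            raise MfaCodeError("MFA code must be exactly 6 digits")
        resp = self._assume_role(
            RoleArn=self.role_arn,
            RoleSessionName="aws-shell-example",  # hypothetical session name
            SerialNumber=self.mfa_serial,
            TokenCode=code,
        )
        self._cached = resp["Credentials"]
        return self._cached


def fake_assume_role(**kwargs):
    """Constructed stand-in for sts.assume_role: returns one-hour credentials."""
    return {"Credentials": {
        "AccessKeyId": "ASIAEXAMPLE",            # constructed value
        "SecretAccessKey": "example-secret",     # constructed value
        "SessionToken": "example-token",         # constructed value
        "Expiration": datetime.now(timezone.utc) + timedelta(hours=1),
    }}


def demo(codes):
    """Drive the cache with a scripted list of typed codes for three
    credential requests (command, completion, command), the pattern the
    shell produces, and return how many prompts the user saw."""
    typed = iter(codes)
    creds = CachedMfaRoleCredentials(
        role_arn="arn:aws:iam::123456789012:role/admin_role",  # constructed
        mfa_serial="arn:aws:iam::123456789012:mfa/ben",       # constructed
        prompt=lambda: next(typed),
        assume_role=fake_assume_role,
    )
    for _ in range(3):
        creds.get()
    return creds.prompt_count


if __name__ == "__main__":
    print("prompts for three requests:", demo(["123456"]))
```

The design point is that the cache is keyed on the credential lifetime, not on the caller: once the completion helper and the command runner share the instance, the second prompt in the original report disappears, and an empty or mistyped code is caught before it reaches STS.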

benbridts commented 8 years ago

It looks like there was something wrong with my AWS CLI.

After clearing .aws/cli/cache/ multiple commands work. I do not know how this got corrupted.

The second case still fails.

$ rm  .aws/cli/cache/*
$ aws-shell --profile account
aws> elasticbeanstalk describe-configuration-settings --application-name app --environment-name env
Enter MFA Code:
{} // output skipped
aws> elasticbeanstalk describe-configuration-settings --application-name app --environment-name env
{} // output skipped
aws> ec2 start-instances --instance-ids Enter MFA code: // hangs after supplying code, I have to hit enter twice
aws> ec2 start-instances --instance-ids

A client error (InvalidParameterCombination) occurred when calling the StartInstances operation: No instances specified
aws> elasticbeanstalk describe-configuration-settings --application-name app --environment-name env
{} // output skipped

Kind regards, Ben

rickjuryxero commented 7 years ago

Hi,

I think this bug, where you keep getting prompted repeatedly when using MFA, makes it unusable for sites like ours where we use MFA for all our accounts. Is there a way to toggle the server-side completion? If I could just toggle it off, that would be a workaround. I think that would be a good feature also for the use case where you have high latency to the AWS region. Say, if you are in Asia Pacific and using a US region (which we do!), latency is > 200 ms.

benbridts commented 7 years ago

Yes, disabling the completion would make aws-shell usable. At this point it's easier to not use it at all.

Kittzus commented 5 years ago

Is there any plan to resolve this? aws-shell is absolutely awesome, but this bug makes it almost useless for my day-to-day activities administering a multi-account environment where I'm constantly role switching and all roles have an MFA requirement.

If this isn't possible to solve, would it be plausible to have a toggle for the server-side autocomplete functionality, or perhaps auto-disable those calls to boto3 if the current profile is MFA protected?
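
The suggestion above, disabling the boto3 completion calls when the active profile is MFA-protected, needs a check that follows the `source_profile` chain, because the `mfa_serial` may sit on the role profile or on a profile it sources from. This is an added example, not aws-shell's or the AWS CLI's own code: it parses the config from the first post (embedded inline so the code runs offline) and walks the chain the way the CLI resolves assume-role profiles. The function names and the completion policy are assumptions made for the example.

```python
"""Constructed example: decide whether a profile needs MFA by walking the
source_profile chain in an AWS config file, then use that to gate
server-side completion.

The config text is the one from the issue, embedded inline; a real tool
would read AWS_CONFIG_FILE or ~/.aws/config instead.
"""
import configparser

SAMPLE_CONFIG = """\
[profile root]
output = json
region = eu-west-1

[profile account]
source_profile = root
role_arn = arn:aws:iam::ACCOUNT_ID:role/admin_role
mfa_serial = arn:aws:iam::ROOT_ACCOUNT_ID:mfa/ben
output = json
region = eu-west-1
"""


def load_profiles(text):
    """Parse AWS config text into {profile_name: {key: value}}.

    The CLI names sections "[profile x]" in the config file, except the
    default profile, whose section is just "[default]".
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    profiles = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(parser[section])
    return profiles


def requires_mfa(profiles, name, _seen=None):
    """True if `name` or any profile in its source_profile chain sets mfa_serial.

    Unknown profiles and source_profile cycles are reported as errors rather
    than silently treated as "no MFA", so a misconfiguration cannot turn the
    completion calls back on.
    """
    seen = _seen if _seen is not None else set()
    if name in seen:
        raise ValueError(f"source_profile cycle at {name!r}")
    if name not in profiles:
        raise KeyError(f"profile {name!r} not found")
    seen.add(name)
    profile = profiles[name]
    if "mfa_serial" in profile:
        return True
    source = profile.get("source_profile")
    return requires_mfa(profiles, source, seen) if source else False


def completion_enabled(profiles, name):
    """Assumed policy from the thread: skip boto3 server-side completion for
    profiles that would prompt for an MFA code."""
    return not requires_mfa(profiles, name)


if __name__ == "__main__":
    loaded = load_profiles(SAMPLE_CONFIG)
    for profile_name in loaded:
        print(profile_name, "completion enabled:", completion_enabled(loaded, profile_name))
```

The chain walk matters for the multi-account case described above: a profile that only sets `source_profile` and `role_arn` still inherits the MFA requirement from whichever ancestor carries the `mfa_serial`, so the check must look past the first hop.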