awslabs / aws-shell

An integrated shell for working with the AWS CLI.
Apache License 2.0
7.15k stars 770 forks

Can't authenticate with MFA #168

Closed alexconlin closed 6 years ago

alexconlin commented 7 years ago

I am using an authentication profile that requires an MFA token. When I open aws-shell and type kinesis get-shard-iterator --stream-name it prints Enter MFA code: in the command line but when I enter it nothing happens. If I then try to use the aws-shell it displays an exception and then runs really slowly and I have to quit it.

donnemartin commented 7 years ago

Hi @alexconlin, can you post the exception you get in the aws-shell?

Can you also try the same steps using the awscli and check if the problem exists there?

alexconlin commented 7 years ago

Hi, here's the exception:

usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help
aws: error: argument --stream-name: expected one argument

aws> Exception in thread Thread-63:
Traceback (most recent call last):
  File "/usr/local/Cellar/python3/3.5.1/Frameworks/Python.framework/Versions/3.5/lib/python3.5/threading.py", line 914, in _bootstrap_inner
    self.run()
  File "/usr/local/Cellar/python3/3.5.1/Frameworks/Python.framework/Versions/3.5/lib/python3.5/threading.py", line 862, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/local/lib/python3.5/site-packages/prompt_toolkit/interface.py", line 840, in run
    completions = list(buffer.completer.get_completions(document, complete_event))
  File "/usr/local/lib/python3.5/site-packages/awsshell/shellcomplete.py", line 135, in get_completions
    .retrieve_candidate_values(service, operation, param)
  File "/usr/local/lib/python3.5/site-packages/awsshell/resource/index.py", line 223, in retrieve_candidate_values
    client = self._client_creator.create_client(service)
  File "/usr/local/lib/python3.5/site-packages/awsshell/resource/index.py", line 149, in create_client
    client = self._session.create_client(service_name)
  File "/usr/local/lib/python3.5/site-packages/botocore/session.py", line 819, in create_client
    credentials = self.get_credentials()
  File "/usr/local/lib/python3.5/site-packages/botocore/session.py", line 443, in get_credentials
    'credential_provider').load_credentials()
  File "/usr/local/lib/python3.5/site-packages/botocore/credentials.py", line 1083, in load_credentials
    creds = provider.load()
  File "/usr/local/lib/python3.5/site-packages/botocore/credentials.py", line 796, in load
    return self._load_creds_via_assume_role()
  File "/usr/local/lib/python3.5/site-packages/botocore/credentials.py", line 815, in _load_creds_via_assume_role
    creds, response = self._retrieve_temp_credentials()
  File "/usr/local/lib/python3.5/site-packages/botocore/credentials.py", line 924, in _retrieve_temp_credentials
    response = client.assume_role(**assume_role_kwargs)
  File "/usr/local/lib/python3.5/site-packages/botocore/client.py", line 251, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.5/site-packages/botocore/client.py", line 537, in _make_api_call
    raise ClientError(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (ValidationError) when calling the AssumeRole operation: 2 validation errors detected: Value '�[200~587777�[201~' at 'tokenCode' failed to satisfy constraint: Member must satisfy regular expression pattern: [\d]*; Valu6

The problem doesn't exist in awscli.
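Added example, not part of the thread and not aws-shell or botocore code: a guard that cleans and validates an MFA code locally before it is sent to AssumeRole. It assumes the unprintable character before `[200~` and `[201~` in the traceback is ESC, i.e. terminal bracketed-paste markers; `clean_token_code`, `prompt_token_code` and `TokenCodeError` are hypothetical names.

```python
import re

# Bracketed-paste markers: a terminal in that mode wraps pasted text in
# ESC[200~ ... ESC[201~. The ESC byte is optional here so the form shown in
# the traceback (ESC rendered as U+FFFD, or dropped) is matched too.
PASTE_MARKER = re.compile(r"[\x1b\ufffd]?\[20[01]~")

# Digits only, per the pattern quoted in the ValidationError. The second
# validation error is cut off on the page, so no length rule is assumed.
TOKEN_CODE = re.compile(r"\d+")


class TokenCodeError(ValueError):
    """Raised when prompt input is not a usable MFA code."""


def clean_token_code(raw):
    """Strip paste markers and surrounding whitespace, then validate."""
    code = PASTE_MARKER.sub("", raw).strip()
    if not TOKEN_CODE.fullmatch(code):
        # Report only the length: the ClientError above echoed the code itself.
        raise TokenCodeError(
            "MFA code rejected locally (%d characters, digits expected)" % len(code)
        )
    return code


def prompt_token_code(prompter, prompt="Enter MFA code: ", attempts=3):
    """Call prompter (e.g. getpass.getpass) until a clean code is entered."""
    for _ in range(attempts):
        try:
            return clean_token_code(prompter(prompt))
        except TokenCodeError:
            continue
    raise TokenCodeError("no valid MFA code after %d attempts" % attempts)


if __name__ == "__main__":
    # Constructed input in the shape of the value from the traceback.
    answers = iter(["\x1b[200~12x456\x1b[201~", "\x1b[200~123456\x1b[201~"])
    print(prompt_token_code(lambda _prompt: next(answers)))
```

Rejecting the value locally keeps a malformed code from reaching STS and from being echoed back in an exception message or log.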

donnemartin commented 7 years ago

Thanks for the additional info Alex. This should be helpful when we get a chance to dig in further.

rickard-von-essen-iz commented 7 years ago

This did work much better for me when running from master b9975fa9f0bbb92309879f4417ec87ee23f03846 instead of using the 0.1.1 from Homebrew.

gene1wood commented 6 years ago

I've also encountered this with boto3, though I'm unclear on what's causing it. In adding debug lines to botocore, what I'm seeing is that if I print the contents of the token_code immediately after the prompter gathers it from the user, it is not the number typed in but instead a string containing high ASCII characters. I've confirmed that when this happens the prompter is getpass.unix_getpass. If I then go and try to reproduce this in the Python REPL in the same virtualenv, it works fine. I get this on an old version of botocore (1.5.16) and I think this works in current versions of botocore. It might relate to the relationship between the current boto3 and old botocore, as using this old botocore (with old boto3) previously did not cause this.

Anyhow, I'm just going to upgrade botocore and I think that will resolve this for me.

joguSD commented 6 years ago

@gene1wood Did updating botocore alleviate this issue for you? Seeing as the shell just delegates to the cli it's unlikely the issue is at the shell level.

gene1wood commented 6 years ago

@joguSD I've not seen it in newer versions of botocore but I've not been trying to reproduce it so I don't know.

joguSD commented 6 years ago

@gene1wood Thanks for the update. I'll leave this open here for a little while longer and see if any others have this issue.