Open asaunders-allyDVM opened 5 years ago
Maybe I am doing something incorrectly here, however I cannot get an echo of the password to work with STDIN and MFA.
I also don't know how to add the BUG and HELP WANTED Labels.
I wouldn't expect that the STDIN redirection will work with the MFA as that value will need to change for every invocation.
If you don't want to enter the password have a look at the -k option that will store the password in a local secure store so all you have to enter is the MFA token.
I'm not sure if this is a BUG as the error is stating the truth - there is no data available on STDIN for the MFA token read.
I am not trying to fill the MFA token with STDIN, I’m trying to fill the password and then get prompted for the MFA token. But something on the MFA portion of the code is broken when you use the STDIN functionality.
The solution I use (replace the 0's with the ID of your lastpass entry),
~/bin/start-aws
#!/usr/bin/expect -f
set pw [exec lpass show --password 000000000]
spawn aws-google-auth --save-failure-html
expect "Google Password:"
send "$pw\r"
expect "MFA token:"
interact
Improved Script Above ^^^, if you have multiple IAM roles to choose from. The script also supports user input durations.
#!/usr/bin/expect -f
proc duration { {d 3600} } {
    variable ::dur $d
}
duration {*}$argv
set test 0
set timeout 2
proc login {} {
    set pw [exec lpass show --password "XXXXXXXXX"]
    expect "Google Password:" { send "$pw\r" }
    expect "MFA token:" { interact }
}
spawn aws-google-auth --save-failure-html -a -d $dur
expect {
    "\[ \1\] *" { interact
        set test 1 }
}
if { $test == 0 } { login }
The same happens with SMS 2FA authentication
pass user.name@acme.com | aws-google-auth -u user.name@acme.com
Google Password:
Enter SMS token: G-ERROR:root:EOF when reading a line
Traceback (most recent call last):
  File "/home/vagrant/ansibleenv/ansible287/lib/python3.6/site-packages/aws_google_auth/__init__.py", line 73, in cli
    process_auth(args, config)
  File "/home/vagrant/ansibleenv/ansible287/lib/python3.6/site-packages/aws_google_auth/__init__.py", line 218, in process_auth
    google_client.do_login()
  File "/home/vagrant/ansibleenv/ansible287/lib/python3.6/site-packages/aws_google_auth/google.py", line 300, in do_login
    sess = self.handle_sms(sess)
  File "/home/vagrant/ansibleenv/ansible287/lib/python3.6/site-packages/aws_google_auth/google.py", line 496, in handle_sms
    sms_token = input("Enter SMS token: G-") or None
EOFError: EOF when reading a line
As a workaround I am using the built-in --keyring option, but reading a password from stdin and recognizing 2FA wait for input would be my preference.
The only MFA option I have configured is U2F, so is there any provision for me to default to a particular MFA method?
Running
lpass show --password Google
returns just the password as a string of characters.
Running
aws-google-auth --no-cache
allows me to type in my password and then MFA token.
Running
lpass show --password Google | aws-google-auth --no-cache
results in the errors below.
Running the command with the --save-failure-html option does not generate HTML pages that I have been able to locate.
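An added example, not code from aws-google-auth or from any poster in this thread: the traceback in this thread shows input() hitting EOF because the piped password has already drained stdin by the time the token prompt runs. The sketch below reproduces that failure and shows one way a CLI can take the password from the pipe while reading the one-time token from the controlling terminal, as getpass does; all function names and the tty_opener parameter are assumptions for illustration.

```python
import io
import os


def open_tty():
    """Open the controlling terminal the way getpass does (POSIX only)."""
    fd = os.open("/dev/tty", os.O_RDWR | os.O_NOCTTY)
    return io.TextIOWrapper(io.FileIO(fd, "w+"))


def read_line(stream, what):
    """Read one line; an empty read means EOF, as in the traceback."""
    line = stream.readline()
    if not line:
        raise EOFError(f"EOF when reading {what}")
    return line.rstrip("\r\n")


def naive_inputs(stdin):
    """Failing pattern: password and MFA token both come from stdin."""
    password = read_line(stdin, "password")
    token = read_line(stdin, "MFA token")  # the pipe is already drained here
    return password, token


def piped_inputs(stdin, tty_opener=open_tty):
    """Password from stdin (pipe or keyboard), MFA token from the terminal.

    tty_opener is a hypothetical injection point so the logic can be
    exercised without a real terminal attached.
    """
    password = read_line(stdin, "password")
    try:
        tty = tty_opener()
    except OSError as exc:
        # No terminal (cron, CI): fail clearly instead of a bare EOFError.
        raise RuntimeError("MFA token required but no terminal attached") from exc
    with tty:
        tty.write("MFA token: ")
        tty.flush()
        token = read_line(tty, "MFA token").strip()
    return password, token
```
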