Closed axelforsberg closed 6 years ago
Would you like to give this a shot? I don't have a way to test for this case, so I can't really fix it, but here is a rough idea where the fix should go:
I reckon the role should be assumed somewhere after the profile setting line, in a similar fashion: https://github.com/claudiajs/claudia/blob/393c8ed98ad14df8d7ae578ca84c234c9b46b23f/bin/cmd.js#L50
based on this example, the code should be something like:
if (args['sts-role-arn'] && args['mfa-serial'] && args['mfa-token']) {
  // assume the role with the supplied MFA token; this replaces the credentials loaded from the profile
  AWS.config.credentials = new AWS.TemporaryCredentials({
    RoleArn: args['sts-role-arn'],
    SerialNumber: args['mfa-serial'],
    TokenCode: args['mfa-token']
  });
}
you should then be able to supply the options as --sts-role-arn <ROLE ARN> --mfa-serial <SERIAL> --mfa-token <TOKEN> from the command line
It's a bit worrying that there's also an outstanding issue in the aws-js-sdk complaining about STS not being supported (https://github.com/aws/aws-sdk-js/issues/1543), so this might not work, but if you make it work, please submit a pull request and I'll merge it.
alternatively, there are several ways to assume a role from the console before executing the claudia command, which will set up the env variables with your temporary credentials. (eg, check out https://www.npmjs.com/package/assume-aws-role)
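A dependency-free sketch of the profile-chain resolution (role_arn, source_profile, mfa_serial) that the SDK's SharedIniFileCredentials was not doing for this setup, added here as an example and not claudia's or the AWS SDK's code; the profile names, ARNs and key values are constructed placeholders, and the returned params object is what would be handed to sts.assumeRole or AWS.TemporaryCredentials:

```javascript
// Added example, not claudia's or the AWS SDK's code: resolve a shared-config profile
// chain (role_arn -> source_profile, plus mfa_serial) the way the AWS CLI does, then
// build the sts:AssumeRole parameters that AWS.TemporaryCredentials needs.
// SAMPLE_INI is constructed to mirror the [MasterAccount]/[SubAccount] layout in the issue.
const SAMPLE_INI = [
  '[MasterAccount]', 'aws_access_key_id = AKIAEXAMPLEMASTER', 'aws_secret_access_key = EXAMPLESECRET',
  '[SubAccount]', 'role_arn = arn:aws:iam::111111111111:role/Deployer',
  'source_profile = MasterAccount', 'mfa_serial = arn:aws:iam::222222222222:mfa/axel',
].join('\n');
// Minimal INI parser: "[name]" or "[profile name]" headers, "key = value" bodies.
function parseIni(text) {
  const profiles = {};
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line[0] === '#' || line[0] === ';') continue;
    const header = line.match(/^\[\s*(?:profile\s+)?([^\]]+?)\s*\]$/);
    if (header) { current = profiles[header[1]] = profiles[header[1]] || {}; continue; }
    const kv = line.match(/^([^=\s]+)\s*=\s*(.*)$/);
    if (kv && current) current[kv[1]] = kv[2];
  }
  return profiles;
}
// Follow source_profile until a profile with static keys is found; refuse cycles.
function resolveProfile(profiles, name, seen = new Set()) {
  const p = profiles[name];
  if (!p || seen.has(name)) throw new Error(`profile "${name}" missing or part of a source_profile cycle`);
  seen.add(name);
  if (!p.role_arn) {
    if (!p.aws_access_key_id || !p.aws_secret_access_key) throw new Error(`profile "${name}" has no keys`);
    return { accessKeyId: p.aws_access_key_id, secretAccessKey: p.aws_secret_access_key, roleChain: [] };
  }
  if (!p.source_profile) throw new Error(`profile "${name}" has role_arn but no source_profile`);
  const base = resolveProfile(profiles, p.source_profile, seen);
  const hop = { RoleArn: p.role_arn, RoleSessionName: `claudia-${name}`, SerialNumber: p.mfa_serial || null };
  return { ...base, roleChain: [...base.roleChain, hop] };
}
// Parameters for sts.assumeRole / new AWS.TemporaryCredentials for the last hop. Calling STS
// without a TokenCode on an MFA-protected role yields the AccessDenied nested in the issue's
// trace, so an MFA role without a 6-digit token is rejected before any network call.
function assumeRoleParams(resolved, tokenCode) {
  const hop = resolved.roleChain[resolved.roleChain.length - 1];
  if (!hop) throw new Error('profile does not assume a role');
  const params = { RoleArn: hop.RoleArn, RoleSessionName: hop.RoleSessionName };
  if (hop.SerialNumber) {
    if (!/^\d{6}$/.test(tokenCode || '')) throw new Error(`MFA token required for ${hop.SerialNumber}`);
    Object.assign(params, { SerialNumber: hop.SerialNumber, TokenCode: tokenCode });
  }
  return params;
}
```

The token itself still has to come from the user (a prompt or the --mfa-token option discussed above); this only decides whether one is needed and which serial it belongs to.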
I will try to make it work based on your code. Thanks!
Regarding the alternative way: the assume-aws-role package did not work as expected but complained about missing credentials. I guess the package depends on setting the master account as the default credentials (which I don't want to :)). But I found another one: https://github.com/remind101/assume-role which worked with the same roles I already set up for git/codecommit. Here I can run (on a Windows machine): assume-role SubAccount | Invoke-Expression claudia update --config subacc.claudia.json and then switch account/deploy target effortlessly with: assume-role SubAccount2 | Invoke-Expression claudia update --config anotheracc.claudia.json
This "workaround" is definitely good enough for me, but I will try to see if I can replicate what assume-aws-role does directly in claudia/bin/cmd.js based on your code and the AWS SDK.
Thanks. I'll close this issue for now then. If you end up fixing the code, please submit a pull request.
When trying to create/update a lambda function with claudia.js using an assumed role and with MFA enabled, it fails.
Example config for the accounts:
[MasterAccount]
aws_access_key_id = [ACCESS_KEY_ID]
aws_secret_access_key = [SECRET_ACCESS_KEY]
[SubAccount]
role_arn = arn:aws:iam::[SUB_ACCOUNT_ID]:role/[ROLE_NAME]
source_profile = MasterAccount
mfa_serial = arn:aws:iam::[MASTER_ACCOUNT_ID]:mfa/[LOGIN_NAME]
This setup works perfectly for AWS CLI and GIT interaction with CodeCommit.
Expected behaviour: You should be prompted to enter an MFA code and then the lambda code should be updated.
What actually happens: Error message (shortened and anonymized):
λ claudia update --profile SubAccount --config dev.claudia.json
loading Lambda config
lambda.setupRequestListeners
{ CredentialsError: Missing credentials in config
at Request.extractError (...\npm\node_modules\claudia\node_modules\aws-sdk\lib\protocol\query.js:47:29)
at Request.callListeners (...\npm\node_modules\claudia\node_modules\aws-sdk\lib\sequential_executor.js:105:20)
at Request.emit (...\npm\node_modules\claudia\node_modules\aws-sdk\lib\sequential_executor.js:77:10)
at Request.emit (...\npm\node_modules\claudia\node_modules\aws-sdk\lib\request.js:683:14)
at Request.transition (...\npm\node_modules\claudia\node_modules\aws-sdk\lib\request.js:22:10)
at AcceptorStateMachine.runTo (...\npm\node_modules\claudia\node_modules\aws-sdk\lib\state_machine.js:14:12)
at ...\npm\node_modules\claudia\node_modules\aws-sdk\lib\state_machine.js:26:10
at Request. (...\npm\node_modules\claudia\node_modules\aws-sdk\lib\request.js:38:9)
at Request. (...\npm\node_modules\claudia\node_modules\aws-sdk\lib\request.js:685:12)
at Request.callListeners (...\npm\node_modules\claudia\node_modules\aws-sdk\lib\sequential_executor.js:115:18)
message: 'Missing credentials in config',
code: 'CredentialsError'
...
originalError:
{ message: 'Could not load credentials from SharedIniFileCredentials',
code: 'CredentialsError',
...
originalError:
{ message: 'User: arn:aws:iam::[MASTER_ACCOUNT_ID]:user/[USER_NAME] is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::[SUB_ACCOUNT_ID]:role/[ROLE_NAME]',
code: 'AccessDenied',
...
}
}
}
Steps to reproduce the problem: Set up a user with MFA that assumes a role in another account, configure your credentials, and then try to create a lambda function with claudia.js using that account's credentials.