gojko
commented
6 years ago Would you like to give this a shot? I don't have a way to test for this case, so I can't really fix it, but here is a rough idea where the fix should go:
-
I reckon the role should be assumed somewhere after the profile setting line, in a similar fashion: https://github.com/claudiajs/claudia/blob/393c8ed98ad14df8d7ae578ca84c234c9b46b23f/bin/cmd.js#L50
-
based on this example, the code should be something like:
if (args['sts-role-arn'] && args['mfa-serial'] && args['mfa-token']) { AWS.config.credentials = new AWS.TemporaryCredentials({ RoleArn: args['sts-role-arn'], SerialNumber: args['mfa-serial'], TokenCode: args['mfa-token'] }); -
you should then be able to supply the options as
--sts-role-arn <ROLE ARN> --mfa-serial <SERIAL> --mfa-token <TOKEN>from the command line
It's a bit worrying that there's also an outstanding issue in the aws-js-sdk complaining about STS not being supported (https://github.com/aws/aws-sdk-js/issues/1543), so this might not work, but if you make it work, please submit a pull request and I'll merge it.
alternatively, there are several ways to assume a role from the console before executing the claudia command, which will set up the env variables with your temporary credentials. (eg, check out https://www.npmjs.com/package/assume-aws-role)
axelforsberg
When trying to create/update a lambda function with claudia.js using a assumed role and with MFA enabled it fails.
Example config for the accounts: [MasterAccount] aws_access_key_id = [ACCESS_KEY_ID] aws_secret_access_key = [SECRET_ACCESS_KEY]
[SubAccount] role_arn = arn:aws:iam::[SUB_ACCOUNT_ID]:role/[ROLE_NAME] source_profile = MasterAccount mfa_serial = arn:aws:iam::[MASTER_ACCOUNT_ID]:mfa/[LOGIN_NAME]
This setup works perfectly for AWS CLI and GIT interaction with CodeCommit.
Expected behaviour: You should be prompted to enter a MFA code and then the lambda code should be updated.
What actually happens: Error Message (Shorted and anonymized): λ claudia update --profile SubAccount --config dev.claudia.json loading Lambda config lambda.setupRequestListeners { CredentialsError: Missing credentials in config at Request.extractError (...\npm\node_modules\claudia\node_modules\aws-sdk\lib\protocol\query.js:47:29) at Request.callListeners (...\npm\node_modules\claudia\node_modules\aws-sdk\lib\sequential_executor.js:105:20) at Request.emit (...\npm\node_modules\claudia\node_modules\aws-sdk\lib\sequential_executor.js:77:10) at Request.emit (...\npm\node_modules\claudia\node_modules\aws-sdk\lib\request.js:683:14) at Request.transition (...\npm\node_modules\claudia\node_modules\aws-sdk\lib\request.js:22:10) at AcceptorStateMachine.runTo (...\npm\node_modules\claudia\node_modules\aws-sdk\lib\state_machine.js:14:12) at ...\npm\node_modules\claudia\node_modules\aws-sdk\lib\state_machine.js:26:10 at Request. (...\npm\node_modules\claudia\node_modules\aws-sdk\lib\request.js:38:9)
at Request. (...\npm\node_modules\claudia\node_modules\aws-sdk\lib\request.js:685:12)
at Request.callListeners (...\npm\node_modules\claudia\node_modules\aws-sdk\lib\sequential_executor.js:115:18)
message: 'Missing credentials in config',
code: 'CredentialsError'
...
originalError:
{ message: 'Could not load credentials from SharedIniFileCredentials',
code: 'CredentialsError',
...
originalError:
{ message: 'User: arn:aws:iam::[MASTER_ACCOUNT_ID]:user/[USER_NAME] is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::[SUB_ACCOUNT_ID]:role/[ROLE_NAME]',
code: 'AccessDenied',
...
}
}
}
Steps to reproduce the problem: Setup a user with MFA that assumes a role in another account, config your credentials and then try to create a lambda function with claudia.js with that accounts credentials.