Closed chrnorm closed 1 year ago
This would be useful for our organization. Since we require MFA for most operations, we need to be prompted for MFA to get usable STS credentials. We do get prompted for MFA using Granted when assuming a role, but do not get prompted for MFA for the profile entry associated with the IAM user account.
In addition to this, another difference between Granted and aws-vault is that Granted does not retrieve STS credentials when a base profile uses MFA.
My setup was:

```ini
# ~/.aws/config
[profile edge-prod]
region = us-west-2
mfa_serial = arn:aws:iam::616777145260:mfa/test-granted-mfa

# ~/.aws/credentials
[edge-prod]
aws_access_key_id = AKIAXXXXXX
aws_secret_access_key = XXXXXXXX
```
and when running `assume edge-prod` I am not prompted for any MFA and the resulting AWS session uses IAM credentials, not a temporary STS session.

I believe the behaviour here differs between Granted and aws-vault and is something we should look to remediate. Taking a look at aws-vault's readme, when running `aws-vault exec edge-prod` the CLI calls STS to obtain temporary credentials (which will cause an MFA prompt), whereas in Granted we just use the IAM credentials.
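The STS behaviour described in the comment above, as an added example that is not code from Granted or aws-vault: a small Python helper that reads a profile layout like the one quoted (the config text is constructed inline), decides whether a base profile with `mfa_serial` needs `sts:GetSessionToken` or a role profile chained to it needs `sts:AssumeRole`, attaches the `SerialNumber`/`TokenCode` MFA parameters, and classifies the credentials a tool exports as long-term IAM keys or a temporary STS session by the documented access key ID prefixes (`AKIA` long-term, `ASIA` temporary). The profile names other than `edge-prod`, the account ID and the ARNs are made up.

```python
"""Added example: plan the STS call an MFA-protected AWS profile needs, and
check whether exported credentials are long-term keys or a temporary session.
Not Granted's or aws-vault's own code; profile names and ARNs are constructed."""
import configparser
import re
from typing import Optional

# Constructed ~/.aws/config covering the layouts discussed in the thread: a base
# profile with mfa_serial, a role profile chained to it via source_profile, a
# profile that sources its keys from a credential_process, and one without MFA.
SAMPLE_CONFIG = """
[profile edge-prod]
region = us-west-2
mfa_serial = arn:aws:iam::111111111111:mfa/test-granted-mfa

[profile edge-admin]
role_arn = arn:aws:iam::111111111111:role/admin
source_profile = edge-prod

[profile aws-dev]
credential_process = granted credential-process --profile=aws-dev
mfa_serial = arn:aws:iam::111111111111:mfa/dev-device
region = us-east-1

[profile no-mfa]
region = eu-west-1
"""


def load_profiles(text: str) -> dict:
    """Parse AWS CLI config text into {profile_name: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    profiles = {}
    for section in cp.sections():
        # The config file prefixes every non-default profile with "profile ".
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(cp[section])
    return profiles


def validate_token_code(token: str) -> str:
    """STS TokenCode is exactly six digits; reject anything else before calling."""
    if not re.fullmatch(r"\d{6}", token):
        raise ValueError("MFA token code must be exactly six digits")
    return token


def plan_sts_call(profiles: dict, name: str, token_code: Optional[str] = None) -> dict:
    """Return which STS API a client should call for `name`, with its parameters.

    A role profile uses AssumeRole (with SerialNumber when either it or its
    source profile sets mfa_serial); a base profile with mfa_serial uses
    GetSessionToken so the resulting credentials are an MFA-authenticated
    temporary session rather than the raw IAM user keys. TokenCode is only
    attached once the caller has prompted for it; mfa_required tells the caller
    that a prompt is needed.
    """
    p = profiles[name]
    if "role_arn" in p:
        source = profiles.get(p.get("source_profile", ""), {})
        serial = p.get("mfa_serial") or source.get("mfa_serial")
        params = {"RoleArn": p["role_arn"], "RoleSessionName": f"{name}-session"}
        if serial:
            params["SerialNumber"] = serial
            if token_code is not None:
                params["TokenCode"] = validate_token_code(token_code)
        return {"api": "AssumeRole", "params": params, "mfa_required": bool(serial)}

    serial = p.get("mfa_serial")
    if serial:
        params = {"SerialNumber": serial, "DurationSeconds": 3600}
        if token_code is not None:
            params["TokenCode"] = validate_token_code(token_code)
        return {"api": "GetSessionToken", "params": params, "mfa_required": True}

    # No MFA and no role: the long-term keys are used directly.
    return {"api": None, "params": {}, "mfa_required": False}


def classify_credentials(env: dict) -> str:
    """Classify credentials exported into a shell: AWS access key IDs that start
    with ASIA (and come with a session token) are temporary STS credentials,
    AKIA keys are long-term IAM user keys."""
    key = env.get("AWS_ACCESS_KEY_ID", "")
    if key.startswith("ASIA") and env.get("AWS_SESSION_TOKEN"):
        return "temporary-sts"
    if key.startswith("AKIA"):
        return "long-term-iam"
    return "unknown"


if __name__ == "__main__":
    profiles = load_profiles(SAMPLE_CONFIG)
    for profile in profiles:
        print(profile, plan_sts_call(profiles, profile, token_code="123456"))
    # Constructed environment as a tool might export it; the key is a fake value.
    print(classify_credentials({"AWS_ACCESS_KEY_ID": "AKIAEXAMPLEKEY0000"}))
```

The `classify_credentials` check is the quick way to confirm what a wrapper actually put in the shell after `assume`: if `AWS_ACCESS_KEY_ID` still starts with `AKIA` and no `AWS_SESSION_TOKEN` is set, the session is running on the IAM user's long-term keys and no MFA-bound STS call took place.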
@chrnorm @shwethaumashanker I noticed this issue was closed, so I just tested the use case of a profile tied to an account with IAM credentials but not assuming a role (uses base IAM user perms). When I run `assume edge-prod`, I get the response `session credentials ready` but am not prompted for my MFA code. I also noticed that this command takes my long term keys stored in Keychain via `granted credentials add` and adds them as env vars in my shell.

Using Granted to assume a role via other profiles that use `edge-prod` as my `source_profile` prompts for my MFA code and works as expected. Can you reproduce?
I can also confirm that it no longer prompts for the MFA when trying to assume a profile that is set as follows (using granted v0.17.1).

```ini
[profile aws-dev]
credential_process = granted credential-process --profile=aws-dev
mfa_serial = arn:aws:iam::<account_id>:mfa/<device_id>
region = us-east-1
```
Tried directly passing the token using the `--mfa-token` flag as well, but it's the same message: `session credentials ready`. However, subsequent AWS requests are unauthorized because IAM can't determine if it is an MFA session.
I'm not sure when this behaviour changed, but this setup used to work fine in v0.14.x.
Hi, I can confirm that this is an issue still present in 0.20.0. We use classic IAM + role assumption. If we keep the credentials in their plaintext form, i.e. not using the `credential_process = granted credential-process --profile=base` line granted adds after an import, then MFA works splendidly. Once we add the credentials to the keyring and this line appears in `~/.aws/config`, it no longer asks for the MFA even if the session expires.

Tried `granted cache clear` with the session; this does not help. Removing the cached credentials removes the whole keyring, therefore leaving granted in an inoperable state (empty `~/.aws/credentials` file).
I'll submit this as a new issue as well.
This will allow prompting for MFA. As an example, `aws-vault` supports osascript for this use case: https://github.com/99designs/aws-vault/blob/master/prompt/osascript.go