common-fate / granted

The easiest way to access your cloud.
https://granted.dev
MIT License

MFA with chained roles with IAM credentials #562

Open shwethaumashanker opened 7 months ago

shwethaumashanker commented 7 months ago

MFA with chained roles with IAM credentials does not work as expected. Set up to reproduce the error:

```ini
[profile testing]
role_arn       = arn:aws:iam::616777145260:role/example-role
region         = us-west-2
source_profile = testmfa2

[profile testmfa2]
region             = us-west-2
mfa_serial         = arn:aws:iam::616777145260:mfa/Duo-shwetha
credential_process = granted credential-process --profile=testmfa2
```

```
❯ assume testing
[✘] operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: ec58cdde-7f57-4dcf-b466-b6990cec9c9d, api error InvalidClientTokenId: The security token included in the request is invalid.
```

It does not correctly recognize that it has to prompt for MFA.

jim-weller commented 5 months ago

I think you have your config reversed. It works for me with:

```ini
[profile lxk-iam]
region             = us-east-1
credential_process = granted credential-process --profile=lxk-iam

[profile lxk-sandbox]
role_arn       = arn:aws:iam::000000000000:role/@Global_Administrator
source_profile = lxk-iam
region         = us-east-1
mfa_serial     = arn:aws:iam::111111111111:mfa/mfa-cli
```

```
❯ assume lxk-sandbox
? MFA Token
```
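The two configs in this thread differ in which profile carries `mfa_serial`: the source profile in the first comment, the role profile in the second. The script below is an added example, not part of the thread and not code from granted, that reports this placement for every role profile in an AWS config file. The function names and the sample ARNs are assumptions, and it only reports placement without modelling how granted resolves MFA.

```python
import configparser

# Constructed sample: the two layouts compared in this thread, with placeholder ARNs.
SAMPLE = """
[profile testing]
role_arn       = arn:aws:iam::000000000000:role/example-role
source_profile = testmfa2

[profile testmfa2]
mfa_serial         = arn:aws:iam::000000000000:mfa/example-device
credential_process = granted credential-process --profile=testmfa2

[profile lxk-iam]
credential_process = granted credential-process --profile=lxk-iam

[profile lxk-sandbox]
role_arn       = arn:aws:iam::000000000000:role/example-role
source_profile = lxk-iam
mfa_serial     = arn:aws:iam::000000000000:mfa/example-device
"""

def load_profiles(text):
    cp = configparser.RawConfigParser(delimiters=("=",))  # ARNs contain ':'
    cp.read_string(text)
    # "[profile x]" and "[default]" both map to a bare profile name
    return {s.removeprefix("profile ").strip(): dict(cp[s]) for s in cp.sections()}

def mfa_placement(profiles, name):
    """Classify where mfa_serial sits for a role profile and its source chain."""
    prof = profiles[name]
    if "role_arn" not in prof:
        return "not-a-role-profile"
    if "mfa_serial" in prof:
        return "mfa-on-role-profile"
    seen, src = {name}, prof.get("source_profile")
    while src and src in profiles and src not in seen:  # guard against loops
        seen.add(src)
        if "mfa_serial" in profiles[src]:
            return "mfa-on-source-profile:" + src
        src = profiles[src].get("source_profile")
    return "no-mfa-configured"

def lint(text):
    profiles = load_profiles(text)
    return {n: mfa_placement(profiles, n) for n in profiles if "role_arn" in profiles[n]}

if __name__ == "__main__":
    for name, verdict in lint(SAMPLE).items():
        print(f"{name}: {verdict}")
```

To check a real file, pass the contents of `~/.aws/config` to `lint()` instead of `SAMPLE`.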