eksctl-io / eksctl

The official CLI for Amazon EKS
https://eksctl.io

AWS SDK writes mfa token challenge to STDOUT #7844

Open christian-elsee opened 1 week ago

christian-elsee commented 1 week ago

Hi, I am executing eksctl within the context of an assumed role.

$ AWS_PROFILE=AdministratorAccessRole aws sts get-caller-identity \
  | sed -E 's/[0-9]/1/g' \
  | jq -re '.UserId="FUBAR"'
{
  "UserId": "FUBAR",
  "Account": "111111111111",
  "Arn": "arn:aws:sts::111111111111:assumed-role/AdministratorAccessRole/cli"
}

The role obviously requires an MFA challenge for any operation that is not an sts get-caller-identity.

$ AWS_PROFILE=AdministratorAccessRole aws iam get-user --user-name christian \
  | jq -re 'true'
Enter MFA code for arn:aws:iam::123456789:mfa/Christian: 
true
~/Develop/github.com/christian-elsee/eks $ echo $?
0

When executing eksctl with an AWS_PROFILE that requires an MFA challenge, the challenge text is written to STDOUT. I am assuming it's supposed to write to /dev/tty, but that's purely speculation.

$ AWS_PROFILE=AdministratorAccessRole dist/bin/eksctl create cluster \
  -f dist/cluster.yaml \
  --dry-run \
| tee dist/plan.yaml
Assume Role MFA token code: 592187
accessConfig:
  authenticationMode: API_AND_CONFIG_MAP
...

Looking at the first two lines from dist/plan.yaml, we see the challenge text.

<dist/plan.yaml sed -n 1,2p
Assume Role MFA token code: accessConfig:
  authenticationMode: API_AND_CONFIG_MAP

Not a big deal, but you know, annoying. I like to use the payload generated from a create cluster --dry-run as a terraformish plan. Cheers
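
An added example, not part of the original post and not code from eksctl or the AWS SDK: a token prompt in Go that writes the challenge text to /dev/tty (falling back to stderr without a terminal), so a piped `--dry-run` payload stays clean. `readToken`, `dryRun` and the sample payload constant are hypothetical names constructed for illustration; the prompt text and YAML lines are the ones quoted in the report.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

const mfaPrompt = "Assume Role MFA token code: "                            // prompt text from the report
const samplePlan = "accessConfig:\n  authenticationMode: API_AND_CONFIG_MAP\n" // payload lines from the report

// readToken (hypothetical helper) writes the prompt to promptOut, never to
// stdout, and reads one line from in. Empty input is rejected.
func readToken(promptOut io.Writer, in io.Reader) (string, error) {
	if _, err := io.WriteString(promptOut, mfaPrompt); err != nil {
		return "", err
	}
	line, err := bufio.NewReader(in).ReadString('\n')
	if err != nil && !(errors.Is(err, io.EOF) && line != "") {
		return "", fmt.Errorf("reading MFA token: %w", err)
	}
	if line = strings.TrimSpace(line); line == "" {
		return "", errors.New("empty MFA token")
	}
	return line, nil
}

// dryRun stands in for a command that needs a token, then prints a payload.
func dryRun(stdout, promptOut io.Writer, in io.Reader) error {
	if _, err := readToken(promptOut, in); err != nil {
		return err
	}
	_, err := io.WriteString(stdout, samplePlan)
	return err
}

func main() {
	// Prefer the controlling terminal; fall back to stderr/stdin without one.
	var promptOut, in = io.Writer(os.Stderr), io.Reader(os.Stdin)
	if tty, err := os.OpenFile("/dev/tty", os.O_RDWR, 0); err == nil {
		defer tty.Close()
		promptOut, in = tty, tty
	}
	if err := dryRun(os.Stdout, promptOut, in); err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
}
```

Piping this program through `tee` captures only the payload lines, because the prompt never touches file descriptor 1.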

github-actions[bot] commented 1 week ago

Hello christian-elsee :wave: Thank you for opening an issue in the eksctl project. The team will review the issue and aim to respond within 1-5 business days. Meanwhile, please read about the Contribution and Code of Conduct guidelines here. You can find out more information about eksctl on our website.