search

gjbae1212 / gossm

đź’»Interactive CLI tool that you can connect to ec2 using commands same as start-session, ssh in AWS SSM Session Manager
MIT License
423 stars 51 forks source link

Add AssumeRoleTokenProvider opt to session for MFA support #20

Closed tedsmitt closed 3 years ago

tedsmitt commented 3 years ago

Requested in https://github.com/gjbae1212/gossm/issues/19

Test output

=== RUN   TestCmd
--- PASS: TestCmd (0.00s)
=== RUN   TestScpInit
--- PASS: TestScpInit (0.00s)
=== RUN   TestScp
--- PASS: TestScp (0.00s)
=== RUN   TestSessionInit
--- PASS: TestSessionInit (0.00s)
=== RUN   TestSshInit
--- PASS: TestSshInit (0.00s)
=== RUN   TestCallProcess
hello
--- PASS: TestCallProcess (0.00s)
=== RUN   TestPrintReady
[hello] profile: , region: ap-northeast-2, target: 
--- PASS: TestPrintReady (0.00s)
=== RUN   TestFindInstanceId
--- PASS: TestFindInstanceId (0.78s)
=== RUN   TestExecute
gossm is interactive CLI tool that you select server in AWS and then could connect or send files your AWS server using start-session, ssh, scp in AWS Systems Manger Session Manager.

Usage:
  gossm [command]

Available Commands:
  cmd         Exec `run command` under AWS SSM with interactive CLI
  help        Help about any command
  scp         Exec `scp` under AWS SSM with interactive CLI
  ssh         Exec `ssh` under AWS SSM with interactive CLI
  start       Exec `start-session` under AWS SSM with interactive CLI

Flags:
  -c, --cred string      aws credentials file (default is $HOME/.aws/.credentials)
  -h, --help             help for gossm
  -p, --profile string   
                         [optional] if you are having multiple aws profiles, it is one of profiles (default is AWS_PROFILE environment variable or default)
  -r, --region string    [optional] it is region in AWS that would like to do something
  -t, --target string    [optional] it is instanceId of server in AWS that would like to something
  -v, --version          version for gossm

Use "gossm [command] --help" for more information about a command.
--- PASS: TestExecute (0.00s)
=== RUN   TestMakeSession
--- PASS: TestMakeSession (0.01s)
PASS
ok      github.com/gjbae1212/gossm/cmd  1.863s

As per the docs https://docs.aws.amazon.com/sdk-for-go/api/aws/session/

The SDK supports assuming a role with MFA token. If "mfa_serial" is set, you must also set the Session Option.AssumeRoleTokenProvider. The Session will fail to load if the AssumeRoleTokenProvider is not specified.

This will not impact profiles that do not have mfa_serial_arn set. From https://aws.amazon.com/blogs/developer/assume-aws-iam-roles-with-mfa-using-the-aws-sdk-for-go/

There’s no harm in always setting the AssumeRoleTokenProvider session for applications that will always be run by a person. The field is only used if the shared configuration’s profile has a role to assume, and then sets the mfa_serial field. Otherwise, the option is ignored.

I have tested this successfully on: