Open lucagrulla opened 5 years ago
The Python tool aws-mfa takes a profile called 'default-long-term' and then stores all necessary 2FA credentials in the 'default' profile in ~/.aws/credentials. It would be great if this 2FA approach was compatible with cw!
MFA is used in conjunction with Assume Role or Get STS Session Token, both of which can be implemented here.
I would like to build this feature; I'm learning Go and have been an AWS user for quite a while now.
@lucagrulla I have added 2FA support and tested it with a role that has 2FA enabled. I can raise a PR if you like.
Yes please! A PR and some wording about your approach to this would be great!
Thanks a lot for the help!
Note: sorry, I didn't see the PR. Anyway, I have been reviewing it, and there is no need for a --mfa parameter; the AWS library detects when an MFA is necessary and will ask for it using the AssumeRoleTokenProvider option. CC @IndranilVyas
Hi @lucagrulla!! I think this snippet can solve the issue: https://aws.amazon.com/es/blogs/developer/assume-aws-iam-roles-with-mfa-using-the-aws-sdk-for-go/; just adding this:

```go
// Honour ~/.aws/config profiles (role_arn, mfa_serial, source_profile) and, when a
// profile requires MFA, prompt for the token code on stdin instead of failing.
sess := session.Must(session.NewSessionWithOptions(session.Options{
	AssumeRoleTokenProvider: stscreds.StdinTokenProvider,
	SharedConfigState:       session.SharedConfigEnable,
}))
```

in the file https://github.com/lucagrulla/cw/blob/master/cloudwatch/client.go#L52.
I am having this issue, so I could test it as soon as you have a release. Thanks!
Hi @okelet, thanks for your help. I looked at the same documentation you shared and unfortunately it's not enough. I also experience inconsistent behaviours when testing PR #82, which is why it's taking me such a long time to fix this.
For the time being the best solution for you is to use a third party tool to get the MFA token, then use cw as usual.
Hi @lucagrulla, anything I can do to help with testing or improving the PR?
Hi @IndranilVyas and @lucagrulla, I have created the pull request #92 and tested it locally without profiles, and with different profiles requiring MFA with AssumeRole and without MFA, all of them working perfectly. It is almost the same as what @IndranilVyas did, but without the need for an mfa parameter in the command. Hope this PR can be integrated.
But MFA is not cached... Please wait.
To cache temporary credentials from the session, you need to save them to the ~/.aws/credentials file or as environment variables.
Yes, just wondering if the Go library has any type of built-in credential cache, like the Python library has, but I can't find any... It looks like the people from kubernetes-sigs/aws-iam-authenticator have done something similar (https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/193), but there is no such option in the standard Go library...
I tried with my working configuration and also with a vanilla IAM and I don't have the expected behaviour (no MFA request on stdin).
@okelet do you mind walking me through your IAM configuration so I can validate that my AWS configuration is correct?
You can use a credential_process. The advantage is that caching is up to the configured helper, so there is no need to do anything at the application level. I'm not sure if the Go implementation will fetch a new token after expiration if you tail for a very long period.
Hi @ntkoopman , thanks for the suggestion. I'll have a look!
It might be a workaround, but since I find it useful for juggling accounts anyway... I've found aws-vault works great with MFA + cw.
aws-vault exec <profile> -- ./cw -r <region> tail ...
https://github.com/99designs/aws-vault
hth
Is your feature request related to a problem? Please describe. See #45
Describe the solution you'd like Support authentication with 2FA.
Additional context Accounts with 2FA enabled won't work.