lucagrulla / cw

The best way to tail AWS CloudWatch Logs from your terminal
https://www.lucagrulla.com/cw
Apache License 2.0

Support 2FA #47

Open lucagrulla opened 5 years ago

lucagrulla commented 5 years ago

Is your feature request related to a problem? Please describe.
See #45

Describe the solution you'd like
Support authentication with 2FA.

Additional context
Accounts with 2FA enabled won't work.

edmundhighcock commented 5 years ago

The python tool aws-mfa takes a profile called 'default-long-term' and then stores all necessary 2fa credentials in the 'default' profile in ~/.aws/credentials. It would be great if this 2fa approach was compatible with cw!

IndranilVyas commented 4 years ago

MFA is used in conjunction with Assume Role or Get STS Session Token, both of which can be implemented here.

I would like to build this feature; I'm learning Go and have been an AWS user for quite a while now.

IndranilVyas commented 4 years ago

@lucagrulla I have added 2FA support and tested it with a role that has 2FA enabled. I can raise a PR if you like.

lucagrulla commented 4 years ago

Yes please! A PR and some wording about your approach to this would be great!

Thanks a lot for the help!

okelet commented 4 years ago

Note: sorry, I didn't see the PR. Anyway, I have been reviewing it, and there is no need for a --mfa parameter; the AWS library detects when an MFA is necessary and will ask for it using the AssumeRoleTokenProvider option. CC @IndranilVyas

Hi @lucagrulla!! I think this snippet can solve the issue: https://aws.amazon.com/es/blogs/developer/assume-aws-iam-roles-with-mfa-using-the-aws-sdk-for-go/; just adding this:

```go
// Load the shared config (~/.aws/config) and prompt on stdin for the MFA
// token whenever the selected profile assumes a role that requires one.
sess := session.Must(session.NewSessionWithOptions(session.Options{
    AssumeRoleTokenProvider: stscreds.StdinTokenProvider,
    SharedConfigState:       session.SharedConfigEnable,
}))
```

in the file https://github.com/lucagrulla/cw/blob/master/cloudwatch/client.go#L52.

I am having this issue, so I could test it as soon as you have a release. Thanks!

lucagrulla commented 4 years ago

Hi @okelet, thanks for your help. I looked at the same documentation you shared and unfortunately it's not enough. I also experience inconsistent behaviours when testing PR #82, which is why it's taking me so long to fix this.

For the time being the best solution for you is to use a third party tool to get the MFA token, then use cw as usual.

IndranilVyas commented 4 years ago

Hi @lucagrulla, is there anything I can do to help with testing or improving the PR?

okelet commented 4 years ago

Hi @IndranilVyas and @lucagrulla, I have created the pull request #92 and tested it locally without profiles, and with different profiles requiring MFA with AssumeRole and without MFA, all of them working perfectly. It is almost the same as what @IndranilVyas did, but without the need for an mfa parameter in the command. Hope this PR can be integrated.

But MFA is not cached... Please wait.

IndranilVyas commented 4 years ago

To cache temporary credentials from the session, you need to save them to the ~/.aws/credentials file or as environment variables.

okelet commented 4 years ago

Yes, just wondering if the Go library has any type of built-in credential cache, like the Python library has, but I can't find any... It looks like the people from kubernetes-sigs/aws-iam-authenticator have done something similar (https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/193), but there is no such option in the standard Go library...

lucagrulla commented 4 years ago

I tried with my working configuration and also with a vanilla IAM and I don't have the expected behaviour (no MFA request on stdin).

@okelet do you mind walking me through your IAM configuration so I can validate that my AWS configuration is correct?

ntkoopman commented 4 years ago

You can use a credential_process. The advantage is that caching is up to the configured helper, so there is no need to do anything at the application level. I'm not sure if the Go implementation will fetch a new token after expiration if you tail for a very long period.
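
The credential_process route above, and the credential caching discussed in the earlier comments, as an added example that is not part of cw or of any PR in this thread: a helper that emits the JSON contract credential_process expects (Version 1 plus AccessKeyId, SecretAccessKey, SessionToken, Expiration) and caches the MFA session until shortly before it expires. The cache location, the CW_LONG_TERM_PROFILE and CW_MFA_SERIAL variables and the CLI-based fetcher are assumptions for the example; the long-term profile follows the aws-mfa convention mentioned above.

```python
"""Cached MFA credential_process helper (added example, not cw's own code)."""
import getpass
import json
import os
import subprocess
from datetime import datetime, timedelta, timezone
CACHE_FILE = os.path.expanduser("~/.aws/cw-mfa-cache.json")  # assumed location
LONG_TERM_PROFILE = os.environ.get("CW_LONG_TERM_PROFILE", "default-long-term")
REFRESH_MARGIN = timedelta(minutes=5)  # refresh before the token actually expires
KEYS = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")

def parse_time(value):
    """Parse an STS timestamp ('...Z' or '...+00:00'); a naive value is taken as UTC."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def cache_is_fresh(creds, now):
    """True when the cache has every key and still outlives the refresh margin."""
    try:
        return all(k in creds for k in KEYS) and parse_time(creds["Expiration"]) - now >= REFRESH_MARGIN
    except (KeyError, TypeError, ValueError):
        return False

def get_credentials(cache_file, fetch_session, now=None):
    """Return credential_process JSON, calling fetch_session only when the cache is stale."""
    now = now or datetime.now(timezone.utc)
    try:
        with open(cache_file) as fh:
            cached = json.load(fh)
        if cache_is_fresh(cached, now):
            return cached
    except (OSError, ValueError):
        pass  # missing or unreadable cache: fall through and refresh
    sts = fetch_session()
    creds = {"Version": 1, **{k: sts[k] for k in KEYS}}  # the credential_process contract
    os.makedirs(os.path.dirname(cache_file) or ".", exist_ok=True)
    with open(cache_file, "w") as fh:
        json.dump(creds, fh)
    os.chmod(cache_file, 0o600)  # the session token is a bearer secret
    return creds

def fetch_via_cli():
    """Assumed fetcher: MFA session via the AWS CLI and the long-term profile (no recursion)."""
    code = getpass.getpass("MFA code: ")  # getpass reads /dev/tty where available, not stdin
    cmd = ["aws", "sts", "get-session-token", "--profile", LONG_TERM_PROFILE,
           "--serial-number", os.environ["CW_MFA_SERIAL"], "--token-code", code]
    return json.loads(subprocess.check_output(cmd, text=True))["Credentials"]

if __name__ == "__main__":
    print(json.dumps(get_credentials(CACHE_FILE, fetch_via_cli)))
```

Point the cw profile at it with `credential_process = /path/to/this-helper.py` in ~/.aws/config; the SDK re-runs the helper when the returned Expiration passes, and the helper only prompts for a code when the cached session is gone or about to expire.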

lucagrulla commented 4 years ago

Hi @ntkoopman , thanks for the suggestion. I'll have a look!

deadlysyn commented 3 years ago

It might be a workaround, but since I find it useful for juggling accounts anyway... I've found aws-vault works great with MFA + cw.

```sh
aws-vault exec <profile> -- ./cw -r <region> tail ...
```

https://github.com/99designs/aws-vault

hth