Problem with MFA (TOTP) authentication -> "The plugin t could not be found"

opentelekomcloud / python-otcextensions

Extension of the OpenStackSDK && OpenStackClient with OpenTelekomCloud services

https://docs.otc-service.com/python-otcextensions

Apache License 2.0

24 stars 26 forks source link

Problem with MFA (TOTP) authentication -> "The plugin t could not be found" #336

Open mazw77 opened 1 year ago

mazw77 commented 1 year ago

I am trying to use openstack CLI with MFA (authenticator APP on iPhone). But I do not succeed. When using additional settings for MFA/TOTP I get the strange error "The plugin t could not be found"

export OS_AUTH_URL=https://iam.eu-de.otc.t-systems.com:443/v3
export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_NAME=eu-de
export OS_PROJECT_DOMAIN_NAME=OTC-EU-DE-000000000010000xxx
export OS_USERNAME=myuser
export OS_USER_DOMAIN_NAME=OTC-EU-DE-000000000010000xxx
export OS_PASSWORD=myPassword
export S3_ACCESS_KEY_ID=myAccessKey
export S3_SECRET_ACCESS_KEY=mySecretKey

[terraform@lindev-mzweiboe ~]$ openstack
(openstack) project list
Failed to discover available identity versions when contacting https://iam.eu-de.otc.t-systems.com:443/v3. Attempting to parse version from URL.
mfa totp code verify fail  (HTTP 401)
(openstack)

export OS_PASSCODE=819539
export OS_AUTH_TYPE=v3multifactor
export OS_AUTH_METHODS=totp

[terraform@lindev-mzweiboe ~]$ openstack
(openstack) project list
The plugin t could not be found
(openstack)

[terraform@lindev-mzweiboe ~]$ openstack --version
openstack 5.8.0

eht16 commented 1 year ago

I think OS_AUTH_METHODS must be a list however I don't know how to define a list as env variable.

I tried it using clouds.yaml and defined it as

    auth_methods: ['totp']
    auth_type: v3multifactor

Though the error message is basically the same: The plugin totp could not be found. Also tried v3totp as auth_type, no change.

Related to this, is there any possibility to bypass MFA for API access? When using the Terraform provider, I just pass my access_key/secret_key of my user and do not need to specify the TOTP code. I tried all possible combinations in cloud.yaml I could think of but without success. If I got it right from the TF provider code, it uses an auth_type of "aksk" but doing so in clouds.yaml gives me again The plugin aksk could not be found. https://github.com/opentelekomcloud/python-otcextensions/issues/43 states that AK/SK authentication is not supported but the Terraform provider seems to be able to use it?

anton-sidelnikov commented 1 year ago

@mazw77 @eht16 did you try this: https://docs.openstack.org/openstacksdk/latest/user/config/configuration.html#mfa-support ?

eht16 commented 1 year ago

@anton-sidelnikov thanks, I just tried it but it also gives: mfa totp code verify fail (HTTP 401)

Though my question was rather how to use AK/SK authentication with the API in a similar way it is done by the Terraform provider.