serverless / serverless

⚡ Serverless Framework – Effortlessly build apps that auto-scale, incur zero costs when idle, and require minimal maintenance using AWS Lambda and other managed cloud services.
https://serverless.com
MIT License

AWS role session duration not used for MFA #10310

Open noahsmartin opened 2 years ago

noahsmartin commented 2 years ago

Are you certain it's a bug?

Is the issue caused by a plugin?

Are you using the latest version?

Is there an existing issue for this?

Issue description

My IAM users require using MFA to assume a role that allows access to most AWS resources. This works with serverless by setting the AWS_PROFILE env variable and including

role_arn = arn:aws:iam::123456:role/RoleName
mfa_serial = arn:aws:iam::123456:mfa/username

in ~/.aws/credentials

With this setup serverless will prompt for an MFA code:

% sls package
Enter MFA code for arn:aws:iam::123456:mfa/username:

This role has a maximum session duration of 1 hour, configured in the AWS console. With the AWS CLI this means I only need to authenticate MFA once an hour, but serverless is prompting for the MFA code on every command. Seems like it should respect the session duration and avoid prompting for new codes.

Service configuration (serverless.yml) content

N/A

Command name and used flags

sls package

Command output

Enter MFA code for arn:aws:iam::123456:mfa/username:

Environment information

Framework Core: 2.68.0
Plugin: 5.5.1
SDK: 4.3.0
Components: 3.18.1

medikoo commented 2 years ago

@noahsmartin serverless shows the prompt only per AWS SDK request (it's not decided individually by the Framework), so there won't be a case where the AWS SDK is fine with the obtained credentials and yet the Framework asks for an MFA code without a reason.

Nonetheless, we're aware of issues in handling AWS credentials, and we have a dedicated issue to tackle that: https://github.com/serverless/serverless/issues/9290
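
The behaviour the issue asks for (prompt for MFA once, then reuse the temporary credentials until they expire), as an added example that is not part of the thread and is not Serverless Framework or AWS SDK code. `CACHE_DIR`, `getCredentials` and the `promptAndAssume` callback are hypothetical names; the credential object uses the field names of the STS AssumeRole response (`SessionToken`, `Expiration`).

```javascript
'use strict';
const crypto = require('crypto');
const fs = require('fs');
const os = require('os');
const path = require('path');

// Hypothetical cache location for this example (not a Serverless Framework path).
const CACHE_DIR = path.join(os.homedir(), '.example-sts-cache');
// Treat credentials as expired a little early so a command never starts
// with a session token that is about to lapse.
const EXPIRY_MARGIN_MS = 60 * 1000;

// One cache entry per (role, MFA device) pair; hashing keeps ARNs out of file names.
function cacheFile(dir, roleArn, mfaSerial) {
  const key = crypto.createHash('sha256').update(`${roleArn}\n${mfaSerial}`).digest('hex');
  return path.join(dir, `${key}.json`);
}

// Returns cached credentials, or null when missing, malformed or (nearly) expired.
function loadCached(file, now = Date.now()) {
  let creds;
  try {
    creds = JSON.parse(fs.readFileSync(file, 'utf8'));
  } catch (err) {
    return null;
  }
  const expiresAt = Date.parse(creds.Expiration);
  if (!creds.SessionToken || Number.isNaN(expiresAt)) return null;
  return expiresAt - now > EXPIRY_MARGIN_MS ? creds : null;
}

// Session tokens are secrets: keep the directory and file owner-only.
function saveCached(file, creds) {
  fs.mkdirSync(path.dirname(file), { recursive: true, mode: 0o700 });
  fs.writeFileSync(file, JSON.stringify(creds), { mode: 0o600 });
  fs.chmodSync(file, 0o600); // the mode option only applies when the file is created
}

// promptAndAssume is a hypothetical callback that asks for the MFA code
// and performs the STS AssumeRole call; it runs only on a cache miss.
function getCredentials({ roleArn, mfaSerial, promptAndAssume, dir = CACHE_DIR, now = Date.now() }) {
  const file = cacheFile(dir, roleArn, mfaSerial);
  const cached = loadCached(file, now);
  if (cached) return cached;
  const fresh = promptAndAssume(roleArn, mfaSerial);
  saveCached(file, fresh);
  return fresh;
}
```

The cached file holds live session credentials for the assumed role, so it needs the same protection as `~/.aws/credentials` and should be deleted when the role's permissions are revoked.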