In the IAM assumable role module, the option to create a role with an MFA condition is not working properly when using long-term credentials. The condition to check if MFA is enabled is currently Bool, which fails when the aws:MultiFactorAuthPresent variable is not present (such as when running with long-term credentials using the AWS CLI).
AWS strongly recommends not doing this, as this breaks the above use case of the AWS CLI.
Instead, they recommend that you use the BoolIfExists operator to check this condition.
Therefore I suggest that you change the operator to BoolIfExists. In addition, I suggest changing the operator for the aws:MultiFactorAuthAge condition to NumericLessThanIfExists to make sure this does not fail either when using a long-term credential type.
[x] ✋ I have searched the open/closed issues and my issue is not listed.
Versions
Module version: 5.44.0
Reproduction Code
I understand that you ask for "code that works without modifications", but uh no.. I will redact things.
Steps to reproduce the behavior:
It doesn't matter how you set up the describecluster policy, as long as you can assume the role it's fine.
Set up your user's arn in the trusted_role_arns array.
Deploy the code
Use long-term credentials to try and assume the role (via the CLI for example)
Expected behavior
I expect that using the role_requires_mfa makes it so that I can actually use the role using my terminal as well.
I also expect that this AWS module follows AWS's recommendations.
Following from that, I expect the operation of assuming the role to succeed.
Actual behavior
Assuming the role doesn't succeed.
I don't have access, because long-term credentials don't have the aws:MultiFactorAuthPresent condition set to anything, so the Bool operator fails.
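The following is an added illustration, not code from the terraform-aws-iam module or from the issue author. It simulates how IAM evaluates a trust-policy Condition block for the two operator pairs discussed above (Bool plus NumericLessThan as the module currently emits them, versus BoolIfExists plus NumericLessThanIfExists as proposed) against a few constructed request contexts. The age limit of 3600 seconds and the context values are assumptions for the example. The long-term-credential row shows the point of the report: neither aws:MultiFactorAuthPresent nor aws:MultiFactorAuthAge is in that request context, so the plain operators evaluate to false while the IfExists variants treat the missing keys as satisfied, which is also why a reviewer should be aware that the IfExists form admits that request without any MFA evidence.

```python
"""Simulate IAM condition evaluation for the MFA keys on an assumable role.

Added example for this issue; not the module's own code. The condition
blocks, the 3600 second age limit and the request contexts are constructed.
"""

from typing import Any

# Condition block as the module currently emits it (per the issue text).
CURRENT_CONDITION = {
    "Bool": {"aws:MultiFactorAuthPresent": "true"},
    "NumericLessThan": {"aws:MultiFactorAuthAge": "3600"},  # constructed limit
}

# Condition block using the operators proposed in the issue.
PROPOSED_CONDITION = {
    "BoolIfExists": {"aws:MultiFactorAuthPresent": "true"},
    "NumericLessThanIfExists": {"aws:MultiFactorAuthAge": "3600"},
}


def _eval_operator(op: str, expected: str, actual: Any) -> bool:
    """Evaluate one base operator against a key value that IS present."""
    if op == "Bool":
        return str(actual).lower() == expected.lower()
    if op == "NumericLessThan":
        return float(actual) < float(expected)
    raise ValueError(f"unsupported operator {op}")


def condition_matches(condition: dict, context: dict) -> bool:
    """Return True when every operator/key pair in the condition is satisfied.

    IAM semantics: a plain operator is false when its key is absent from the
    request context; an ...IfExists operator is true when the key is absent
    and otherwise behaves like the base operator.
    """
    for op, pairs in condition.items():
        if_exists = op.endswith("IfExists")
        base = op[: -len("IfExists")] if if_exists else op
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue  # missing key satisfies the IfExists form
                return False  # missing key fails the plain operator
            if not _eval_operator(base, expected, context[key]):
                return False
    return True


# Constructed request contexts (values are illustrative).
REQUEST_CONTEXTS = {
    # Temporary credentials obtained with MFA five minutes ago.
    "mfa_session": {"aws:MultiFactorAuthPresent": "true",
                    "aws:MultiFactorAuthAge": "300"},
    # MFA was used, but longer ago than the configured limit.
    "stale_mfa_session": {"aws:MultiFactorAuthPresent": "true",
                          "aws:MultiFactorAuthAge": "7200"},
    # Temporary credentials obtained without MFA: key present, value false.
    "no_mfa_session": {"aws:MultiFactorAuthPresent": "false"},
    # Long-term access key, as in the CLI case from the issue: no MFA keys.
    "long_term_credentials": {},
}


def evaluate_all() -> dict:
    """Evaluate both condition blocks against every constructed context."""
    return {
        name: {
            "current": condition_matches(CURRENT_CONDITION, ctx),
            "proposed": condition_matches(PROPOSED_CONDITION, ctx),
        }
        for name, ctx in REQUEST_CONTEXTS.items()
    }


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:22s} current={result['current']!s:5s} "
              f"proposed={result['proposed']}")
```

Running the block prints one row per context; only the long_term_credentials row differs between the two condition blocks, which matches the behavior the issue describes.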
This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days