trek10inc / awsume

A utility for easily assuming AWS IAM roles from the command line.
https://awsu.me
MIT License

credential_process and virtual mfa: Not asked for a MFA code #146

Open kirnberger1980 opened 3 years ago

kirnberger1980 commented 3 years ago

We want to use the credential_process support in awsume in combination with our virtual MFA. The following config file works fine when using credential_process with the AWS CLI directly:

```
[default]
credential_process = /Users/kb/credentials.sh
region=eu-west-1
output=json
cli_pager=cat
mfa_serial=arn:aws:iam::xxxxxxxxxxxx:mfa/kb

[profile accountb]
role_arn=arn:aws:iam::yyyyyyyyyyyyy:role/MySuperRole
region=eu-west-1
output=json
source_profile=default
mfa_serial=arn:aws:iam::xxxxxxxxxxxx:mfa/kb
```

When we awsume into accountb, we get the following error without being asked for an MFA code:

```
Awsume error: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::xxxxxxxxxxxx:mfa/kb is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::yyyyyyyyyyyyy:role/MySuperRole
```
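Added example, not part of the original issue and not awsume's own code: a small checker that walks each role profile's `source_profile` chain in an AWS config file and flags the combination reported above, a role profile with `mfa_serial` whose chain ends in `credential_process`. The sample config is constructed from the one in the issue, and the function names and report keys are hypothetical.

```python
import configparser

# Constructed sample mirroring the config posted in the issue (IDs redacted as posted).
SAMPLE = """
[default]
credential_process = /Users/kb/credentials.sh
mfa_serial=arn:aws:iam::xxxxxxxxxxxx:mfa/kb

[profile accountb]
role_arn=arn:aws:iam::yyyyyyyyyyyyy:role/MySuperRole
source_profile=default
mfa_serial=arn:aws:iam::xxxxxxxxxxxx:mfa/kb
"""

def load_profiles(text):
    """Parse AWS config text into {profile_name: {key: value}}."""
    cp = configparser.RawConfigParser()  # no interpolation; keys are lowercased
    cp.read_string(text)
    profiles = {}
    for section in cp.sections():
        name = section.removeprefix("profile ").strip()
        profiles[name] = dict(cp.items(section))
    return profiles

def describe_role_profiles(profiles):
    """Walk source_profile to its root for every role profile and report MFA use."""
    report = {}
    for name, opts in profiles.items():
        if "role_arn" not in opts:
            continue
        chain, cur = [name], opts
        while "source_profile" in cur:
            nxt = cur["source_profile"]
            if nxt in chain or nxt not in profiles:  # loop or missing profile
                chain.append(nxt + " (unresolved)")
                cur = {}
                break
            chain.append(nxt)
            cur = profiles[nxt]
        root_kind = ("credential_process" if "credential_process" in cur
                     else "static_keys" if "aws_access_key_id" in cur else "unknown")
        report[name] = {
            "chain": chain,
            "mfa_serial": opts.get("mfa_serial"),
            "root_source": root_kind,
            # The reported case: MFA expected, root credentials from credential_process.
            "mfa_with_credential_process": bool(opts.get("mfa_serial")) and root_kind == "credential_process",
        }
    return report
```

Calling `describe_role_profiles(load_profiles(open(path).read()))` on a real `~/.aws/config` lists every role profile in this state, which helps narrow down which profiles are affected by the behaviour described in this issue.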