trek10inc / awsume

A utility for easily assuming AWS IAM roles from the command line.
https://awsu.me
MIT License

Unable to specify MFA token when assuming role ARN directly #214

Closed xeger closed 1 year ago

xeger commented 1 year ago

If I assume a profile name with awsume foo then it reads my AWS CLI config, infers that an MFA serial needs to be specified, and prompts me for an MFA token. All is good.

If I try to assume a role by ARN, awsume decides that no MFA token is needed.

$ awsume --debug --role-arn=arn:aws:iam::12345678:role/User --session-name=employee@example.com --source-profile=employer --mfa-token=123456

[2023-01-28 18:24:56,923] default_plugins.py:assume_role_from_cli : [DEBUG] Using the source_profile from the cli to call assume_role
[2023-01-28 18:24:56,923] default_plugins.py:assume_role_from_cli : [DEBUG] MFA not needed, assuming role from with profile creds

Awsume error: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::789626037895:user/anthony.spataro@appfolio.com is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::756199042854:role/User

What am I missing? It would sure be nice to ask for role ARNs in my automation scripts so that my teammates and I don't need to agree on specific profile names!

MSarfraz-CR commented 1 year ago

When using awsume to assume a role from the CLI, make sure to add mfa_serial to the source profile.

xeger commented 1 year ago

Works like a charm, thank you!

For posterity, in case others find this issue, the solution is to use mfa_serial on the source profile, not on any destination profile.

The AWS CLI will accept either. Given the following ~/.aws/config:

[default]

[foo]
mfa_serial = arn:aws:iam::123456:mfa/employee@example.com
role_arn = arn:aws:iam::654321:role/User
source_profile = default

I can export AWS_PROFILE=foo and the aws command will prompt me for an MFA serial number, using the right token. However, with awsume, because it understands chains, it will disregard the destination MFA token. So, that attribute must be declared on the source profile in order for awsume to work correctly.

(It can be declared on all profiles provided its value is the same everywhere, and awsume will work correctly along with aws.)
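The pitfall the thread settles on (mfa_serial on the destination profile, which the AWS CLI honours but awsume does not follow through a source_profile chain) is easy to catch before awsume reports AccessDenied. The following is an added example, not code from the awsume project: a small linter for an AWS CLI config that flags role-chaining profiles whose source profile lacks mfa_serial, flags a serial that differs between the two profiles (the thread notes it may be declared on both only if the value is the same), and can copy the serial onto the source profile. It accepts both the `[profile foo]` section form used by ~/.aws/config and the bare `[foo]` form shown in the comment above. The two sample configs are constructed for the example; the account IDs and ARNs are placeholders.

```python
"""Lint an AWS CLI config for the awsume chaining pitfall discussed in this issue:
mfa_serial set on the destination (role) profile instead of on its source_profile."""
import configparser
import io

# Constructed sample configs (not from the original post); ARNs are placeholders.
# The AWS CLI accepts this layout, but awsume resolves the chain and only reads
# mfa_serial from the source profile, so it decides "MFA not needed".
BROKEN_CONFIG = """\
[default]

[profile foo]
mfa_serial = arn:aws:iam::123456:mfa/employee@example.com
role_arn = arn:aws:iam::654321:role/User
source_profile = default
"""

# Same chain with mfa_serial where awsume looks for it: on the source profile.
FIXED_CONFIG = """\
[default]
mfa_serial = arn:aws:iam::123456:mfa/employee@example.com

[profile foo]
role_arn = arn:aws:iam::654321:role/User
source_profile = default
"""


def load_config(text: str) -> configparser.ConfigParser:
    # interpolation=None so '%' inside values (rare in ARNs, but possible) is left alone
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def resolve_section(cp: configparser.ConfigParser, name: str):
    """Return the section that defines profile `name`, trying the
    '[profile name]' form first and then a bare '[name]' section."""
    for candidate in (f"profile {name}", name):
        if cp.has_section(candidate):
            return candidate
    return None


def check_mfa_placement(text: str) -> dict[str, str]:
    """Map each role-chaining profile (has role_arn + source_profile) to a status:
    'ok', 'mfa_on_destination_only', 'mfa_mismatch', 'no_mfa' or 'missing_source'."""
    cp = load_config(text)
    result: dict[str, str] = {}
    for section in cp.sections():
        sec = cp[section]
        if "role_arn" not in sec or "source_profile" not in sec:
            continue  # not a role chain; nothing for awsume to resolve
        name = section[len("profile "):] if section.startswith("profile ") else section
        src = resolve_section(cp, sec["source_profile"])
        if src is None:
            result[name] = "missing_source"
            continue
        dest_mfa = sec.get("mfa_serial")
        src_mfa = cp[src].get("mfa_serial")
        if src_mfa is None:
            # awsume will not prompt for a token in either of these cases
            result[name] = "mfa_on_destination_only" if dest_mfa else "no_mfa"
        elif dest_mfa and dest_mfa != src_mfa:
            result[name] = "mfa_mismatch"  # aws and awsume would use different devices
        else:
            result[name] = "ok"
    return result


def propagate_mfa_to_source(text: str) -> str:
    """Return the config with each destination-only mfa_serial copied onto the
    source profile, which is the fix the thread arrives at."""
    cp = load_config(text)
    for section in cp.sections():
        sec = cp[section]
        if "role_arn" in sec and "source_profile" in sec and "mfa_serial" in sec:
            src = resolve_section(cp, sec["source_profile"])
            if src is not None and "mfa_serial" not in cp[src]:
                cp[src]["mfa_serial"] = sec["mfa_serial"]
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_mfa_placement(cfg))
    print(propagate_mfa_to_source(BROKEN_CONFIG))
```

Running it against a real file is a matter of `check_mfa_placement(open(os.path.expanduser("~/.aws/config")).read())`; any profile reported as `mfa_on_destination_only` is one where `aws` will prompt for a token but `awsume` will silently skip MFA and fail with AccessDenied, exactly as in the debug output above.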