Closed xeger closed 1 year ago
While using an awsume role with the CLI, make sure to add `mfa_serial` in the source profile.
Works like a charm, thank you!
For posterity, in case others find this issue, the solution is to use `mfa_serial` on the source profile, not on any destination profile. The AWS CLI will accept either. Given the following `~/.aws/config`:
```ini
[default]

[foo]
mfa_serial = arn:aws:iam::123456:mfa/employee@example.com
role_arn = arn:aws:iam::654321:role/User
source_profile = default
```
I can `export AWS_PROFILE=foo` and the `aws` command will prompt me for an MFA serial number, using the right token. However, with `awsume`, because it understands chains, it will disregard the destination MFA token. So, that attribute must be declared on the source profile in order for `awsume` to work correctly.

(It can be declared on all profiles provided its value is the same everywhere, and `awsume` will work correctly along with `aws`.)
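An added example (not from the awsume project or the commenter above) that applies the rule from this comment as a check over an AWS CLI config: for every profile that chains through `source_profile`, the `mfa_serial` must live on the source profile, and if it is repeated elsewhere it must match. The sample config is constructed to mirror the issue, with `mfa_serial` mis-placed on the destination profile only.

```python
import configparser

# Constructed sample mirroring the issue: mfa_serial sits on the destination
# profile "foo" but is missing from its source profile "default".
SAMPLE_CONFIG = """
[default]

[foo]
mfa_serial = arn:aws:iam::123456:mfa/employee@example.com
role_arn = arn:aws:iam::654321:role/User
source_profile = default
"""


def load_profiles(text):
    """Parse AWS CLI config text into {profile_name: {key: value}}.

    Accepts both the "[profile foo]" form used in ~/.aws/config and the bare
    "[foo]" form, so the sample above and a real config both load.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    profiles = {}
    for section in cp.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(cp[section])
    return profiles


def check_mfa_placement(profiles):
    """Return a list of findings for chained (role_arn + source_profile) profiles.

    A finding is raised when the source profile has no mfa_serial while the
    destination does (awsume will skip the MFA prompt), or when the two differ.
    """
    findings = []
    for name, attrs in profiles.items():
        if "role_arn" not in attrs or "source_profile" not in attrs:
            continue  # not a chained profile; nothing to check
        src_name = attrs["source_profile"]
        src = profiles.get(src_name)
        if src is None:
            findings.append(f"{name}: source_profile '{src_name}' not found")
            continue
        dst_mfa, src_mfa = attrs.get("mfa_serial"), src.get("mfa_serial")
        if dst_mfa and not src_mfa:
            findings.append(f"{name}: mfa_serial only on destination; move it to '{src_name}'")
        elif dst_mfa and src_mfa and dst_mfa != src_mfa:
            findings.append(f"{name}: mfa_serial differs from source profile '{src_name}'")
    return findings
```

Run it against the real file with `load_profiles(open(os.path.expanduser("~/.aws/config")).read())`; an empty list means every chained profile has its `mfa_serial` where awsume expects it.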
If I assume a profile name with `awsume foo`, then it reads my AWS CLI config, infers that an MFA serial needs to be specified, and prompts me for an MFA token. All is good.

If I try to assume a role by ARN, `awsume` decides that no MFA token is needed.

What am I missing? It would sure be nice to ask for role ARNs in my automation scripts so that my teammates and I don't need to agree on specific profile names!