wallix / awless

A Mighty CLI for AWS
http://awless.io/
Apache License 2.0

Unable to use mfa when role_arn is not set. #207

Closed madelaney closed 6 years ago

madelaney commented 6 years ago

I'm trying to use awless (version 0.1.10) with AWS using MFA, but awless doesn't ask for the MFA token.

When I try to create the bucket, here is the output (including -v and -e flags):

awless -v -e create bucket name=testingbucket

[verbose] awless v0.1.10 - loading AWS session with profile 'default' and region 'us-east-1'
[verbose] Dry running template ...
create bucket name=testingbucket

Confirm (region: us-east-1)? [y/N] y
[extra]   resolved template author: user/madelaney
[extra]   s3.CreateBucket call took 1.246356208s
[info]    KO create bucket
          AccessDenied: Access Denied

$HOME/.aws/config

[default]
source_profile = XXXXXX-madelaney
mfa_serial = arn:aws:iam::XXXXXXXXXX:mfa/mdelaney

$HOME/.aws/credentials

[XXXXXX-madelaney]
aws_access_key_id = XXXXX~~~~~XXXXXXX
aws_secret_access_key = XXXXX~~~~~XXXXXXX

fxaguessy commented 6 years ago

Hi @madelaney, thanks for reporting. This might be related to #196 and 5c172163634e42e7bce4a993e17ee0562f0409f6. Do you know if it worked previously with awless v0.1.9?

madelaney commented 6 years ago

@fxaguessy, I just tried using darwin-v0.1.9 and it's still happening.

./awless -v -e create bucket name=hello-there

[verbose] awless v0.1.9 - loading AWS session with profile 'default' and region 'us-east-1'
[verbose] Dry running template ...
create bucket name=hello-there

Confirm? [y/N] y
[extra]   resolved template author: user/madelaney
[extra]   s3.CreateBucket call took 183.16091ms
[info]    KO create bucket
          AccessDenied: Access Denied

(both $HOME/.aws/{config,credentials} were not changed between testing versions)

madelaney commented 6 years ago

Are there docs on how to set up the development environment? I'll see if I can get more information on my side.

Also, do you happen to have a working example of what $HOME/.aws/{config,credentials} should look like when using MFA? Maybe I have some nuance mistake that is causing the issue.

fxaguessy commented 6 years ago

Hello, sorry, I read the title of the issue too fast. The problem is indeed that there is no role_arn in your config. AFAIK, using MFA without assuming a role was not possible in aws-sdk-go (cf. this issue). As a result, for now, the only way to use MFA is assuming a role:

[XXXXXX-madelaney]
aws_access_key_id = XXXXX~~~~~XXXXXXX
aws_secret_access_key = XXXXX~~~~~XXXXXXX

and

[default]
source_profile = XXXXXX-madelaney
mfa_serial = arn:aws:iam::XXXXXXXXXX:mfa/mdelaney
role_arn = arn:aws:iam::XXXXXX:role/mfa-user
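
A check for the layout discussed in this thread, as an added example that is not part of the original issue or of awless: it scans shared-config text for profiles that set mfa_serial without role_arn, the case where, per the comment above, no MFA token is requested. The function names and the sample profiles are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// sampleConfig is constructed for this example, mirroring the two layouts in the thread.
const sampleConfig = `[default]
source_profile = example-user
mfa_serial = arn:aws:iam::111111111111:mfa/example
[profile with-role]
source_profile = example-user
mfa_serial = arn:aws:iam::111111111111:mfa/example
role_arn = arn:aws:iam::111111111111:role/mfa-user
`

// parseProfiles reads INI-style text into profile name -> key -> value.
func parseProfiles(text string) map[string]map[string]string {
	profiles, current := map[string]map[string]string{}, ""
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			current = strings.TrimSpace(strings.TrimPrefix(strings.Trim(line, "[]"), "profile "))
			profiles[current] = map[string]string{}
		} else if k, v, ok := strings.Cut(line, "="); ok && current != "" && !strings.HasPrefix(line, "#") {
			profiles[current][strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return profiles
}

// mfaWithoutRole lists, sorted, the profiles that set mfa_serial but no role_arn.
func mfaWithoutRole(text string) []string {
	var flagged []string
	for name, kv := range parseProfiles(text) {
		if kv["mfa_serial"] != "" && kv["role_arn"] == "" {
			flagged = append(flagged, name)
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	for _, p := range mfaWithoutRole(sampleConfig) {
		fmt.Printf("profile %q: mfa_serial set without role_arn, MFA will not be prompted\n", p)
	}
}
```
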

madelaney commented 6 years ago

Blurg. Thanks for the link, I'll watch that issue and see what happens.