Feature/add yubikey #316
The build is failing because |
Great job! |
Hi, is there any update on this PR? It would be very useful to have. |
If you don't want to wait for this PR to be merged you can build it yourself, see https://github.com/99designs/aws-vault#development (that's what I've done, works well for me, I use it most days). If you do please report here with your experience of the functionality as it will add impetus to this PR. |
I will give that a try, and report here, thanks! |
Hello there, Great work! Any updates on when this PR would be merged into master? I'm having problems building the code from https://github.com/j0hnsmith/aws-vault
./main.go:27:22: cannot use app (type *"gopkg.in/alecthomas/kingpin.v2".Application) as type *"github.com/99designs/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2".Application in argument to cli.ConfigureGlobals phillip |
@p0bailey Something like this should work
|
I found the code signing directions lacking. Deal with signing aws-vault
go get -u -v github.com/99designs/aws-vault
cd $GOPATH/src/github.com/99designs/aws-vault
make build
codesign --force --sign name-of-certificate ${GOPATH}/src/github.com/99designs/aws-vault/aws-vault
export PATH="$PWD:$PATH"
# verify signature
codesign -dvv $(which aws-vault) 2>&1 | grep Authority
Verify signature
Check out Apple's guide on it here, or find it in |
@j0hnsmith I'm getting the same issue. After switching to your branch:
That's using go1.12 on a mac |
@viraptor if you follow the instructions in #316 (comment) all should be good. |
@mtibben are you happy with the general premise of this PR? If so, what needs to happen to get the build to pass? |
@j0hnsmith That's what I did, with some fixes:
But there is some reproducible issue it seems. |
270eaf0
to
da89887
@j0hnsmith FYI I've just rebased this |
@viraptor I've just built and installed the rebased version using |
Found the problem - missing directory in the structure - fixed here:
|
Is this already merged to the latest release or will it be included? |
|
@j0hnsmith I've built and tried using the yubikey with I've added the ARN of the yubikey, to Also, it is quite unclear what |
@lox @j0hnsmith can this PR please be expedited? |
What's the status of this @j0hnsmith? I'm reviewing PRs presently, is this ready for review? |
da89887
to
59f3ee6
@lox I've just rebased against master so yes, absolutely. The build is failing because |
Ok cool. I'll see if I can figure out how to get |
@j0hnsmith great job! I have tested your PR and I found a flaw in ykoath (yawn/ykoath#8) if you stored tokens that require the --touch and tokens that don't, in some cases this PR won't work. I did not have a reply for 10 days, but it would be nice if this PR would work properly. Can you update the commit ID in Also, I found a small quirk with the MFA device being added even if the tokens used are wrong, in this case you might try to do some cleanup. It's not a major issue, as manually doing |
@j0hnsmith it would be nice also if we could have more feedback once the Yubikey button has been pressed. Today it shows:
And nothing more once you pressed it. For tasks that don't output something for seconds it's impossible to know if you have correctly pressed the button or not. If you touch the button multiple times, the console is filled with random chars, otherwise it times out and asks for a token. A simple |
@asiragusa Thanks for testing and giving feedback. I've added
In what situation would the token be wrong?
What do you want it updated to, surely your PR has to be merged first? |
Great, thanks!
Given that it's an edge case we can merge this PR and wait for yawn/ykoath#8 to be merged. An issue to remind to update the go.mod will do the trick ;) |
@j0hnsmith I have found a small issue using the In my environment I have forbidden to remove MFA devices without using an MFA token and probably the The output I have is the following:
|
This reverts commit 80a54ed.
don't delete from the yubikey until the mfa device has been deactivated and deleted from aws
aed9720
to
fbbc139
@asiragusa I've found and fixed the problem with removing a yubikey, the creds used are obtained with a TOTP. This is the policy I tested with (deny is better than allow as an explicit deny will deny regardless of other policies)
I commented out the |
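The removal ordering discussed above (deactivate and delete the MFA device in AWS first, remove the credential from the Yubikey last), as an added Go example that is not code from this PR. The `awsMFA` and `keyStore` interfaces, the `fake` type, the error value and the ARN are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical interfaces for this example (not aws-vault's types): awsMFA
// stands in for the IAM calls, keyStore for the OATH credential on the Yubikey.
type awsMFA interface {
	Deactivate(serial string) error
	Delete(serial string) error
}
type keyStore interface{ Remove(name string) error }
var errDenied = errors.New("AccessDenied (constructed)")

// RemoveMFA wipes the TOTP secret from the key only after AWS has stopped
// requiring it. If an AWS call fails, e.g. on an explicit deny, the secret
// stays on the key so the user can still produce codes and retry.
func RemoveMFA(aws awsMFA, key keyStore, serial string) error {
	if err := aws.Deactivate(serial); err != nil {
		return fmt.Errorf("deactivate %s: %w", serial, err)
	}
	if err := aws.Delete(serial); err != nil {
		return fmt.Errorf("delete %s: %w", serial, err)
	}
	return key.Remove(serial)
}

// fake is a constructed stand-in that records calls and can deny Deactivate.
type fake struct {
	deny  bool
	calls []string
}
func (f *fake) Deactivate(string) error {
	f.calls = append(f.calls, "aws:deactivate")
	if f.deny {
		return errDenied
	}
	return nil
}
func (f *fake) Delete(string) error { f.calls = append(f.calls, "aws:delete"); return nil }
func (f *fake) Remove(string) error { f.calls = append(f.calls, "key:remove"); return nil }

func main() {
	const arn = "arn:aws:iam::123456789012:mfa/example" // constructed sample ARN
	ok, denied := &fake{}, &fake{deny: true}
	fmt.Println(RemoveMFA(ok, ok, arn), ok.calls)
	fmt.Println(RemoveMFA(denied, denied, arn), denied.calls)
}
```

In the denied case the only recorded call is the failed deactivation, so the credential on the key is untouched and the device can still generate codes.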
@mtibben rebased |
Awesome, thank you so much @j0hnsmith for this feature! |
I am struggling with using Yubikey-based auth too. I built However, when I add the Yubikey to my account through the AWS console and set the MFA's arn in my
However, if I remove the yubikey from my account via the AWS UI and try to add it through aws-vault, I get the following:
I am a bit lost here. What is |
@arnuschky As long as you can see an entry in Yubikey Authenticator (don't ever manually remove that), I think you need to
|
This is a super neat feature, thanks very much @j0hnsmith, and @mtibben for merging! Sorry if I'm being impatient. Is there an ETA for a GH release of this? There are a number of aws-vault users in our org who would benefit from this feature. Thanks again |
@j0hnsmith I've just run into some problems trying to create a new release of aws-vault due to the introduction of CGO and cross-compilation. I'm going to revert this from master and look to address in a new PR |
Adds Yubikey integration, #230.