MFA support proposal #842
Comments
|
To preempt an obvious response: I am aware I can achieve this effect by manipulating the environment myself. What I would like is a standard way of securely using MFA and roles implemented by the library so that it's not necessary to do this. Software implemented using |
|
Thanks for opening the proposal @pwaller. We'd like to add MFA support to the AWS SDK for Go. This process might help us drive that design, and implementation. I think we can break this issue down into two parts, Currently the only way to get a MFA token into the Once we have the |
|
For the Maybe something like: type TokenProvider interface {
Token() (string, error)
}I'm not sure if this type's method would need to take any input values or not. |
|
Mostly sounds reasonable. I think what needs to happen is first this needs to be made to work: The thing is, the This session token can then later be used to assume roles that require MFA. This is useful because an assumed role's credentials can only last up to 1 hour, whereas a session token can last considerably longer. So I would want to see this cache the |
|
I have put together |
|
Thanks for the clarification @pwaller. I agree the existing |
|
Hi @jasdel, what is the best way to progress this from here? Is it something you are looking to implement before the end of the year, or is that unlikely to happen? |
|
@pwaller thanks for getting back with us. This work is on our backlog. We've not started work on this feature yet. Though we are always glad to help guide any PRs people would like to contribute. For this feature I think the discussion here is on the right track. The implementation could start with a Once we have this working in the SDK we can take a look next how to integrate the shared config file |
|
Hi @jasdel and @pwaller And later using this credentials for the session. Is this a right workaround for MFA? |
|
Hi @jasdel! Do you have any news to share on the topic here? This seems to be a much needed feature, that will ease configuration and usage of tools that builds on this SDK (check this Terraform pull request for example). |
|
Thanks for the request @oli-g I don't have any additional information to share at the moment. This feature is still on our backlog, but requests like this help us prioritize the tasks we address next. |
|
Hi @pwaller, @oli-g, and @zmalik I've created PR #1088 that adds support for MFA tokens with assume role via the shared config via the For this change I went with a function I still need to make another pass over the docs to clarify expectations and usage of the MFA support. It would be great if you could take a look at the PR. Any feedback would be very helpful. |
Adds support for assuming IAM roles with MFA enabled. A TokenProvider
func was added to`stscreds.AssumeRoleProvider` that will be called each
time the role's credentials need to be refreshed. A basic token provider
that sources the MFA token from stdin as `stscreds.StdinTokenProvider`.
This change also adds a new session option, `AssumeRoleTokenProvider`.
The value of this field will be passed to the `stscreds.AssumeRoleProvider`
if the shared configuration is enabled and the config (`~/.aws/config`) or
credentials files (`~/.aws/credentials`) specify a role to assume
with MFA.
In order for the SDK to assume a role with MFA the `SharedConfigState`
session option must be set to `SharedConfigEnable`, or `AWS_SDK_LOAD_CONFIG`
environment variable set.
Creating an AssumeRoleProvider with MFA:
===
```go
// Initial credentials loaded from SDK's default credential chain. Such as
// the environment, shared credentials (~/.aws/credentials), or EC2 Instance
// Role. These credentials will be used to to make the STS Assume Role API.
sess := session.Must(session.NewSession())
// Create the credentials from AssumeRoleProvider to assume the role
// referenced by the "myRoleARN" ARN. Prompting for MFA token from stdin.
creds := stscreds.NewCredentials(sess, "myRoleARN", func(p *stscreds.AssumeRoleProvider) {
p.SerialNumber = aws.String("myTokenSerialNumberOrARN")
p.TokenProvider = stscreds.StdinTokenProvider
})
// Create service client value configured for credentials
// from assumed role.
svc := s3.New(sess, &aws.Config{Credentials: creds})
```
Creating a Session with shared config enabled to assume a role with MFA:
===
```go
sess := session.Must(session.NewSessionWithOptions(session.Options{
AssumeRoleTokenProvider: stscreds.StdinTokenProvider,
SharedConfigState: session.SharedConfigEnable,
}))
// Create service client value configured for credentials
// from assumed role.
svc := s3.New(sess)
```
Fix #842
Related To hashicorp/terraform#9349
|
HI All I merged in #1088 which adds MFA support to the SDK. Let us know if you have any issues or feedback. thanks! |
The code currently says
// MFA not supported.In #841 I made some changes to enable any [MFA] + [assume-role] workflow -even a cumbersome one- so I could get started using MFA and have a good process to follow. I don't think this is a good implementation.
It is OK, but it might be possible to do much better. In particular, it doesn't handle credential refreshing. Credentials obtained with
assume-roleare only valid for a maximum of 1 hour, so they cease being usable within an hour and require another MFA token if the assume-role policy demands that there is an MFA token attached to the request. On the other hand,get-session-tokencan be used to get a token which lasts much longer and this token can also be used toassume-rolewithout resupplying the MFA token.Here is the workflow I would like to support:
~/.aws/config:I want to be able to:
AWS_DEFAULT_PROFILE=other-role, and automaticallyassume-roleusing the temporary credentials ala (1) (or request new ones prompting for an MFA token again).Is my request reasonable? Is it straightforward to achieve, or are there hidden pitfalls I haven't spotted? Is my interpretation of how
get-session-tokenandassume-rolewill work together correct?The net effect I want is that the credentials are completely neutered unless MFA has been recently presented by way of a
{"Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}applied to the policies which enable the credentials to do anything. Is what I want reasonable?The text was updated successfully, but these errors were encountered: