pulumi up is not supporting MFA tokens #584

Closed
josb opened this issue Jun 5, 2019 · 9 comments
Labels
kind/bug Some behavior is incorrect or out of spec resolution/duplicate This issue is a duplicate of another issue

Comments

@josb

josb commented Jun 5, 2019

Looks like there's no support for MFA tokens:

/git/pulumi/s3website% pulumi up
Previewing update (dev):

     Type                 Name               Plan     Info
     pulumi:pulumi:Stack  s3website-dev
     └─ aws:s3:Bucket     s3-website-bucket           1 error

Diagnostics:
  aws:s3:Bucket (s3-website-bucket):
    error: Error creating AWS session: AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.

This is with the following AWS cli config:

[default]
region = <some region>

[profile dev]
region = <some region>
role_arn = arn:aws:iam::<target account>:role/Administrator
source_profile = default
mfa_serial = arn:aws:iam::<source account>:mfa/myuser

I think this is because awsbase.GetCredentials (https://github.com/hashicorp/aws-sdk-go-base/blob/master/awsauth.go#L154) isn't using AssumeRoleTokenProvider as a session option.

@lukehoban
Member

This sounds like it might be hashicorp/terraform-provider-aws#5592.

@lukehoban
Member

BTW - I have seen several teams use tools like https://github.com/remind101/assume-role in order to assume a role (including an MFA-requiring role) as a separate step from the invocation of pulumi, which can be a workaround for issues like this if needed.
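The workaround described in the comment above (assume the MFA-protected role as a separate step, then run pulumi with the temporary credentials), as an added example that is not part of the thread and is not code from Pulumi or assume-role. It assumes the AWS CLI is installed; the function names, the session name and the sample config values are hypothetical.

```python
import configparser, json, os, subprocess, sys

# Constructed sample shaped like the config in the issue; account ids are placeholders.
SAMPLE_CONFIG = """\
[default]
region = us-east-1

[profile dev]
region = us-east-1
role_arn = arn:aws:iam::111111111111:role/Administrator
source_profile = default
mfa_serial = arn:aws:iam::222222222222:mfa/myuser
"""

def sts_command(config_text, profile, token_code):
    """Build the `aws sts assume-role` call for a role profile, adding MFA if configured."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    p = cfg["profile " + profile]
    cmd = ["aws", "sts", "assume-role", "--output", "json",
           "--profile", p.get("source_profile", fallback="default"),
           "--role-arn", p["role_arn"],
           "--role-session-name", "pulumi-" + profile]  # session name is an assumption
    if "mfa_serial" in p:
        if not (token_code.isascii() and token_code.isdigit() and len(token_code) == 6):
            raise ValueError("MFA token code must be six digits")
        cmd += ["--serial-number", p["mfa_serial"], "--token-code", token_code]
    return cmd

def child_env(sts_json, base_env):
    """Return base_env plus the temporary credentials from the STS response."""
    creds = json.loads(sts_json)["Credentials"]
    # Drop profile selectors as a precaution so the child uses only the env credentials.
    env = {k: v for k, v in base_env.items()
           if k not in ("AWS_PROFILE", "AWS_DEFAULT_PROFILE")}
    env.update(AWS_ACCESS_KEY_ID=creds["AccessKeyId"],
               AWS_SECRET_ACCESS_KEY=creds["SecretAccessKey"],
               AWS_SESSION_TOKEN=creds["SessionToken"])
    return env

def run_with_role(profile, token_code, argv, config_path="~/.aws/config"):
    """Assume the role, then run argv; credentials live only in the child's environment."""
    with open(os.path.expanduser(config_path)) as fh:
        cmd = sts_command(fh.read(), profile, token_code)
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return subprocess.run(argv, env=child_env(out, os.environ)).returncode

if __name__ == "__main__":  # usage: script.py dev 123456 pulumi up
    sys.exit(run_with_role(sys.argv[1], sys.argv[2], sys.argv[3:]))
```

The temporary credentials are never written to disk and expire with the STS session, so a fresh token code is needed once they lapse.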

@josb
Author

josb commented Jun 6, 2019

I had to apply remind101/assume-role#38 and thus build from source to make this work, but with that, assume-role dev pulumi up worked. Still, it's only a workaround and it makes it more difficult to advocate for Pulumi.

@lukehoban
Member

> Still, it's only a workaround and it makes it more difficult to advocate for Pulumi.

Completely agreed.

@tdi

tdi commented Nov 28, 2019

I can also recommend this one, which is more CI/CD friendly: https://github.com/nordcloud/assume-role-arn

@josb
Author

josb commented Dec 2, 2019

@tdi thanks for the recommendation, looks nice.

@lukehoban lukehoban assigned stack72 and unassigned jen20 Jan 23, 2020
@joehillen

Is this still an issue? My security team wants to turn on MFA, but I'm worried it is going to break my stuff.

@josb
Author

josb commented Sep 25, 2020

This has not been fixed.

@lukehoban lukehoban added kind/bug Some behavior is incorrect or out of spec resolution/duplicate This issue is a duplicate of another issue labels Nov 19, 2022
@lukehoban
Member

This and #1366 appear to be the same issue. That one has a little more recent relevant details - so closing this one out as a duplicate.
