SAM CLI does not have first class support for MFA based authentication, which leads to multiple requests for such tokens degrading the overall CLI experience.
- SAM CLI will support default sessions with caching of temporary credentials to a json cache.
- SAM CLI only ever asks for a MFA token once and caches it under the default boto location. This allows for other application that uses default location for caching credentials.
- SAM CLI on the first interaction with any AWS resource using AWS credentials that support MFA credentials creates a prompt which says
Enter MFA Code: xxxxxxxxxxxxxx/xxxx
Note: This MFA code is entered via a U2f/virtual mfa device/gemalto token.
Once the code is entered and successfully validated, this results in temporary caching of the credentials with an sts call.
The only changes are during the setting up the boto3 session in the cli context, this propogates the boto3 session context all the way down across all sub commands of SAM CLI.
There are no breaking changes.
There are no samconfig.toml changes.
What new dependencies (libraries/cli) does this change require?
N/A
What other Docker container images are you using?
N/A
Are you creating a new HTTP endpoint? If so explain how it will be created & used
N/A
Are you connecting to a remote API? If so explain how is this connection secured
- Connect to all aws endpoints, secured with aws credentials.
Are you reading/writing to a temporary folder? If so, what is this used for and when do you clean up?
N/A
How do you validate new .samrc configuration?
N/A
- All unit tests and integration tests pass.
- IAM user with MFA enabled.
- Specific integration test case with a MFA prompt.
- No regressions
- Send a Pull Request with this design document
- Build the command line interface
- Build the underlying library
- Unit tests
- Functional Tests
- Integration tests
- Run all tests on Windows
- Update documentation