Support mfa without assume role.

[glennpratt]

Given the following profile:

[profile test]
region = us-east-1
mfa_serial = arn:aws:iam::012345678901:mfa/glennpratt

aws-cli never asks for an MFA token and I don't receive IAM permissions granted to MFA users. Here's the policy:

{  
    "Version":"2012-10-17",
    "Statement":[  
        {  
            "Condition":{  
                "NumericLessThan":{  
                    "aws:MultiFactorAuthAge":"43200"
                }
            },
            "Action":"*",
            "Resource":"*",
            "Effect":"Allow"
        }
    ]
}

And the error:

aws iam create-access-key --profile test --user glenn.pratt

A client error (AccessDenied) occurred when calling the CreateAccessKey operation: User: arn:aws:iam::012345678901:user/glennpratt is not authorized to perform: iam:CreateAccessKey on resource: user glennpratt

If I add a role_arn, then aws-cli asks for an MFA token and assumes role, but we want to grant user permissions without assuming a role.

[jamesls]

Marking as a feature request. The CLI currently does not support this, but it would be nice to have.

[ksperling]

Those waiting for this feature might want to have a look at https://github.com/lonelyplanet/aws-mfa (unfortunately it seems unmaintained).

One feature I would particularly like in this context is to be able to spawn a sub-shell via a command like aws shell such that the temporary credentials are only cached in the environment of that shell process rather than written to disk. This feature would also be beneficial in the context of assume role.

[ksperling]

I've implemented a shell script called aws-session that prompts for MFA credentials and makes them available in an interactive shell (think sudo -s for AWS).

At the moment it only supports STS GetSessionToken, but I may add AssumeRole support as well. One difference compared to the native AssumeRole support in the CLI is that the temporary credentials (intentionally) do not get persisted, so they can easily be discarded just by closing the shell.

[pwaller]

I've also written something called aws-creds which caches credentials (or can be used to invoke a shell with the credentials in it) and also supports AssumeRole. I think there are a few of these out there, I already know two other organisations which have their own scripts for doing this. It would be great to see this implemented in the official tooling.

[ASayre]

Good Morning!

We're closing this issue here on GitHub, as part of our migration to UserVoice for feature requests involving the AWS CLI.

This will let us get the most important features to you, by making it easier to search for and show support for the features you care the most about, without diluting the conversation with bug reports.

As a quick UserVoice primer (if not already familiar): after an idea is posted, people can vote on the ideas, and the product team will be responding directly to the most popular suggestions.

We’ve imported existing feature requests from GitHub - Search for this issue there!

And don't worry, this issue will still exist on GitHub for posterity's sake. As it’s a text-only import of the original post into UserVoice, we’ll still be keeping in mind the comments and discussion that already exist here on the GitHub issue.

GitHub will remain the channel for reporting bugs.

Once again, this issue can now be found by searching for the title on: https://aws.uservoice.com/forums/598381-aws-command-line-interface

-The AWS SDKs & Tools Team

This entry can specifically be found on UserVoice at: https://aws.uservoice.com/forums/598381-aws-command-line-interface/suggestions/33168322-support-mfa-without-assume-role

[salmanwaheed]

This message was created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients. This is a temporary error. The following address(es) deferred: [email protected] Domain salmanwaheed.info has exceeded the max emails per hour (186/150 (124%)) allowed. Message will be reattempted later

…

------- This is a copy of the message, including all the headers. ------ Received: from o8.sgmail.github.com ([167.89.101.199]:57580) by box1177.bluehost.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.89_1) (envelope-from <[email protected]>) id 1ej0RO-001c37-GQ for [email protected]; Tue, 06 Feb 2018 03:25:31 -0700 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=github.com; h=from:reply-to:to:cc:in-reply-to:references:subject:mime-version:content-type:content-transfer-encoding:list-id:list-archive:list-post:list-unsubscribe; s=s20150108; bh=Fr89r4On8a1r6VY5SkJJNwy4Nx8=; b=toumNFHfeuc5+40X sUQLSduCNXTGyvYwL6pVxwTn5ZiEweoerDvNTBBec6XbIR2eutBHKSq+qFqrAcap 2fQ30GzuVgK5cgSjJYeTLXb2SvvdgVxYxqFI/gGRc5Usv4jFk4MQiQsIgZJbxuw5 D5sAFggmG2AzkhUlLX0SyxJptf8= Received: by filter0035p1las1.sendgrid.net with SMTP id filter0035p1las1-16682-5A79828F-1A 2018-02-06 10:25:19.672583041 +0000 UTC Received: from github-smtp2a-ext-cp1-prd.iad.github.net (github-smtp2a-ext-cp1-prd.iad.github.net [192.30.253.16]) by ismtpd0014p1iad2.sendgrid.net (SG) with ESMTP id ewEZaVmDRJ-aYMm9WnWRPA for <[email protected]>; Tue, 06 Feb 2018 10:25:19.573 +0000 (UTC) Date: Tue, 06 Feb 2018 10:25:19 +0000 (UTC) From: Andre Sayre <[email protected]> Reply-To: aws/aws-cli <[email protected]> To: aws/aws-cli <[email protected]> Cc: Subscribed <[email protected]> Message-ID: <aws/aws-cli/issue/1985/issue_event/[email protected]> In-Reply-To: <aws/aws-cli/issues/[email protected]> References: <aws/aws-cli/issues/[email protected]> Subject: Re: [aws/aws-cli] Support mfa without assume role. (#1985) Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="--==_mimepart_5a79828f6a3bb_49492ac7ff27eed4410170"; charset=UTF-8 Content-Transfer-Encoding: 7bit Precedence: list X-GitHub-Sender: ASayre X-GitHub-Recipient: salmanwaheed X-GitHub-Reason: subscribed List-ID: aws/aws-cli <aws-cli.aws.github.com> List-Archive: https://github.com/aws/aws-cli List-Post: <mailto:[email protected]> List-Unsubscribe: <mailto:unsub+00ef1b38942a318fc72318f5914b2406e7a5c04402e65e0092cf000000011691448f92a169ce094c45b3@reply.github.com>, <https://github.com/notifications/unsubscribe/AO8bODX4v_faMmuIp_OVmAUccpS9fzY5ks5tSCiPgaJpZM4IjU3M> X-Auto-Response-Suppress: All X-GitHub-Recipient-Address: [email protected] X-SG-EID: 92ws1MVnlto3blxqXlf5goB0ee0kdDGWR6vcWx8d64/8pOhCcaPkq+rGtzL9C9I6BNj9+S4t9ZKdXQ SvQf8sFgO9hRFhatpRlEX55HtHVJk/e5l+F0h1xp42Bu9hOU2lvGQ6mZ1ZnyDI7E/qE6i98fMF50dF HrWm5yGoYIgAbgX8ZL2zqrgHEcP6iZN8v4sb0hr3Nr1Nebm47kD09amqJ8VtA92CLkStJGqDm8nGWA I= X-Spam-Status: No, score=-0.4 X-Spam-Score: -3 X-Spam-Bar: / X-Ham-Report: Spam detection software, running on the system "box1177.bluehost.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root\@localhost for details. Content preview: Closed aws/aws-cli#1985. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: #1985 (comment) Closed aws/aws-cli#1985. [...] Content analysis details: (-0.4 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: github.com] -0.5 SPF_PASS SPF: sender matches SPF record -1.0 RCVD_IN_MSPIKE_H4 RBL: Very Good reputation (+4) [167.89.101.199 listed in wl.mailspike.net] -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain 0.0 HTML_MESSAGE BODY: HTML included in message 0.7 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 2.5 DCC_CHECK No description available. -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.8 RCVD_IN_MSPIKE_WL Mailspike good senders -1.2 AWL AWL: Adjusted score from AWL reputation of From: address X-Spam-Flag: NO

----==_mimepart_5a79828f6a3bb_49492ac7ff27eed4410170 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Closed aws/aws-cli#1985.

-- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: #1985 (comment) ----==_mimepart_5a79828f6a3bb_49492ac7ff27eed4410170 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 7bit <p>Closed <a href="#1985" class="issue-link js-issue-link" data-error-text="Failed to load issue title" data-id="155993523" data-permission-text="Issue title is private" data-url="#1985">#1985</a>.</p> <p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">&mdash;<br />You are receiving this because you are subscribed to this thread.<br />Reply to this email directly, <a href="#1985 (comment)">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/AO8bOAbyUdUoUCJ0y5JyI3YNzi3YTzPVks5tSCiPgaJpZM4IjU3M">mute the thread</a>.<img alt="" height="1" src="https://github.com/notifications/beacon/AO8bOOC6WQJgwWPgUQY_flcImzNILKyOks5tSCiPgaJpZM4IjU3M.gif" width="1" /></p> <div itemscope itemtype="http://schema.org/EmailMessage"> <div itemprop="action" itemscope itemtype="http://schema.org/ViewAction"> <link itemprop="url" href="#1985 (comment)"></link> <meta itemprop="name" content="View Issue"></meta> </div> <meta itemprop="description" content="View this Issue on GitHub"></meta> </div> <script type="application/json" data-scope="inboxmarkup">{"api_version":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c55493e4bb","name":"GitHub"},"entity":{"external_key":"github/aws/aws-cli","title":"aws/aws-cli","subtitle":"GitHub repository","main_image_url":"https://cloud.githubusercontent.com/assets/143418/17495839/a5054eac-5d88-11e6-95fc-7290892c7bb5.png","avatar_image_url":"https://cloud.githubusercontent.com/assets/143418/15842166/7c72db34-2c0b-11e6-9aed-b52498112777.png","action":{"name":"Open in GitHub","url":"https://github.com/aws/aws-cli"}},"updates":{"snippets":[{"icon":"DESCRIPTION","message":"Closed aws/aws-cli#1985."}],"action":{"name":"View Issue","url":"#1985 (comment)"}}}</script> ----==_mimepart_5a79828f6a3bb_49492ac7ff27eed4410170--

[salmanwaheed]

This message was created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients. This is a temporary error. The following address(es) deferred: [email protected] Domain salmanwaheed.info has exceeded the max emails per hour (187/150 (124%)) allowed. Message will be reattempted later

…

------- This is a copy of the message, including all the headers. ------ ------ The body of the message is 6170 characters long; only the first ------ 5000 or so are included here. Received: from github-smtp2-ext6.iad.github.net ([192.30.252.197]:60912 helo=github-smtp2b-ext-cp1-prd.iad.github.net) by box1177.bluehost.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89_1) (envelope-from <[email protected]>) id 1ej0RR-001c3U-9t for [email protected]; Tue, 06 Feb 2018 03:25:33 -0700 Date: Tue, 06 Feb 2018 02:25:21 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1517912721; bh=F4Z/NdKuUHKikHp3+zaJPlQHGZiJ4WDvS4uXRxMSE9g=; h=From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=Q2NdxaajIIOP9c88o9Ln3Jwp0WrRFsVU2Ektsz4uHoHqNdxq+i5gMV2uKibxOX19L mg86yb1gQk+DFaEaMDc3ipr8m3XEz/p0Vy3m9UxxscvfgQmMNPGrLzm7ZWvdoJfF3n Uk8iy1e8O+Pn21zBMPiVfUSSDGY2w9SlQJdQMJiA= From: Andre Sayre <[email protected]> Reply-To: aws/aws-cli <[email protected]> To: aws/aws-cli <[email protected]> Cc: Subscribed <[email protected]> Message-ID: <aws/aws-cli/issues/1985/[email protected]> In-Reply-To: <aws/aws-cli/issues/[email protected]> References: <aws/aws-cli/issues/[email protected]> Subject: Re: [aws/aws-cli] Support mfa without assume role. (#1985) Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="--==_mimepart_5a798291ac224_458b3ff55d8f4f3450895c"; charset=UTF-8 Content-Transfer-Encoding: 7bit Precedence: list X-GitHub-Sender: ASayre X-GitHub-Recipient: salmanwaheed X-GitHub-Reason: subscribed List-ID: aws/aws-cli <aws-cli.aws.github.com> List-Archive: https://github.com/aws/aws-cli List-Post: <mailto:[email protected]> List-Unsubscribe: <mailto:unsub+00ef1b3806a67678faf26f0a785048b727ee591e85d9594592cf000000011691449192a169ce094c45b3@reply.github.com>, <https://github.com/notifications/unsubscribe/AO8bOKRhA1vUJ4SDb1X6vZjhZ_VZMP7gks5tSCiRgaJpZM4IjU3M> X-Auto-Response-Suppress: All X-GitHub-Recipient-Address: [email protected] X-Spam-Status: No, score=-1.1 X-Spam-Score: -10 X-Spam-Bar: - X-Ham-Report: Spam detection software, running on the system "box1177.bluehost.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root\@localhost for details. Content preview: Good Morning! We're closing this issue here on GitHub, as part of our migration to [UserVoice](https://aws.uservoice.com/forums/598381-aws-command-line-interface) for feature requests involving the AWS CLI. [...] Content analysis details: (-1.1 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: uservoice.com] -0.5 SPF_PASS SPF: sender matches SPF record 0.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.5 AWL AWL: Adjusted score from AWL reputation of From: address X-Spam-Flag: NO

----==_mimepart_5a798291ac224_458b3ff55d8f4f3450895c Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Good Morning! We're closing this issue here on GitHub, as part of our migration to [Use= rVoice](https://aws.uservoice.com/forums/598381-aws-command-line-interfac= e) for feature requests involving the AWS CLI. This will let us get the most important features to you, by making it eas= ier to search for and show support for the features you care the most abo= ut, without diluting the conversation with bug reports. As a quick UserVoice primer (if not already familiar): after an idea is p= osted, people can vote on the ideas, and the product team will be respond= ing directly to the most popular suggestions. We=E2=80=99ve imported existing feature requests from GitHub - Search for= this issue there! And don't worry, this issue will still exist on GitHub for posterity's sa= ke. As it=E2=80=99s a text-only import of the original post into UserVoi= ce, we=E2=80=99ll still be keeping in mind the comments and discussion th= at already exist here on the GitHub issue. GitHub will remain the channel for reporting bugs. = Once again, this issue can now be found by searching for the title on: ht= tps://aws.uservoice.com/forums/598381-aws-command-line-interface =

-The AWS SDKs & Tools Team

-- = You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: #1985 (comment)=

----==_mimepart_5a798291ac224_458b3ff55d8f4f3450895c Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable <p>Good Morning!</p> <p>We're closing this issue here on GitHub, as part of our migration to <= a href=3D"https://aws.uservoice.com/forums/598381-aws-command-line-interf= ace" rel=3D"nofollow">UserVoice</a> for feature requests involving the AW= S CLI.</p> <p>This will let us get the most important features to you, by making it = easier to search for and show support for the features you care the most = about, without diluting the conversation with bug reports.</p> <p>As a quick UserVoice primer (if not already familiar): after an idea i= s posted, people can vote on the ideas, and the product team will be resp= onding directly to the most popular suggestions.</p> <p>We=E2=80=99ve imported existing feature requests from GitHub - Search = for this issue there!</p> <p>And don't worry, this issue will still exist on GitHub for posterity's= sake. As it=E2=80=99s a text-only import of the original post into User= Voice, we=E2=80=99ll still be keeping in mind the comments and discussion= that already exist here on the GitHub issue.</p> <p>GitHub will remain the channel for reporting bugs.</p> <p>Once again, this issue can now be found by searching for the title on:= <a href=3D"https://aws.uservoice.com/forums/598381-aws-command-line-inte= rface" rel=3D"nofollow">https://aws.uservoice.com/forums/598381-aws-comma= nd-line-interface</a></p> <p>-The AWS SDKs &amp; Tools Team</p> <p style=3D"font-size:small;-webkit-text-size-adjust:none;color:#666;">&m= dash;<br />You are receiving this because you are subscribed to this thre= ad.<br />Reply to this email directly, <a href=3D"https://github.com/aws/= aws-cli/issues/1985#issuecomment-363378537">view it on GitHub</a>, or <a = href=3D"https://github.com/notifications/unsubscribe-auth/AO8bOMlWpV1dKXK= SizUST3b5uTzkSIgnks5tSCiRgaJpZM4IjU3M">mute the thread</a>.<img alt=3D"" = height=3D"1" src=3D"https://github.com/notifications/beacon/AO8bODBqt6N1r= l-cepPSV9FjSX2zJ3LZks5tSCiRgaJpZM4IjU3M.gif" width=3D"1" /></p> <div itemscope itemtype=3D"http://schema.org/EmailMessage"> <div itemprop=3D"action" itemscope itemtype=3D"http://schema.org/ViewActi= on"> <link itemprop=3D"url" href=3D"#19= 85#issuecomment-363378537"></link> <meta itemprop=3D"name" content=3D"View Issue"></meta> </div> <meta itemprop=3D"description" content=3D"View this Issue on GitHub"></me= ta> </div> <script type=3D"application/json" data-scope=3D"inboxmarkup">{"api_versio= n":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c55493e4bb","name"= :"GitHub"},"entity":{"external_key":"github/aws/aws-cli","title":"aws/aws= -cli","subtitle":"GitHub repository","main_image_url":"https://cloud.gith= ubusercontent.com/assets/143418/17495839/a5054eac-5d88-11e6-95fc-7290892c= 7bb5.png","avatar_image_url":"https://cloud.githubusercontent.com/assets/= 143418/15842166/7c72db34-2c0b-11e6-9aed-b52498112777.png","action":{"name= ":"Open in GitHub","url":"https://github.com/aws/aws-cli"}},"updates":{"s= nippets":[{"icon":"PERSON","message":"@ASayre in aws/aws-cli#1985: Good Morning!\r\n= \r\nWe're closing this issue here on GitHub, as part of our migration to = [UserVoice](https://aws.uservoice.com/forums/598381-aws-command-line-inte= rface) for feature requests involving the AWS CLI.\r\n\r\nThis will let u= s get the most important features t

[jamesls]

Based on community feedback, we have decided to return feature requests to GitHub issues.

[ahl]

Seems like a dupe of aws/aws-sdk#529 and #3174

[tb3088]

With AWS Professional Services incessantly pushing MFA and heavy use of account separation and assume-role and friends, the least the tools team could do is keep up, eh?

[tb3088]

this is a common IAM template fragment that the lack of support means things get annoying, fast. A more complete example.

        {
            "Sid": "BlockMostAccessUnlessSignedInWithMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:GetAccountSummary",
                "iam:ListAccountAliases",
                "iam:ListUsers",
                "iam:ListServiceSpecificCredentials",
                "iam:ListMFADevices",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice",
                "iam:ListVirtualMFADevices",
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice",
                "sts:GetSessionToken"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }

[cornfeedhobo]

Please implement this, like, yesterday.
#3174
boto/botocore#1399

[whereismypen]

How can this not be merged by now? The solution is waiting here. As the others here have said, this would be a great aid in time and a step up in security.

[Angelin01]

6 years later and this is not supported. Thousands of mini shell scripts using sts assume-role and similar solutions just to get around this.

People will only implement extra protections if it is a good trade off between convenience and added security, and as of right now using MFA on the CLI is a huge inconvenience because of this and #3174. Having worked with a lot of folks using AWS, I can count on my fingers how many permanently adopted MFA for the CLI, and of those who did everyone hacked together some sort of alternative solution to this exact issue.

[irl-segfault]

Agreed that it's strange to not have been fixed yet, however at least you can have MFA work (be prompted for) as long as the profile you're using assumes a role. Temp credentials are stored in ~/.aws/cli/cache, so you don't need a wrapper/scaffold script to update your ~/.aws/credentials file. Having users interact with the API via a Role is a better practice anyways, though I feel everyone's pain.

[tb3088]

I do all that - look at cache, etc. in my scripts. The point is there should NOT be an assume-role required for MFA to be invoked. It's a bogus dependency that the API writers just jammed in there without thinking. The API writers have some glaring blind spots - namely naming consistency for starters.

[irl-segfault]

I don't disagree, just saying there's an easy workaround -- create a role, allow your user to assume the role, and add the roleARN to your ~/.aws/credentials until this is fixed. Agree it's not necessary / confusing.

[whereismypen]

Another quarter has lapsed and still nothing. No update, no progress, not even a promise. Even Google supports MFA on gcloud (with token even 👍 ).

[sebandgo]

It's becoming embarrassing 🤦.
A 6 years old feature request, oh dear...

[whereismypen]

Another quarter and this hasn't made any progress. Decision makers should consider this when choosing platforms.
@SebastianGogoasa - It's past embarrassing.

[sebandgo]

@whereismypen agree. I bet @glennpratt who originally raised this issue back in 2016 is very close to its retirement age.

I may be wrong but my guess is that AWS is working on a DNA based type of authentication for its CLI and I don't think we'll need this feature anymore... no more MFA, ADFS and all that non-sense.

That was a joke, but seriously this is a matter of security. What's the point in setting up MFA for the console when most of the developers are using the CLI on a daily basis.

[gitnik]

Let's try it again. More than 6 months later

[cornfeedhobo]

After more life experience, here is my $0.02:

Any company that has a big enough budget to get AWS to assign developer hours, is not using MFA directly in this way.

If you feel differently and work at a big company, then you will need to email this issue to your account's solution architect. That is the only way this will get attention. Don't hesitate. That's what they are there for.