Support mfa without assume role. #1985
Comments
Marking as a feature request. The CLI currently does not support this, but it would be nice to have. |
Those waiting for this feature might want to have a look at https://github.com/lonelyplanet/aws-mfa (unfortunately it seems unmaintained). One feature I would particularly like in this context is to be able to spawn a sub-shell via a command like |
I've implemented a shell script called aws-session that prompts for MFA credentials and makes them available in an interactive shell (think At the moment it only supports STS GetSessionToken, but I may add AssumeRole support as well. One difference compared to the native AssumeRole support in the CLI is that the temporary credentials (intentionally) do not get persisted, so they can easily be discarded just by closing the shell. |
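A minimal version of the GetSessionToken flow that comment describes, as an added example written for this page (it is not the aws-session script from the comment): it prompts for the code, calls `aws sts get-session-token`, and hands the result to a child shell through environment variables only, so closing the shell discards the session. Assumptions: the IAM user's long-lived keys are in the active CLI profile, the MFA device ARN is passed as the first argument, a one-hour session is enough, and `AWS_SESSION_EXPIRATION` is a convenience variable of this script that the CLI itself does not read. One caveat worth knowing: STS does not let the session credentials returned by GetSessionToken call GetSessionToken again (only AssumeRole and GetCallerIdentity), so to refresh you exit the child shell and rerun the script from the profile that still holds the long-lived keys.

```sh
#!/bin/sh
# aws-mfa-shell.sh: added example, not the aws-session script from the thread.
# Calls STS GetSessionToken with an MFA code and starts a child shell whose
# environment carries the temporary credentials. Nothing is written to disk;
# exiting the child shell discards the session.
#
# Assumptions: the long-lived IAM user keys are in the active CLI profile
# ($AWS_PROFILE or "default"); the MFA device ARN is passed as $1; a 1-hour
# session is enough (GetSessionToken accepts 900..129600 seconds).

# AWS accepts only a 6-digit TOTP code; reject anything else before calling STS.
mfa_validate_code() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Turn one whitespace-separated row produced by
#   --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' --output text
# into the export statements the child shell needs. Keys and tokens are
# base64-like (no whitespace, no glob characters), so splitting on whitespace
# is safe; pathname expansion is disabled while splitting anyway.
mfa_exports_from_row() {
    set -f
    set -- $1
    set +f
    if [ "$#" -ne 4 ]; then
        echo "unexpected GetSessionToken output (expected 4 fields, got $#)" >&2
        return 1
    fi
    printf 'export AWS_ACCESS_KEY_ID=%s\n' "$1"
    printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$2"
    printf 'export AWS_SESSION_TOKEN=%s\n' "$3"
    # Not read by the CLI; kept so the user can see when the session ends.
    printf 'export AWS_SESSION_EXPIRATION=%s\n' "$4"
}

# Prompt for the code, fetch the session, and exec a shell that inherits it.
mfa_session() {
    serial=$1
    printf 'MFA code for %s: ' "$serial" >&2
    read -r code
    mfa_validate_code "$code" || { echo "token code must be exactly 6 digits" >&2; return 1; }
    row=$(aws sts get-session-token \
            --serial-number "$serial" \
            --token-code "$code" \
            --duration-seconds 3600 \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
            --output text) || return 1
    exports=$(mfa_exports_from_row "$row") || return 1
    eval "$exports"
    # The child shell must use the session, not fall back to the profile's
    # long-lived keys, so drop any profile selection from the environment.
    unset AWS_PROFILE AWS_DEFAULT_PROFILE
    echo "session credentials valid until $AWS_SESSION_EXPIRATION; exit to discard them" >&2
    exec "${SHELL:-/bin/sh}"
}

# Run only when given an MFA device ARN, e.g.:
#   sh aws-mfa-shell.sh arn:aws:iam::123456789012:mfa/alice
case "${1:-}" in
    arn:aws:iam::*:mfa/*) mfa_session "$1" ;;
esac
```

Inside the child shell, `aws sts get-caller-identity` and any command allowed to MFA-authenticated sessions work against the exported credentials; `exit` returns to the parent shell, which never saw them.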
I've also written something called |
Good Morning! We're closing this issue here on GitHub, as part of our migration to UserVoice for feature requests involving the AWS CLI. This will let us get the most important features to you, by making it easier to search for and show support for the features you care the most about, without diluting the conversation with bug reports. As a quick UserVoice primer (if not already familiar): after an idea is posted, people can vote on the ideas, and the product team will be responding directly to the most popular suggestions. We’ve imported existing feature requests from GitHub - Search for this issue there! And don't worry, this issue will still exist on GitHub for posterity's sake. As it’s a text-only import of the original post into UserVoice, we’ll still be keeping in mind the comments and discussion that already exist here on the GitHub issue. GitHub will remain the channel for reporting bugs. Once again, this issue can now be found by searching for the title on: https://aws.uservoice.com/forums/598381-aws-command-line-interface -The AWS SDKs & Tools Team This entry can specifically be found on UserVoice at: https://aws.uservoice.com/forums/598381-aws-command-line-interface/suggestions/33168322-support-mfa-without-assume-role |
Based on community feedback, we have decided to return feature requests to GitHub issues. |
Seems like a dupe of aws/aws-sdk#529 and #3174 |
With AWS Professional Services incessantly pushing MFA and heavy use of account separation and assume-role and friends, the least the tools team could do is keep up, eh? |
This is a common IAM template fragment; the lack of support means things get annoying, fast. A more complete example. |
Please implement this, like, yesterday. |
How can this not be merged by now? The solution is waiting here. As the others here have said, this would be a great aid in time and a step up in security. |
6 years later and this is not supported. Thousands of mini shell scripts using People will only implement extra protections if it is a good trade off between convenience and added security, and as of right now using MFA on the CLI is a huge inconvenience because of this and #3174. Having worked with a lot of folks using AWS, I can count on my fingers how many permanently adopted MFA for the CLI, and of those who did everyone hacked together some sort of alternative solution to this exact issue. |
Agreed that it's strange to not have been fixed yet, however at least you can have MFA work (be prompted for) as long as the profile you're using assumes a role. Temp credentials are stored in |
I do all that - look at cache, etc. in my scripts. The point is there should NOT be an assume-role required for MFA to be invoked. It's a bogus dependency that the API writers just jammed in there without thinking. The API writers have some glaring blind spots - namely naming consistency for starters. |
I don't disagree, just saying there's an easy workaround -- create a role, allow your user to assume the role, and add the roleARN to your |
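The profile layout that workaround relies on, as an added example (not from the thread); the account ID, role name and MFA device name are placeholders:

```ini
# ~/.aws/config (added example; 123456789012, cli-mfa and alice are placeholders)
# The long-lived access keys stay in the [default] section of ~/.aws/credentials.
[profile mfa]
role_arn         = arn:aws:iam::123456789012:role/cli-mfa
source_profile   = default
mfa_serial       = arn:aws:iam::123456789012:mfa/alice
# optional, must not exceed the role's maximum session duration
duration_seconds = 3600
```

With this in place, `aws --profile mfa sts get-caller-identity` prompts for the code, calls AssumeRole with the MFA claim, and caches the role credentials until they expire. The check that matters on the server side: the role's trust policy should itself carry a `"Bool": {"aws:MultiFactorAuthPresent": "true"}` condition on `sts:AssumeRole`. Without it the prompt is only a client-side convenience, and anyone holding the long-lived keys can assume the role with no code at all.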
Another quarter has lapsed and still nothing. No update, no progress, not even a promise. Even Google supports MFA on gcloud (with token even 👍 ). |
It's becoming embarrassing 🤦. |
Another quarter and this hasn't made any progress. Decision makers should consider this when choosing platforms. |
@whereismypen agree. I bet @glennpratt who originally raised this issue back in 2016 is very close to its retirement age. I may be wrong but my guess is that AWS is working on a DNA-based type of authentication for its CLI and I don't think we'll need this feature anymore... no more MFA, ADFS and all that nonsense. That was a joke, but seriously this is a matter of security. What's the point in setting up MFA for the console when most of the developers are using the CLI on a daily basis? |
Let's try it again. More than 6 months later |
After more life experience, here is my $0.02: Any company that has a big enough budget to get AWS to assign developer hours is not using MFA directly in this way. If you feel differently and work at a big company, then you will need to email this issue to your account's solution architect. That is the only way this will get attention. Don't hesitate. That's what they are there for. |
Given the following profile:
aws-cli never asks for an MFA token and I don't receive IAM permissions granted to MFA users. Here's the policy:
And the error:
If I add a role_arn, then aws-cli asks for an MFA token and assumes role, but we want to grant user permissions without assuming a role.
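For reference, the shape of a policy that grants permissions only when MFA was used, as an added example of the pattern the report and the "IAM template fragment" comment above refer to (it is not the policy from the original report; the action is a placeholder):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyWithMfa",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    }
  ]
}
```

Why this fails from the CLI without a `role_arn`: a request signed with plain long-lived access keys carries no `aws:MultiFactorAuthPresent` key in its context, and a `Bool` condition on an absent key does not match, so the Allow never applies. The key only appears (set to `true`) in requests made with credentials from GetSessionToken or AssumeRole called with an MFA code. The same absence matters if you write the inverse as a Deny: `"Bool": {"aws:MultiFactorAuthPresent": "false"}` also fails to match when the key is missing, which is why such Deny statements use `BoolIfExists` instead.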