Aws-cli: Support mfa without assume role.

Marking as a feature request. The CLI currently does not support this, but it would be nice to have.

Those waiting for this feature might want to have a look at https://github.com/lonelyplanet/aws-mfa (unfortunately it seems unmaintained).

One feature I would particularly like in this context is to be able to spawn a sub-shell via a command like aws shell such that the temporary credentials are only cached in the environment of that shell process rather than written to disk. This feature would also be beneficial in the context of assume role.

I've implemented a shell script called aws-session that prompts for MFA credentials and makes them available in an interactive shell (think sudo -s for AWS).

At the moment it only supports STS GetSessionToken, but I may add AssumeRole support as well. One difference compared to the native AssumeRole support in the CLI is that the temporary credentials (intentionally) do not get persisted, so they can easily be discarded just by closing the shell.

I've also written something called aws-creds which caches credentials (or can be used to invoke a shell with the credentials in it) and also supports AssumeRole. I think there are a few of these out there, I already know two other organisations which have their own scripts for doing this. It would be great to see this implemented in the official tooling.

Good Morning!

We're closing this issue here on GitHub, as part of our migration to UserVoice for feature requests involving the AWS CLI.

This will let us get the most important features to you, by making it easier to search for and show support for the features you care the most about, without diluting the conversation with bug reports.

As a quick UserVoice primer (if not already familiar): after an idea is posted, people can vote on the ideas, and the product team will be responding directly to the most popular suggestions.

We’ve imported existing feature requests from GitHub - Search for this issue there!

And don't worry, this issue will still exist on GitHub for posterity's sake. As it’s a text-only import of the original post into UserVoice, we’ll still be keeping in mind the comments and discussion that already exist here on the GitHub issue.

GitHub will remain the channel for reporting bugs.

Once again, this issue can now be found by searching for the title on: https://aws.uservoice.com/forums/598381-aws-command-line-interface

-The AWS SDKs & Tools Team

This entry can specifically be found on UserVoice at: https://aws.uservoice.com/forums/598381-aws-command-line-interface/suggestions/33168322-support-mfa-without-assume-role

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a temporary error. The following address(es) deferred:

[email protected]
Domain salmanwaheed.info has exceeded the max emails per hour (186/150 (124%)) allowed. Message will be reattempted later

------- This is a copy of the message, including all the headers. ------
Received: from o8.sgmail.github.com ([167.89.101.199]:57580)
by box1177.bluehost.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
(Exim 4.89_1)
(envelope-from )
id 1ej0RO-001c37-GQ
for [email protected]; Tue, 06 Feb 2018 03:25:31 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=github.com;
h=from:reply-to:to:cc:in-reply-to:references:subject:mime-version:content-type:content-transfer-encoding:list-id:list-archive:list-post:list-unsubscribe;
s=s20150108; bh=Fr89r4On8a1r6VY5SkJJNwy4Nx8=; b=toumNFHfeuc5+40X
sUQLSduCNXTGyvYwL6pVxwTn5ZiEweoerDvNTBBec6XbIR2eutBHKSq+qFqrAcap
2fQ30GzuVgK5cgSjJYeTLXb2SvvdgVxYxqFI/gGRc5Usv4jFk4MQiQsIgZJbxuw5
D5sAFggmG2AzkhUlLX0SyxJptf8=
Received: by filter0035p1las1.sendgrid.net with SMTP id filter0035p1las1-16682-5A79828F-1A
2018-02-06 10:25:19.672583041 +0000 UTC
Received: from github-smtp2a-ext-cp1-prd.iad.github.net (github-smtp2a-ext-cp1-prd.iad.github.net [192.30.253.16])
by ismtpd0014p1iad2.sendgrid.net (SG) with ESMTP id ewEZaVmDRJ-aYMm9WnWRPA
for hello@salmanwaheed.info; Tue, 06 Feb 2018 10:25:19.573 +0000 (UTC)
Date: Tue, 06 Feb 2018 10:25:19 +0000 (UTC)
From: Andre Sayre notifications@github.com
Reply-To: aws/aws-cli reply@reply.github.com
To: aws/aws-cli aws-cli@noreply.github.com
Cc: Subscribed subscribed@noreply.github.com
Message-ID:
In-Reply-To:
References:
Subject: Re: [aws/aws-cli] Support mfa without assume role. (#1985)
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="--==_mimepart_5a79828f6a3bb_49492ac7ff27eed4410170";
charset=UTF-8
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: ASayre
X-GitHub-Recipient: salmanwaheed
X-GitHub-Reason: subscribed
List-ID: aws/aws-cli
List-Archive: https://github.com/aws/aws-cli
List-Post: reply@reply.github.com
List-Unsubscribe: ,
https://github.com/notifications/unsubscribe/AO8bODX4v_faMmuIp_OVmAUccpS9fzY5ks5tSCiPgaJpZM4IjU3M
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: [email protected]
X-SG-EID: 92ws1MVnlto3blxqXlf5goB0ee0kdDGWR6vcWx8d64/8pOhCcaPkq+rGtzL9C9I6BNj9+S4t9ZKdXQ
SvQf8sFgO9hRFhatpRlEX55HtHVJk/e5l+F0h1xp42Bu9hOU2lvGQ6mZ1ZnyDI7E/qE6i98fMF50dF
HrWm5yGoYIgAbgX8ZL2zqrgHEcP6iZN8v4sb0hr3Nr1Nebm47kD09amqJ8VtA92CLkStJGqDm8nGWA
I=
X-Spam-Status: No, score=-0.4
X-Spam-Score: -3
X-Spam-Bar: /
X-Ham-Report: Spam detection software, running on the system "box1177.bluehost.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.

Content preview: Closed #1985. -- You are receiving this because you are subscribed
to this thread. Reply to this email directly or view it on GitHub: https://github.com/aws/aws-cli/issues/1985#event-1459793603
Closed #1985. [...]

Content analysis details: (-0.4 points, 5.0 required)

pts rule name description

0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: github.com]
-0.5 SPF_PASS SPF: sender matches SPF record
-1.0 RCVD_IN_MSPIKE_H4 RBL: Very Good reputation (+4)
[167.89.101.199 listed in wl.mailspike.net]
-0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay
domain
0.0 HTML_MESSAGE BODY: HTML included in message
0.7 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
2.5 DCC_CHECK No description available.
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.8 RCVD_IN_MSPIKE_WL Mailspike good senders
-1.2 AWL AWL: Adjusted score from AWL reputation of From: address
X-Spam-Flag: NO

----==_mimepart_5a79828f6a3bb_49492ac7ff27eed4410170
Content-Type: text/plain;
charset=UTF-8
Content-Transfer-Encoding: 7bit

Closed #1985.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/aws/aws-cli/issues/1985#event-1459793603
----==_mimepart_5a79828f6a3bb_49492ac7ff27eed4410170
Content-Type: text/html;
charset=UTF-8
Content-Transfer-Encoding: 7bit

Closed #1985.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.

----==_mimepart_5a79828f6a3bb_49492ac7ff27eed4410170--

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a temporary error. The following address(es) deferred:

[email protected]
Domain salmanwaheed.info has exceeded the max emails per hour (187/150 (124%)) allowed. Message will be reattempted later

------- This is a copy of the message, including all the headers. ------
------ The body of the message is 6170 characters long; only the first
------ 5000 or so are included here.
Received: from github-smtp2-ext6.iad.github.net ([192.30.252.197]:60912 helo=github-smtp2b-ext-cp1-prd.iad.github.net)
by box1177.bluehost.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.89_1)
(envelope-from noreply@github.com)
id 1ej0RR-001c3U-9t
for [email protected]; Tue, 06 Feb 2018 03:25:33 -0700
Date: Tue, 06 Feb 2018 02:25:21 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com;
s=pf2014; t=1517912721;
bh=F4Z/NdKuUHKikHp3+zaJPlQHGZiJ4WDvS4uXRxMSE9g=;
h=From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID:
List-Archive:List-Post:List-Unsubscribe:From;
b=Q2NdxaajIIOP9c88o9Ln3Jwp0WrRFsVU2Ektsz4uHoHqNdxq+i5gMV2uKibxOX19L
mg86yb1gQk+DFaEaMDc3ipr8m3XEz/p0Vy3m9UxxscvfgQmMNPGrLzm7ZWvdoJfF3n
Uk8iy1e8O+Pn21zBMPiVfUSSDGY2w9SlQJdQMJiA=
From: Andre Sayre notifications@github.com
Reply-To: aws/aws-cli reply@reply.github.com
To: aws/aws-cli aws-cli@noreply.github.com
Cc: Subscribed subscribed@noreply.github.com
Message-ID:
In-Reply-To:
References:
Subject: Re: [aws/aws-cli] Support mfa without assume role. (#1985)
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="--==_mimepart_5a798291ac224_458b3ff55d8f4f3450895c";
charset=UTF-8
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: ASayre
X-GitHub-Recipient: salmanwaheed
X-GitHub-Reason: subscribed
List-ID: aws/aws-cli
List-Archive: https://github.com/aws/aws-cli
List-Post: reply@reply.github.com
List-Unsubscribe: ,
https://github.com/notifications/unsubscribe/AO8bOKRhA1vUJ4SDb1X6vZjhZ_VZMP7gks5tSCiRgaJpZM4IjU3M
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: [email protected]
X-Spam-Status: No, score=-1.1
X-Spam-Score: -10
X-Spam-Bar: -
X-Ham-Report: Spam detection software, running on the system "box1177.bluehost.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root@localhost for details.

Content preview: Good Morning! We're closing this issue here on GitHub, as
part of our migration to UserVoice
for feature requests involving the AWS CLI. [...]

Content analysis details: (-1.1 points, 5.0 required)

pts rule name description

0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: uservoice.com]
-0.5 SPF_PASS SPF: sender matches SPF record
0.0 HTML_MESSAGE BODY: HTML included in message
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.5 AWL AWL: Adjusted score from AWL reputation of From: address
X-Spam-Flag: NO

----==_mimepart_5a798291ac224_458b3ff55d8f4f3450895c
Content-Type: text/plain;
charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Good Morning!

We're closing this issue here on GitHub, as part of our migration to Use=
rVoice for feature requests involving the AWS CLI.

This will let us get the most important features to you, by making it eas=
ier to search for and show support for the features you care the most abo=
ut, without diluting the conversation with bug reports.

As a quick UserVoice primer (if not already familiar): after an idea is p=
osted, people can vote on the ideas, and the product team will be respond=
ing directly to the most popular suggestions.

We=E2=80=99ve imported existing feature requests from GitHub - Search for=
this issue there!

And don't worry, this issue will still exist on GitHub for posterity's sa=
ke. As it=E2=80=99s a text-only import of the original post into UserVoi=
ce, we=E2=80=99ll still be keeping in mind the comments and discussion th=
at already exist here on the GitHub issue.

GitHub will remain the channel for reporting bugs. =

Once again, this issue can now be found by searching for the title on: ht=
tps://aws.uservoice.com/forums/598381-aws-command-line-interface =

-The AWS SDKs & Tools Team

-- =

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/aws/aws-cli/issues/1985#issuecomment-363378537=

----==_mimepart_5a798291ac224_458b3ff55d8f4f3450895c
Content-Type: text/html;
charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Good Morning!

We're closing this issue here on GitHub, as part of our migration to <= a href=3D"https://aws.uservoice.com/forums/598381-aws-command-line-interf= ace" rel=3D"nofollow">UserVoice for feature requests involving the AW= S CLI.

This will let us get the most important features to you, by making it = easier to search for and show support for the features you care the most = about, without diluting the conversation with bug reports.

As a quick UserVoice primer (if not already familiar): after an idea i= s posted, people can vote on the ideas, and the product team will be resp= onding directly to the most popular suggestions.

We=E2=80=99ve imported existing feature requests from GitHub - Search = for this issue there!

And don't worry, this issue will still exist on GitHub for posterity's= sake. As it=E2=80=99s a text-only import of the original post into User= Voice, we=E2=80=99ll still be keeping in mind the comments and discussion= that already exist here on the GitHub issue.

GitHub will remain the channel for reporting bugs.

Once again, this issue can now be found by searching for the title on:= https://aws.uservoice.com/forums/598381-aws-comma= nd-line-interface

-The AWS SDKs & Tools Team

&m= dash;
You are receiving this because you are subscribed to this thre= ad.
Reply to this email directly, view it on GitHub, or mute the thread.