Similar to issue #132 key rotation is broken in 4.3.0 for non-MFA accounts. This was broken by commit dd7f5c28869fc588b54d256d45144c3240bd3ed2 and reverting it lets aws-vault rotate once more.
Commit dd7f5c288 toggles the NoSession for aws-vault from always-true to always-false, because sessions are needed for MFA rotation. But for non-MFA accounts STS credentials are insufficient to rotate.
Building with 51451d9 I can reproduce a failure:
2018/08/31 15:14:28 Using session ****************GXEH, expires in 3h59m59.876796s
2018/08/31 15:14:28 Using old credentials to create a new access key
aws-vault: error: Failed to get credentials for bridge-website: InvalidClientTokenId: The security token included in the request is invalid
After a git revert of the above commit and local codesign, I can instead rotate cleanly:
% ./aws-vault rotate bridge-website
Rotating credentials for profile "bridge-website" (takes 10-20 seconds)
Done!
I can't properly test the MFA case since my policies allow rotation without MFA, the MFA is only for other write access or cross-account access. I can see that if MFA is required even for rotation then this revert is bad, but don't have time right now to set things up to explore this to write a better patch.
Isn't this because AWS require MFA authenticated STS for any IAM operation when using assumed role.
The only references I've ever found in documentation were to AWS having a hard-coded block on STS for IAM operations, an implicit policy you can't touch, not that it's only blocking non-MFA STS. Thus to my current understanding, MFA only affects aws:MultiFactorAuthPresent blocked operations.
Is there a documentation reference to MFA-STS being allowed for IAM?
The current code is a regression and breaks working configs. I only referenced #281 in the commit message, not the PR. Oops. That doesn't mean this fix is the right fix, only that something does need to change and extracting the decision out into a helper function as this code is probably the right base for doing it.
@philpennock see this:
~ (aws:rean-product)(kc)$ aws-vault exec ${AWS_PROFILE} -- bash
~ (aws:rean-product)(kc)$ aws iam list-roles
An error occurred (InvalidClientTokenId) when calling the ListRoles operation: The security token included in the request is invalid
~ (aws:rean-product)(kc)$ exit
~ (aws:rean-product)(kc)$ aws-vault exec -n ${AWS_PROFILE} -- bash
~ (aws:rean-product)(kc)$ # using non STS session
~ (aws:rean-product)(kc)$ aws iam list-roles
{
"Roles": [
{
No IAM operationwith STS unless using MFA. Let me see if I can find the docs
@philpennock here you go: https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html
https://github.com/99designs/aws-vault#assuming-roles
I've got the same issue, v4.3.0 breaks existing configuration.
@frezbo Your example shows using non-session credentials, ie the IAM credentials, not using an MFA. That's just "No IAM operation with STS" and MFA doesn't enter into it.
Those docs I'm familiar with and are around role assumption. The aws-vault docs cover what I was doing for access to clients' systems even before switching to use aws-vault and in that case, the aws-vault rotate needs to be on the source profile; the use of MFA to assume a different role is entirely unconnected to how the source profile's credentials are managed and rotated.
My #286 got merged (thank you!); it handles the main cases and encapsulates the logic in one place where it should be easy to refine the heuristic as more cases crop up.
@philpennock I'm pretty sure IAM works with STS when assuming roles with MFA. Let me do a little POC and get back. I will be glad if I'm wrong.
@philpennock This is what I was saying, anyway the PR had nothing to do with it, Sorry for the confusion. I see what you have done.
~ (aws:rean-product)(kc)$ # first exec into shell with IAM creds
~ (aws:rean-product)(kc)$ aws-vault exec -n ${AWS_PROFILE} -- bash
~ (aws:rean-product)(kc)$ # let's get some temporary token
~ (aws:rean-product)(kc)$ rm -rf /tmp/json
~ (aws:rean-product)(kc)$ aws sts get-session-token > /tmp/json
~ (aws:rean-product)(kc)$ # now create with MFA
~ (aws:rean-product)(kc)$ aws sts get-session-token --serial-number arn:aws:iam::<redacted>:mfa/<redacted> --token-code <redacted> > /tmp/json
~ (aws:rean-product)(kc)$
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
~ (aws:rean-product)(kc)$ aws s3 ls
Unable to locate credentials. You can configure credentials by running "aws configure".
~ (aws:rean-product)(kc)$ # now let's souce it over here
~ (aws:rean-product)(kc)$ source <(jq -r < /tmp/json '.Credentials | @sh "export AWS_SESSION_TOKEN=\(.SessionToken)\nexport AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey) "')
~ (aws:rean-product)(kc)$ # try IAM
~ (aws:rean-product)(kc)$ aws iam list-roles > /dev/null
An error occurred (InvalidClientTokenId) when calling the ListRoles operation: The security token included in the request is invalid
~ (aws:rean-product)(kc)$ # failed as expected
~ (aws:rean-product)(kc)$ # source agaib
~ (aws:rean-product)(kc)$ source <(jq -r < /tmp/json '.Credentials | @sh "export AWS_SESSION_TOKEN=\(.SessionToken)\nexport AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey) "')
~ (aws:rean-product)(kc)$ # try IAM
~ (aws:rean-product)(kc)$ aws iam list-roles > /dev/null
~ (aws:rean-product)(kc)$ # it works
@philpennock you can do the same with aws-vault if you have set the mfa_serial in your .aws/config for the profile and have IAM operations with STS. I think this should be explained better in README