Aws-vault: MFA required every time when using source_profile

Created on 21 Feb 2020  路  6Comments  路  Source: 99designs/aws-vault

  • [x] I am using the latest release of AWS Vault
  • [x] I have provided my .aws/config (redacted if necessary)
  • [x] I have provided the debug output using aws-vault --debug (redacted if necessary)

After having used aws-vault for years I discovered that I can use source_profile to not have to add each of my profiles individually 鈥撀燼nd since I often use a lot of different roles that all are assumed by the same credentials this simplifies things a lot.

However, I noticed it doesn't work to have a profile with mfa_serial with a source_profile that does not have mfa_serial. Or to be specific: it works, but I have to type the MFA code every time, the session doesn't seem to be saved.

I don't know if this is working as intended, or even not solvable. There exist a workaround (add profiles that require MFA separately). I can see how it could be a problem if a profile and its source had different MFAs configured, or if there are multiple profiles with different MFAs configured using the same source profile 鈥撀爄n other words, I can see how it could be that this has no good solution, but I also know too little about how it works to know for sure.

This is how I have things set up (redacted and simplified). In this setup all I have done is aws-vault add theo. The readonly and dev profiles don't require MFA, but I need MFA to use the sysadmin role.

[profile theo]

[profile readonly]
source_profile=theo
role_arn=arn:aws:iam::1234567890:role/readonly

[profile dev]
source_profile=theo
role_arn=arn:aws:iam::1234567890:role/developer

[profile sysadmin]
source_profile=theo
role_arn=arn:aws:iam::1234567890:role/sysadmin
mfa_serial=arn:aws:iam::1234567890:mfa/theo

Here is a session where I first use the readonly profile to list S3, then the sysadmin role, which requires me to enter an MFA code, which is expected, but then I again run the same command with the sysadmin role and again have to enter an MFA code.

If remove source_profile from the sysadmin profile and add credentials using aws-vault add sysadmin I would not have to enter an MFA code the second time.

$ aws-vault exec readonly -- aws s3 ls
2020/02/21 15:29:05 aws-vault v5.3.1
2020/02/21 15:29:05 [keyring] Considering backends: [keychain pass file]
2020/02/21 15:29:05 Loading config file /Users/theo/.aws/config
2020/02/21 15:29:05 Parsing config file /Users/theo/.aws/config
2020/02/21 15:29:05 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2020/02/21 15:29:05 [keyring] Found 16 results
2020/02/21 15:29:05 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2020/02/21 15:29:05 [keyring] Found 16 results
2020/02/21 15:29:05 profile theo: using stored credentials
2020/02/21 15:29:05 profile theo: skipping GetSessionToken because profile 'readonly' has no MFA serial defined
2020/02/21 15:29:05 profile readonly: using AssumeRole
2020/02/21 15:29:05 Looking up keyring for 'theo'
2020/02/21 15:29:05 [keyring] Querying keychain for service="aws-vault", account="iconara-theo", keychain="aws-vault.keychain"
2020/02/21 15:29:05 [keyring] Found item "aws-vault (theo)"
2020/02/21 15:29:06 Generated credentials ****************EZCT using AssumeRole, expires in 59m59.615731s
2020/02/21 15:29:06 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2020/02/21 15:29:06 Setting subprocess env: AWS_SESSION_TOKEN, AWS_SECURITY_TOKEN
2020/02/21 15:29:06 Setting subprocess env: AWS_SESSION_EXPIRATION
(redacted output)

$ aws-vault exec sysadmin --debug -- aws s3 ls
2020/02/21 15:30:40 aws-vault v5.3.1
2020/02/21 15:30:40 [keyring] Considering backends: [keychain pass file]
2020/02/21 15:30:40 Loading config file /Users/theo/.aws/config
2020/02/21 15:30:40 Parsing config file /Users/theo/.aws/config
2020/02/21 15:30:41 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2020/02/21 15:30:41 [keyring] Found 16 results
2020/02/21 15:30:41 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2020/02/21 15:30:41 [keyring] Found 16 results
2020/02/21 15:30:41 profile theo: using stored credentials
2020/02/21 15:30:41 profile theo: skipping GetSessionToken because MFA serial doesn't match profile 'sysadmin'
2020/02/21 15:30:41 profile sysadmin: using AssumeRole (with MFA)
Enter token for arn:aws:iam::1234567890:mfa/theo: ******
2020/02/21 15:31:53 Looking up keyring for 'theo'
2020/02/21 15:31:53 [keyring] Querying keychain for service="aws-vault", account="theo", keychain="aws-vault.keychain"
2020/02/21 15:31:53 [keyring] Found item "aws-vault (theo)"
2020/02/21 15:31:54 Generated credentials ****************4CU3 using AssumeRole, expires in 59m59.298804s
2020/02/21 15:31:54 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2020/02/21 15:31:54 Setting subprocess env: AWS_SESSION_TOKEN, AWS_SECURITY_TOKEN
2020/02/21 15:31:54 Setting subprocess env: AWS_SESSION_EXPIRATION
(redacted output)

$ aws-vault exec sysadmin --debug -- aws s3 ls
2020/02/21 15:32:24 aws-vault v5.3.1
2020/02/21 15:32:24 [keyring] Considering backends: [keychain pass file]
2020/02/21 15:32:24 Loading config file /Users/theo/.aws/config
2020/02/21 15:32:24 Parsing config file /Users/theo/.aws/config
2020/02/21 15:32:24 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2020/02/21 15:32:24 [keyring] Found 16 results
2020/02/21 15:32:24 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2020/02/21 15:32:24 [keyring] Found 16 results
2020/02/21 15:32:24 profile theo: using stored credentials
2020/02/21 15:32:24 profile theo: skipping GetSessionToken because MFA serial doesn't match profile 'sysadmin'
2020/02/21 15:32:24 profile sysadmin: using AssumeRole (with MFA)
Enter token for arn:aws:iam::1234567890:mfa/theo:

Most helpful comment

Adding mfa_serial to the theo role does indeed solve my problem. A little counter-intuitively it does not require me to type MFA codes when I use the readonly and dev profiles 鈥撀燽ut this is exactly how I wanted the setup to work. Thank you.

All 6 comments

https://github.com/99designs/aws-vault/issues/520#issuecomment-587861889 has an example of config that should do what you want, although it's subject to change depending on the outcome of that issue.

The issue is that our mfa caching isn't kicking in (see the skipping GetSessionToken because... log line)

There are 2 underlying issues

  1. we're not caching roles
  2. inferring when to use GetSessionToken is a tricky, and needs further improvement

I'm working on a fix to those, but in the meantime there is a simple fix - add mfa-serial to your theo profile. That will will cause the GetSessionToken to kick in to cache the MFA session, without any effect to readonly or dev

Adding mfa_serial to the theo role does indeed solve my problem. A little counter-intuitively it does not require me to type MFA codes when I use the readonly and dev profiles 鈥撀燽ut this is exactly how I wanted the setup to work. Thank you.

I believe this should be fixed in #569. Let me know if it's not

@mtibben came here with a similar issue. Just upgraded from (I think) 4.x where I was used to my MFA role being cached for 9 hours. On 5.x any duration >1h prevented caching which felt like a big regression. However have now moved to the 6.x beta release and it seems to cache it fine, so thanks for the update!

Great, glad v6 is working out for you

Was this page helpful?
0 / 5 - 0 ratings