Hello,
I have a user account with mfa configured. mfa is enforced using a simple policy to deny all if no mfa is present.
aws-vault doesn't seem to use mfa settings for login action if no role_arn is specified in aws config profile, therefore I'm not able to login to main organization.
~/.aws/config
[profile main]
mfa_serial = arn:aws:iam::<account1-number>:mfa/testuser
[profile org]
source_profile=main
mfa_serial = arn:aws:iam::<account1-number>:mfa/testuser
role_arn=arn:aws:iam::<account2-number>:role/OrganizationAccountAccessRole
mfa doesn't work for login action
~> aws-vault login main --stdout
aws-vault: error: Login failed: Failed to get credentials for test_profile: AccessDenied: User: arn:aws:iam::<account1-number>:user/testuser is not authorized to perform: sts:GetFederationToken on resource: arn:aws:sts::<account1-number>:federated-user/testuser with an explicit deny
status code: 403, request id: 9a2dc454-7132-426d-82b4-f89e6b00bc74
~>
login action works well for org profile, where role_arn is specified:
~> aws-vault login org --stdout
Enter token for arn:aws:iam::<account1-number>:mfa/testuser: 123456
https://signin.aws.amazon.com/federation?Action=login&Issuer=aws-vault&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2F&SigninToken=<token>
~>
however, mfa works for exec action
~> aws-vault exec main -- aws s3 ls
Enter token for arn:aws:iam::<account1-number>:mfa/testuser: 123456
2020-04-07 08:18:21 <bucket-name>
~>
also rotate action works as expected
~> aws-vault rotate main
Rotating credentials stored for profile 'main' using a session from profile 'main' (takes 10-20 seconds)
Creating a new access key
Enter token for arn:aws:iam::<account1-number>:mfa/testuser: 123456
Created new access key ****************FOVS
Deleting old access key ****************YIVL
Enter token for arn:aws:iam::<account1-number>:mfa/testuser: 234567
Deleted old access key ****************YIVL
Finished rotating access key
~>
aws policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAllIfNoMFA",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
~> aws-vault --version
v5.4.1
~>
seems I found the answer, the problem lies deeper, in aws api:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html
Other AWS STS API operations that return temporary credentials do not support MFA. For AssumeRoleWithWebIdentity and AssumeRoleWithSAML, the user is authenticated by an external provider and AWS cannot determine whether that provider required MFA. For GetFederationToken, MFA is not necessarily associated with a specific user.
GetFederationToken api call which is used for profiles without role_arn does not support MFA
~> aws-vault exec main --no-session -- aws sts get-federation-token --name test
An error occurred (AccessDenied) when calling the GetFederationToken operation: User: arn:aws:iam::<account1-number>:user/testuser is not authorized to perform: sts:GetFederationToken on resource: arn:aws:sts::<account1-number>:federated-user/test with an explicit deny
~>
Thanks @chrismazanec, feel free to improve the docs to explain this
Apologies for waking up an old thread here, but something doesn't make sense to me:
I have MFA setup, and it's being used by aws-vault upon "exec". However, it's ignored upon "login.
Now, while I understand how this is possible (I'm amazed AWS let's you do this), I don't understand why exec requires MFA then. If GetFederationToken works for Login, why not use it for exec, and get around the entire need for MFA?
@random930 is the session being cached? This would mean the second command whether it's exec or login will use cached session and not require the MFA token again
Nope it's not. I verified it.
On Tue, Sep 8, 2020 at 4:39 PM Michael Tibben notifications@github.com
wrote:
@random930 https://github.com/random930 is the session being cached?
This would mean the second command whether it's exec or login will use
cached session and not require the MFA token again—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/99designs/aws-vault/issues/564#issuecomment-689191754,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AOL3ATPIKQI74WLFO35XGKLSE26CZANCNFSM4MN6B5IA
.
@random930 @chrismazanec did either of you ever find a work around for this issue? It's a real bummer that aws-vault login doesn't work when enforcing MFA.
@Gowiem It's not an issue with aws-vault, it's the AWS API that does not support this use-case - see https://github.com/99designs/aws-vault/issues/564#issuecomment-617651247
@mtibben Yeah, I picked that up from the comment... but just wondering if there was any workaround even with being the case. Maybe the next stop is to open an issue AWS support and see if that is on a roadmap as I'm not understanding why MFA wouldn't be supported for an STS call.
Most helpful comment
seems I found the answer, the problem lies deeper, in aws api:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html
GetFederationToken api call which is used for profiles without
role_arndoes not support MFA