Kops: Support assuming an AWS role with MFA

@ProTip always happy to have you guys help us implement this. Kind of an interesting idea.

I think this is very important for enterprise adoption of kops (FWIW).

Boto3 supports it as does terraform but I've just heard from a friend at another company who just hit this limitation (I hadn't got here yet) so suggest a bit of love goes into addressing this.

On phone at the moment but happy to provide some examples later

@starkers if you are able to assist with a PR, we would love to see this in. We are currently prioritizing work on security for 1.5 and 1.6 releases, and security is a big chunk of the work

I spent a little while looking at this. I assume your bash wrapper is just calling aws sts assume-role and using the temp creds for that? That seems to work just fine (I don't have MFA enabled, but the command obviously supports it).

As guessed in #1723, this is a limitation of the Go AWS SDK: https://docs.aws.amazon.com/sdk-for-go/api/aws/session/:

The SDK does not support assuming a role with MFA token Via the Session's constructor. You can use the stscreds.AssumeRoleProvider credentials provider to specify custom configuration and support for MFA.

This would need a minor PR to accept a role ARN and MFA token, so we know to use the other interface.

Note that for the non-MFA AssumeRole case, kops already works as long as you specify AWS_SDK_LOAD_CONFIG=1.

I spent a little while looking at this. I assume your bash wrapper is just calling aws sts assume-role and using the temp creds for that? That seems to work just fine (I don't have MFA enabled, but the command obviously supports it).

This was our idea as well.

The problem is the SDK does not auto-prompt for MFA code on stdin, so you have to collect it yourself and pass it into the SDK objects.

@justinsb I can contribute a wrapper script for this we're using internally. Where should it go though?

I've got this. Set the KOPS_MFA_ROLE_ARN, and KOPS_MFA_ARN, then run: kops-mfa [kops command] and off you go. Anyone can customize this as they see fit.

#!/usr/bin/env bash

set -euo pipefail

main() {
    local role_arn="${KOPS_MFA_ROLE_ARN:-}"
    local serial_number="${KOPS_MFA_ARN:-}"
    local token_code

    if [ -z "${KOPS_MFA_ROLE_ARN}" ]; then
        echo "Set the KOP_MFA_ROLE_ARN environment variable" 1>&2;
        return 1
    fi

    if [ -z "${KOPS_MFA_ARN}" ]; then
        echo "Set the KOP_MFA_ARN environment variable" 1>&2;
        return 1
    fi

    echo -n "Enter MFA Code: "
    read -s token_code

    # NOTE: The keys should not be exported as AWS_ACCESS_KEY_ID
    # or AWS_SECRET_ACCESS_KEY_ID. This will not work. They
    # should be exported as other names which can be used below. This prevents
    # them from incorrectly being picked up from libraries or commands.
    temporary_credentials="$(aws \
        sts assume-role \
        --role-arn="${role_arn}" \
        --serial-number="${serial_number}" \
        --token-code="${token_code}" \
        --role-session-name="kops-access"
    )"

    unset AWS_PROFILE

    export "AWS_ACCESS_KEY_ID=$(echo "${temporary_credentials}" | jq -re '.Credentials.AccessKeyId')"
    export "AWS_SECRET_ACCESS_KEY=$(echo "${temporary_credentials}" | jq -re '.Credentials.SecretAccessKey')"
    export "AWS_SESSION_TOKEN=$(echo "${temporary_credentials}" | jq -re '.Credentials.SessionToken')"

    kops "$@"
}

main "$@"

@justinsb @chrislovecnm @kris-nova how would you like this work-around script added to the docs?

Please add to docs!

@ahawkins is there a PR for this somewhere? If not please add one! :)

The AWS SDK now has a StdinTokenProvider that we could use:

sess := session.Must(session.NewSessionWithOptions(session.Options{
    AssumeRoleTokenProvider: stscreds.StdinTokenProvider,
}))

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

/reopen

@justinsb: Reopening this issue.

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@fejta-bot: Closing this issue.

@gramidt: You can't reopen an issue/PR unless you authored it or you are a collaborator.

@gramidt: You can't reopen an issue/PR unless you authored it or you are a collaborator.

@justinsb - Could you reopen this?

Also, I would be more than happy to work on this feature. Any current designs in mind?

This seems pretty strait-forward (at least since Feb 2017) to support. https://aws.amazon.com/blogs/developer/assume-aws-iam-roles-with-mfa-using-the-aws-sdk-for-go/

Is there any reason not just not always set AssumeRoleTokenProvider? The blog says

The field is only used if the shared configuration’s profile has a role to assume, and then sets the mfa_serial field. Otherwise, the option is ignored.

It's pretty straightforward to add this, yes, however in order to make this usable, we need to introduce some sort of caching, otherwise Kops would prompt for the MFA every time it makes a call to AWS.

/reopen

@chrisz100: Reopened this issue.

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@fejta-bot: Closing this issue.

/remove-lifecycle rotten

/reopen

@jglick: You can't reopen an issue/PR unless you authored it or you are a collaborator.

@jeyglk doesn't AWS SDK cache credentials under ~/.aws/cli/cache as does CLI?

I don't think this is directly a kops issue, but we can update the docs to refer to a couple of ways to achieve this.

/reopen

@olemarkus: Reopened this issue.

/assign

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

/remove-lifecycle stale

On Sat, Aug 1, 2020, at 00:31, fejta-bot wrote:

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta https://github.com/fejta.
/lifecycle stale

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub https://github.com/kubernetes/kops/issues/226#issuecomment-667510296, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAAL6IDQHCELHPE7SUMNBCTR6PVJXANCNFSM4CK7QT5A.

/remove-lifecycle stale

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten