Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

U2F Support #3607

Open
lrvick opened this issue Sep 26, 2018 · 71 comments
Open

U2F Support #3607

lrvick opened this issue Sep 26, 2018 · 71 comments
Labels
feature-request A feature should be added or improved. needs-review This issue or pull request needs review from a core team member. p2 This is a standard priority issue v2

Comments

@lrvick
Copy link

lrvick commented Sep 26, 2018

Per the AWS blog U2F is now supported for Console login:
https://aws.amazon.com/blogs/security/use-yubikey-security-key-sign-into-aws-management-console/

It is especially critical there be a path to support this on the aws-cli so we can tap to perform commands instead of having long lived tokens on disk/memory.

@JensRantil
Copy link

AFAIK, U2F generally only works in a web browser. How would you expect it to be used from CLI? Fire up a browser?

@nbraud
Copy link

nbraud commented Sep 26, 2018

@JensRantil Nope, any sort of application can interact with a U2F token.

Source: I maintain libu2f-* and pam-u2f in Debian ;)

@JordonPhillips
Copy link
Member

Looks like U2F isn't supported for API access yet:

You cannot use MFA-protected API access with U2F security keys.

That said, I've definitely passed this feedback on to the service team. My own experience has been that U2F is 100000x more useable than any other second factor so I'd love to see it even for my own use.

The one caveat is that this would need to be a V2 feature since I'm fairly certain we have to pull in c dependencies to interact with the u2f token.

@nbraud
Copy link

nbraud commented Sep 29, 2018

@JordonPhillips FYI, there is a Python U2F host library from Yubico; it's itself 100% Python, but depends on hidapi, which IIRC uses libusb and libudev.
OTOH, it's already available in all major distros, so that shouldn't be a big deal?

It would also require (like any use of U2F) that the user can interact with the U2F device; Yubico maintains udev rules upstreams in libu2f-host, that I shipped in Debian as libu2f-udev (so they can be installed without pulling in the C library), which is a dependency of task-desktop (starting in Debian 10 “buster”), so most users will have it installed out of the box; in stretch (the current Debian stable), we shipped the udev rules for U2F in the udev package, so it's available there too.
TL;DR: Debian should have the right permissions for U2F devices in jessie onwards (released over a year ago), and so should all Debian derivatives (unless they went out of their way to break U2F...)

@jeffparsons
Copy link

This would be hugely helpful for me. Getting out my phone 10-20 times a day to copy TOTPs is not fun. 😅 If I could just tap my Yubikey instead, my aws-cli experience would be so much more pleasant.

@JordonPhillips JordonPhillips added v2 and removed v2 labels Oct 31, 2018
@JordonPhillips
Copy link
Member

@nbraud it looks like the python interface they use doesn't provide linux wheels, so installing that would require that the user has a compiler installed. This isn't currently a requirement to install the cli, so adding that library would be a breaking change for many users.

@jeffparsons
Copy link

@JordonPhillips Regarding introducing a breaking change... I can imagine a couple of approaches that would let enthusiastic users benefit from this early without breaking things for less adventurous users:

  1. Make it an optional dependency in v1, and then people who really care about it can compile with a special flag to enable it. In this way they opt in to "previewing" what will eventually be part of the v2 client by default.

  2. Split the U2F piece into a separate binary, and detect its presence at runtime. Then users who attempt to use the AWS CLI with U2F would be told "install this other tool" to make it work. So, on Mac, for example, I would be one brew install aws-cli-u2f away from bliss. 😃

@djrodgerspryor
Copy link

Yeah, I'd be more than happy to install an optional compile-from-source module to get this functionality. It would only be needed on developer machines — which would almost always have a compiler already — and not on servers anyway.

@jeamland
Copy link

jeamland commented Nov 5, 2018

An alternative to python-u2f-host would be python-fido2 which gets you out from needing the C libraries for USB HID and means you only need the Cryptography library which ships wheels...

@chrislujan
Copy link

I'll be holding my breath for this 👍

@moritzheiber
Copy link

As far as I understand this issue STS/IAM will have to gain API support for security keys as MFA tokens before moving forward with this?

@jeffparsons
Copy link

jeffparsons commented Jan 2, 2019

As far as I understand this issue STS/IAM will have to gain API support for security keys as MFA tokens before moving forward with this?

Can anyone shed light on this? Surely if it's not already supported then it's just around the corner...?

EDIT:

Please don't let this turn out to be one of those cringeworthy cases where a company assumes none of their customers care about a feature, because they implemented the not-super-useful version and then nobody used it.

I never use the web UI for logging in to the Amazon console. It's all CLI-driven for me, because I have several accounts I need to deal with (etc.). And even if I did use the web UI to log in, then as it stands I'd need to faff about with duplicate accounts of all my existing accounts for use with U2F, because I'd still need to use my old Google/LastPass/whatever authenticator for all aws-cli stuff.

So... AWS's U2F support has the potential to become something that I'd be really enthusiastic about, but without CLI support it's not yet worth touching. I imagine a lot of people are in the same boat.

@Richard-Mathie
Copy link

@jeffparsons totally agree U2F MFA for the CLI/SDK is really needed. I bet they would resist doing the libusb/python-fido approach as it does not map well to doing it on the ruby/java ect SDKs. U2F with a one touch challenge response would be pretty universal though.

btw you can switch accounts in the web console very easily by assuming a role on the other account
like:
https://signin.aws.amazon.com/switchrole?roleName=SomeAdminRole&account=YourAccountNumberOrAlias
see:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html

You can then see the role switcher in your user/account dropdown in the upper right of the page

@Richard-Mathie
Copy link

also this guy might be on to something... https://gist.github.com/woowa-hsw0/caa3340e2a7b390dbde81894f73e379d

@tbublik
Copy link

tbublik commented Apr 18, 2019

Here is also a very good solution https://github.com/kreuzwerker/awsu

@edthamm
Copy link

edthamm commented Jun 1, 2019

Working with multiple mutli-account setups all of them with a separate idp using the same U2F with all of them would be a huge alleviation of toil for me.
I would also have no issue to installing/compiling an additional dependency to get this in v1 as a preview.

Any movement on the issues on the aws side of things?

@anderiv
Copy link

anderiv commented Jun 12, 2019

For what it's worth, aws-vault seems to be fairly close to merging in U2F support: 99designs/aws-vault#316

That said, I am absolutely in favor of adding native U2F support to the official AWS CLI tool.

@arnuschky
Copy link

arnuschky commented Jun 29, 2019

For what it's worth, aws-vault seems to be fairly close to merging in U2F support: 99designs/aws-vault#316

No that's just creating TOTP tokens using the Yubikey. It's a workaround that allows you to use your Yubikey but it's not U2F.

(This is the same what awsu does, it seems.)

@pawelprazak
Copy link

The whole MFA in awscli is a pain to setup and the lack of yubikey support does not help.
MFA in 2019 should be a must not a cutting edge feature.

@khebbie
Copy link

khebbie commented Oct 17, 2019

Any progress on this?

@cellog
Copy link

cellog commented Nov 11, 2019

just ran into this. Please remove support for Yubikey from the web console if you don't plan to support it in the cli. It's a huge time waster to have to google this stuff and find out AWS does not support what it advertises

@dissolved
Copy link

Pretty ridiculous that this issue has been open for 440 days and not resolved yet.

@jandnil
Copy link

jandnil commented Dec 12, 2019

CLI support would as previously stated highly appreciated

@gwynnarth
Copy link

gwynnarth commented Dec 12, 2019

Hi, we would like to enforce MFA for all human users with https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html (for the lack of a better solution) but now it turns out we either have to:

a) give up on the idea altogether, or
b) force everyone to downgrade from using U2F to TOTP.

The fact that IAM does not support multiple MFA devices is a bad joke too...

It's almost year 2020. Convenient and secure (read: U2F) MFA solution is a must, not a luxury in my opinion. Especially in areas where malicious actors can inflict serious financial damage.

AWS, please, please, please, get your act together and work on enhancing your MFA support throughout your ecosystem (CLI, mobile apps, AWS SSO - which does not support U2F too!)

@EmilioEduardo
Copy link

Hi! Any news for supporting yubikeys on AWS CLI commands? Just impossible to have any kind of scripts running securely on my developers machines without that. Credentials as authentication method for physical machines is not exactly efficient and using TOTP is unpractical since we already use yubikeys.

@MartinWie
Copy link

@EmilioEduardo sadly no in the meantime I wrote a opensource tool to use my Yubikey at work, maybe this helps you:
https://github.com/MartinWie/CredoPy

It is not exactly what you want but using ykman to grab the Token from the Yubikey is way more convenient than typing in the token manually. Hope this helps! :)

If you need help adapting it to your needs shoot me a message, same goes for feedback :D

@MichaelWest22
Copy link

One solution to support most U2F keys right now seems to be to use AWS SSO which now supports FIDO/WebAuthn tokens for both console logins AND CLI access. Most current U2F tokens support this but some older ones may not work. Note you need the latest version of the CLI and you have to run "aws configure sso" first time only from a console and it will pop out to a web browser to perform the MFA side of the authentication before returning to the console. It then applies temporary session based AWS credentials to any further aws cli actions. When the credentials expire you will be taken back to a browser to do another MFA authentication step when you do another aws cli command.
https://aws.amazon.com/blogs/aws/multi-factor-authentication-with-webauthn-for-aws-sso/

@fourhundredfour
Copy link

Any Updates? @aws

@staenker
Copy link

staenker commented Jun 1, 2022

to setup and the lack of yubikey support does not help.
MFA in 2019 should be a must not a cutting edge feature.

Reading this in 2022 is even worse.

Dear aws, what the actual flower is that telling about your approach on security?

@dejwsz
Copy link

dejwsz commented Jun 1, 2022

I agree, U2F support should be added. Anything what can raise the level of security should be provided as built-in option.

@giphahne
Copy link

@jamesls @kyleknap: any update on this? using U2F from the aws-cli would be immensely helpful

@anderiv
Copy link

anderiv commented Aug 25, 2022

As @MichaelWest22 mentioned above, awscli's support of SSO (or whatever the name du jour is these days) has more or less scratched this itch for me. I realize not every org has SSO deployed, though, so it's not a global solution. For those where SSO is an option, though, I would highly recommend it.

SSO ought to be a default these days instead of something one may accidentally stumble into after initially just using IAM users.

@sc0ttdav3y
Copy link

I just came here after upgrading to hardware MFA and finding I've broken my aws cli access.

I expect AWS to be at world best practice in terms of cloud security, but it's 2022 and I can't use hardware MFA with the CLI, and I can't register multiple devices per user.

And to make things worse, I come here to find a 4 year old issue 🤦🏻.

Constructively, I'd point out that the YubiKey registers itself as a keyboard, so it can supply its codes into the CLI quite easily. It's just the CLI itself that seems restrained to looking for 6 digit codes and not the longer strong of characters the key generates. Given the longer codes are supported by AWS elsewhere, it seems so simple to fix.

@exussum12
Copy link

I'd point out that the YubiKey registers itself as a keyboard, so it can supply its codes into the CLI quite easily. It's just the CLI itself that seems restrained to looking for 6 digit codes and not the longer strong of characters the key generates. Given the longer codes are supported by AWS elsewhere, it seems so simple to fix.

That code which happens when you press the button on a yubikey in a text editor, has nothing to do with with u2f.

A cli client does exist for u2f though so it's still possible .

The code which you are seeing is a yubico otp (https://docs.yubico.com/yesdk/users-manual/application-otp/yubico-otp.html) which is not as commonly supported over the internet

@gwynnarth
Copy link

My gut tells me that this will never be implemented in a way many people on this thread expect it to. Almost 3 years have passed since my original comment and right now my only gripe with AWS is that they won't state plainly that there is no intention on their end to fix this issue.

Since then, my organization has moved on to AWS SSO for all human users (renamed to IAM Identity Center now - which also kinda tells me that this is the path AWS wants everyone to take) which has a decent MFA support and works quite well with AWS CLI. This really does solve the original issue and I, personally, would be very much surprised to see ANY significant enhancements to the "original" IAM in scenarios where a human user is involved.

You may not like this suggestion (already voiced by @anderiv and @MichaelWest22 earlier) and continue to wait for this issue to be fixed, or you can get over the distaste AWS's lack of clear communication leaves and have a much better security posture right now.
The choice is yours 😉

PS. I also recommend slapping an aws-vault in front for securing these short-term credentials.

@sc0ttdav3y
Copy link

Hey @gwynnarth, thanks for your comment. The take-away I'm most interested in hearing more about is that AWS SSO solves this for the CLI. I guess I'll need to dive into all their marketing guff that I've been avoiding reading due to info overload.

@gwynnarth
Copy link

Sure thing! As it was described in this comment: #3607 (comment) when you configure your CLI to work with AWS SSO, it will pop up a browser window where you authenticate (in our case we're using SAML to integrate with GApps but you can use a built-in SSO identity store). That's where MFA "magic" happens. Modern browsers support U2F, so there's no problem with using a hardware security key + you can have multiple MFAs attached to a single SSO user, which is also a very important improvement over "plain" IAM users.

After authenticating you will be issued an SSO token (expires in something like 8 hours) that will later will be exchanged for short-lived IAM credentials for a particular SSO role that you're permitted to assume. These credentials can be used in actual API calls to AWS. Whenever the short-lived credentials expire the SDK will take care of renewing them automatically (I think). Whenever SSO token expires you will need to re-authenticate with AWS SSO, in turn.

Most apps work seamlessly with SSO nowadays since it's supported in AWS SDKs for various languages, but from time to time you still might run into something that simply expects to have a long-lived access keys in ~/.aws/credentials. For that you might rely on https://github.com/victorskl/yawsso, but remember that if you can make the app read the credentials from ENV variables, then you can make it work with https://github.com/99designs/aws-vault instead and have all your tokens and credentials stored in an encrypted keychain - and only surface them when they're actually needed - which is much more secure. Right now Cyberduck is the only piece of software I was unable to get to work with SSO. Even Serverless has a plugin that makes it work well with SSO: https://www.serverless.com/plugins/serverless-better-credentials

@tim-finnigan tim-finnigan added needs-review This issue or pull request needs review from a core team member. p2 This is a standard priority issue labels Nov 14, 2022
@kabo
Copy link

kabo commented Nov 17, 2022

One can now configure multiple MFA devices, meaning at least you can use your FIDO key in the console and OTP with the CLI.

https://aws.amazon.com/blogs/security/you-can-now-assign-multiple-mfa-devices-in-iam/

@Endareth
Copy link

Endareth commented Nov 17, 2022

Unfortunately not: "you can associate up to eight MFA devices of the currently supported types". Looks like you can't mix & match, got to be either a single Virtual TOTP, or up to eight FIDO2 devices. I mean, sure, it's an improvement, but only really helps people who never use the CLI.
I could be wrong (not in a position to remove and re-add MFA without breaking stuff right now), anyone else able to test this quickly?

edit: So it looks like this only works when starting fresh with MFA. Can't seem to add extra MFA devices to an existing setup, but a new user allows adding a mix of device types… Still doesn't help with the CLI, but at least it's an improvement.

edit2: Guessing this is still being rolled out—the ability to add extra devices is sometimes visible currently, sometimes not. Reloading the page helped in a couple of cases, but not others… 🤷

@Art3mK
Copy link

Art3mK commented Nov 17, 2022

yeah, works for me with existing user and OTP and adding two yubikeys as additional MFA devices

@larstobi
Copy link

I have registered both one TOTP and one Yubikey, and I can log in to Console using a choice of Yubikey or TOTP, and from the CLI I can still use my TOTP just fine.

@amohar
Copy link

amohar commented Apr 25, 2023

Five years and nothing official on this? I mean, security is important, especially in the cloud, right?

@dejwsz
Copy link

dejwsz commented Apr 25, 2023

If you use AWS IAM Identity Center then you can register now there yubikey and use that in CLI with "aws sso login" which gives you short lived credentials and it works OK.
In other case I needed to register yubikey as TOTP in IAM and for command line client I used "aws-vault" tool as a helper to be able to use it properly. And it also worked for me quite good. But AWS CLI itself still does not support it natively.

@exussum12
Copy link

exussum12 commented Apr 27, 2023

But AWS CLI itself still does not support it natively.

It does.
You need the arn of the device and add this to your config

mfa_serial=arn:aws:iam::{ID}:mfa/{WhateverItsNameIs}

$ aws sts get-caller-identity
Enter MFA code for arn:aws:iam::{ID}:mfa/{WhateverItsNameIs}:

Is then prompted

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html

Search for MFA there

@dejwsz
Copy link

dejwsz commented Apr 27, 2023

yes, I know - but it is not ideal though, I have it too in my config of course

@MartinLoeper
Copy link

Got a fresh new Yubikey Bio ready just to find, there is no direct support in tooling like AWS CLI. Classic.

@steinybot
Copy link

Don't worry folks, at AWS, security is their top priority.

Strong security at the core of an organization enables digital transformation and innovation. AWS helps organizations to develop and evolve security, identity, and compliance into key business enablers. At AWS, security is our top priority.

@alexw23
Copy link

alexw23 commented Sep 27, 2023

Have been using SSO lately for CLI and haven't looked back, use with aws-vault to keep a short lived session. No point waiting for AWS to do something that is most likely never going to happen.

@sharpone74
Copy link

How is AWS a multi billion dollar company and this issue still exists from 2018. These keys are friggin everywhere now.

@anderiv
Copy link

anderiv commented Oct 1, 2024

How is AWS a multi billion dollar company and this issue still exists from 2018. These keys are friggin everywhere now.

The answer now, in 2024 is:

Use IAM Identity Center. Then you can use whatever factors you need, with full support in the CLI tools.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature-request A feature should be added or improved. needs-review This issue or pull request needs review from a core team member. p2 This is a standard priority issue v2
Projects
None yet
Development

No branches or pull requests