Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add the ability to assume a role without entering MFA #22

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Add the ability to assume a role without entering MFA #22

wants to merge 3 commits into from

Conversation

maafk
Copy link

@maafk maafk commented Feb 2, 2018

This project is great!
This PR attempts to address a use case I have on a daily basis.

We have an Identity AWS account where we have IAM users, then multiple accounts with roles we can assume. In the Identity account, we must be authenticated with MFA in order to assume roles.

Once I'm authenticated with MFA (get_session_token), I'd like the option to seamlessly assume roles in other accounts without having to key in my MFA code each time, so I want to pass the short-term credentials to the boto3 client.

Taylor Ondrey added 2 commits February 2, 2018 16:04
@broamski
Copy link
Owner

broamski commented Feb 3, 2018

Hi there. You should already be able to accomplish this...from the docs...

This allows you to access multiple environments without the need to run aws-mfa each time you want to switch environments.

If you don't like the a long term suffix, you can omit it by passing the value none for the --long-term-suffix command line argument. After running aws-mfa once for each environment with a different value for --short-term-suffix, your credentials file would read:

[myorganization]
aws_access_key_id = YOUR_LONGTERM_KEY_ID
aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY

[myorganization-account1]
assume_role = arn:aws:iam::222222222222:role/Administrator
aws_access_key_id = <POPULATED_BY_AWS-MFA>
aws_secret_access_key = <POPULATED_BY_AWS-MFA>
aws_security_token = <POPULATED_BY_AWS-MFA>


[myorganization-account2]
assume_role = arn:aws:iam::333333333333:role/Administrator
aws_access_key_id = <POPULATED_BY_AWS-MFA>
aws_secret_access_key = <POPULATED_BY_AWS-MFA>
aws_security_token = <POPULATED_BY_AWS-MFA>

[myorganization-account3]
assume_role = arn:aws:iam::444444444444:role/Administrator
aws_access_key_id = <POPULATED_BY_AWS-MFA>
aws_secret_access_key = <POPULATED_BY_AWS-MFA>
aws_security_token = <POPULATED_BY_AWS-MFA>

Notice the statement assume_role = arn:aws:iam::444444444444:role/Administrator in each section. Please let me know if this helps. Thanks!

@maafk
Copy link
Author

maafk commented Feb 5, 2018

Hi @broamski

This all makes sense, however I'm trying to eliminate the need to key in my MFA token more than once per 12 hours.

I have an IAM user who must be authenticated with MFA. Once they're authenticated with MFA, and I have a short-term credential for them, I'd like to create another short-term credential with an assumed role, but I'd like to use the first short-term credential without keying in the MFA token again.

For example the myuser user has the permissions to assume roles as long as they're authenticated with MFA. The Role I'm trying to assume trusts the source account. The myuser can assume the AuditRole without providing the SerialNumber and TokenCode in the assume_role boto3 call.

$ export MFA_DEVICE=arn:aws:iam::12345678990:mfa/myuser
$ aws-mfa --profile development
INFO - Validating credentials for profile: development
INFO - Short term credentials section development is missing, obtaining new credentials.
Enter AWS MFA code for device [arn:aws:iam::12345678990:mfa/myuser] (renewing for 43200 seconds):083957
INFO - Fetching Credentials - Profile: development, Duration: 43200
INFO - Success! Your credentials will expire in 43200 seconds at: 2018-02-06 02:54:20+00:00
$ aws-mfa --profile development --long-term-suffix none --short-term-suffix auditor --assume-role arn:aws:iam::98765432110:role/AuditRole --role-session-name some-name
INFO - Validating credentials for profile: development-auditor with assumed role: arn:aws:iam::98765432110:role/AuditRole
INFO - Short term credentials section development-auditor is missing, obtaining new credentials.
Enter AWS MFA code for device [arn:aws:iam::12345678990:mfa/myuser] (renewing for 3600 seconds):898527

When I look at the code it always prompts the user to enter their MFA token code, even when the role can be assumed without the SerialNumber and TokenCode, which prompted this pull request.

I hope I'm making sense and not missing anything obvious!

Thanks!

@maafk
Copy link
Author

maafk commented Feb 5, 2018

@broamski I'm realizing I'm ignoring the --long-term-suffix and --short-term-suffix in the PR. I'll modify to keep using them, but to add a flag to not prompt the user for an MFA token

@maafk
Copy link
Author

maafk commented Feb 21, 2018

@broamski Any thoughts on this? Thanks!

@lied
Copy link

lied commented Apr 9, 2020

Any changes that this will get merged? I'll need this feature as well.

@maafk
Copy link
Author

maafk commented Apr 9, 2020
edited
Loading

@lied I'd recommend using awsu.me.

Supports this feature and the project is better maintained. I use awsu.me exclusively now

@lied
Copy link

lied commented Apr 9, 2020

@maafk Wow! Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@maafk @broamski @lied