AWS Assume Role Doesn't work with MFA Enforced Roles #5078

Closed
bstopp opened this issue Jul 4, 2018 · 5 comments
Labels
bug Addresses a defect in current functionality. provider Pertains to the provider itself, rather than any interaction with AWS. service/s3 Issues and PRs that pertain to the s3 service. stale Old or inactive issues managed by automation, if no further action taken these will get closed.

Comments


bstopp commented Jul 4, 2018

I am reopening #472, that issue is marked as "Closed" but still has active discussion as the issue isn't fixed.

I have a user with no access to anything other than the ability to assume a role.

The role has the policies and trust rules as shown in this Gist [1].

I use one profile to hold my standard Access ID & Secret Token, and I use a tool to create a profile with MFA access, stored in the indicated configuration profile session_profile.

With the MFA requirement on the Role's Trust policy the following happens:

$ terraform init -backend-config="role_arn=arn:aws:iam::<<account id>>:role/Terraform"

Initializing the backend...

Error configuring the backend "s3": The role "arn:aws:iam::<<account id>>:role/Terraform" cannot be assumed.

  There are a number of possible causes of this - the most common are:
    * The credentials used in order to assume the role are invalid
    * The credentials do not have appropriate permission to assume the role
    * The role ARN is not valid

Please update the configuration in your Terraform files to fix this error.
If you'd like to update the configuration interactively without storing
the values in your configuration, run "terraform init"

As soon as I remove the MFA requirement:

$ terraform init -backend-config="role_arn=arn:aws:iam::<<account id>>:role/Terraform"

Initializing the backend...

Initializing provider plugins...

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

I know that the Role logic and permissions work, as I can access the bucket via the Console.

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.7

  • provider.aws v1.25.0

Affected Resource(s)

s3 backend and AWS Profile

Expected Behavior

Terraform should initialize correctly and plan/apply should work using the specified Role ARN.

Actual Behavior

Terraform init fails and apply fails due to no MFA.

Steps to Reproduce

(See the associated Gist)

  1. Create AWS Role w/ MFA Enforcement
  2. Attach S3FullAccess to AWS Role
  3. Create group with access to assume the AWS Role
  4. Attach the IAM User to the group.
  5. Follow the AWS Tutorial for user MFA
  6. Attach the User to the MFA Group.
  7. Create credentials profile w/ MFA Enabled token
  8. Run a terraform init using the profile

References

[1] - https://gist.github.com/bstopp/c62ad43629865e9529d3c7350fa39791

@bflad bflad added the provider Pertains to the provider itself, rather than any interaction with AWS. label Jul 5, 2018
@louisbuchbinder

It seems the assume-role with a backend provider is not working. Once I modified my backend bucket policy I was able to use the assumed-role in my regular provider for everything else.


erriapo commented Nov 13, 2018

I am using the s3 backend and I don't use the assume_role section in the aws provider. https://erriapo.github.io/aws-assumerole-in-terraform/


sinsoku commented Jun 7, 2019

I have been using Terraform via the following script to use AssumeRole with MFA.

#!/bin/bash

set -e

# It generates json referring to the processing of `AssumeRoleCredentialFetcher` and `_create_cache_key`.
#
# memo:
#   * https://github.com/boto/botocore/blob/1.12.162/botocore/credentials.py#L611
#   * https://github.com/boto/botocore/blob/1.12.162/botocore/credentials.py#L690-L692
#
# RoleArn and SerialNumber are read from the profile selected by AWS_PROFILE.
ROLE_ARGS=$(cat - << EOS
{
  "RoleArn": "$(aws configure get role_arn)",
  "SerialNumber": "$(aws configure get mfa_serial)"
}
EOS
)
# Same cache key as botocore: sha1 of the sorted-key JSON, with path-unsafe characters replaced.
CREATE_CACHE_KEY=$(cat - << EOS
import sys, os, json
from hashlib import sha1
args = json.load(sys.stdin)
digest = sha1(json.dumps(args, sort_keys=True).encode('utf-8')).hexdigest()
print(digest.replace(':', '_').replace(os.path.sep, '_').replace('/', '_'))
EOS
)
CACHE_KEY=$(echo -n "$ROLE_ARGS" | python3 -c "$CREATE_CACHE_KEY")
CACHE_PATH="$HOME/.aws/cli/cache/$CACHE_KEY.json"

# Refresh the cached credentials (this prompts for the MFA code) when the cache entry is missing or expired.
if [ -e "$CACHE_PATH" ]; then
  EXPIRATION=$(jq --raw-output .Credentials.Expiration "$CACHE_PATH")
  # BSD/macOS date first, GNU date as the fallback
  EXPIRATION_UNIX=$(date -u -jf %FT%TZ "$EXPIRATION" +%s 2>/dev/null || date -u -d "$EXPIRATION" +%s)
  NOW_UNIX=$(date +%s)

  if [ "$EXPIRATION_UNIX" -lt "$NOW_UNIX" ]; then
    aws sts get-caller-identity > /dev/null
  fi
else
  aws sts get-caller-identity > /dev/null
fi

export AWS_ACCESS_KEY_ID=$(jq -r .Credentials.AccessKeyId "$CACHE_PATH")
export AWS_SECRET_ACCESS_KEY=$(jq -r .Credentials.SecretAccessKey "$CACHE_PATH")
export AWS_SESSION_TOKEN=$(jq -r .Credentials.SessionToken "$CACHE_PATH")

# Run the wrapped command (e.g. terraform plan) with the session credentials exported.
"$@"

This script uses ~/.aws/config as well as aws-cli.

# ~/.aws/config
[profile role-with-mfa]
region = us-west-2
role_arn = arn:aws:iam::128716708097:role/cli-role
source_profile = cli-user
mfa_serial = arn:aws:iam::128716708097:mfa/cli-user

You can use AssumeRole with MFA as follows:

$ AWS_PROFILE=role-with-mfa mfa terraform plan
Enter MFA code for arn:aws:iam::128716708097:mfa/cli-user: 

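The cache lookup the script above performs, as an added Python example (not code from the thread, Terraform or botocore): it mirrors the cache-key derivation of the botocore 1.12.162 lines linked above, checks the cached session's expiration with a safety margin, and returns the environment Terraform needs. The cache directory and the Expiration string formats it accepts are assumptions.

```python
"""Locate and validate the AWS CLI's cached assume-role credentials (added example)."""
import hashlib
import json
import os
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Optional

CACHE_DIR = Path.home() / ".aws" / "cli" / "cache"  # assumed default CLI cache location


def cache_key(role_arn: str, mfa_serial: Optional[str] = None) -> str:
    """sha1 of the sorted-key JSON of the AssumeRole kwargs, path-unsafe chars replaced."""
    args = {"RoleArn": role_arn}
    if mfa_serial:
        args["SerialNumber"] = mfa_serial  # only present when the role requires MFA
    digest = hashlib.sha1(json.dumps(args, sort_keys=True).encode("utf-8")).hexdigest()
    return digest.replace(":", "_").replace(os.path.sep, "_").replace("/", "_")


def parse_expiration(value: str) -> datetime:
    """Accept the 'Z', 'UTC' and '+00:00' suffixes (assumed formats of the cached Expiration)."""
    for suffix in ("Z", "UTC"):
        if value.endswith(suffix):
            value = value[: -len(suffix)] + "+00:00"
            break
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def needs_refresh(entry: dict, now: datetime, margin: timedelta = timedelta(minutes=5)) -> bool:
    """True when the cached session is expired or will expire within `margin`."""
    return parse_expiration(entry["Credentials"]["Expiration"]) - margin <= now


def session_env(role_arn: str, mfa_serial: Optional[str], now: Optional[datetime] = None,
                cache_dir: Path = CACHE_DIR) -> Optional[dict]:
    """Env vars to hand Terraform, or None when the CLI must be re-run
    (e.g. `aws sts get-caller-identity`, which prompts for the MFA code and rewrites the cache)."""
    path = cache_dir / f"{cache_key(role_arn, mfa_serial)}.json"
    if not path.exists():
        return None
    entry = json.loads(path.read_text())
    if needs_refresh(entry, now or datetime.now(timezone.utc)):
        return None
    creds = entry["Credentials"]
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["SessionToken"]}
```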
@aeschright aeschright added needs-triage Waiting for first response or review from a maintainer. service/s3 Issues and PRs that pertain to the s3 service. labels Jun 21, 2019
@aeschright aeschright assigned aeschright and unassigned aeschright Jun 21, 2019
@aeschright aeschright added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Oct 4, 2019
@github-actions

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Sep 25, 2021

github-actions bot commented Jun 1, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 1, 2022