WIP: Add Support for assumeRoles with enforced MFA #3885
…essionWithOptions
This is working so far with the following setup:

```ini
[default]
output = json
region = eu-central-1
mfa_serial = arn:aws:iam::000000000000:mfa/some_device

[profile full_access_mfa]
role_arn = arn:aws:iam::111111111111:role/FullAccessMFA
source_profile = default
```

```ini
[default]
aws_access_key_id = foo
aws_secret_access_key = bar
```

```hcl
provider "aws" {
  region  = "eu-central-1"
  profile = "full_access_mfa"
  mfa     = true
}
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::000000000000:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
```

So far there is no prompt showing up. It seems like the stdout from the provider plugin is suppressed. Submitting without entering a code leads to:

```
Error: Error running plan: 1 error(s) occurred:

* provider.aws: unexpected newline
```

Additionally this will not work with multiple providers using MFA-enforced assumeRole profiles (https://github.com/aws/aws-sdk-go/blob/master/aws/credentials/stscreds/assume_role_provider.go). Any suggestions or recommendations on how to improve this attempt?
@n3ph Love the work you are doing here. Would you be opposed to avoiding the
Any idea when this might get merged? It's pretty important for our workflows, where we have enforced MFA and multiple roles.
@nergdron I have a small wrapper script that I've been using here: https://gitlab.com/kmaris/wtf while this PR gets merged.
As already described, this attempt is not working when you use multiple providers, since every MFA token can be used just once. This leads to problems like this one:

```
* provider.aws: error validating provider credentials: error calling sts:GetCallerIdentity: AccessDenied: MultiFactorAuthentication failed with invalid MFA one time pass code.
	status code: 403, request id: 9ab3efc0-a3bd-11e8-bceb-27eb86ea1be1
```

I am going to close this.
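The closing comment above explains why the per-provider approach breaks (a one-time code is consumed by the first `sts:AssumeRole` and rejected by the second) but not a way around it. The Go program below is an added example, not code from this PR or from aws-sdk-go. It replaces STS with a constructed in-memory fake (`FakeSTS`, `Creds`, `NaiveAssumeAll` and `SessionFirstAssumeAll` are names invented here) that accepts each code once per MFA device and enforces the `aws:MultiFactorAuthPresent` condition from the trust policy. It reproduces the failure on the second provider with the same error text quoted above, and then goes beyond the thread by showing the usual workaround: spend the code once on `sts:GetSessionToken` and assume every role from the resulting MFA-backed session, which still carries the MFA context the trust policy checks.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Creds is the subset of an STS response a provider block needs. MFAPresent
// models the aws:MultiFactorAuthPresent context key carried by the credentials.
type Creds struct {
	AccessKeyID, SecretAccessKey, SessionToken string
	MFAPresent                                 bool
}

// ErrMFAReplay mirrors the error quoted in the thread when a one-time code is reused.
var ErrMFAReplay = errors.New("AccessDenied: MultiFactorAuthentication failed with invalid MFA one time pass code")

// FakeSTS is a constructed, offline stand-in for STS (hypothetical, not the SDK):
// each one-time code is accepted once per MFA device and rejected afterwards.
type FakeSTS struct {
	mu    sync.Mutex
	used  map[string]bool // key: serial + "|" + code
	Calls int             // number of credential-issuing calls made
}

func NewFakeSTS() *FakeSTS { return &FakeSTS{used: map[string]bool{}} }

// consume marks a (device, code) pair as spent; caller must hold s.mu.
func (s *FakeSTS) consume(serial, code string) error {
	key := serial + "|" + code
	if s.used[key] {
		return ErrMFAReplay
	}
	s.used[key] = true
	return nil
}

// issue mints fresh temporary credentials; caller must hold s.mu.
func (s *FakeSTS) issue(prefix string, mfa bool) Creds {
	s.Calls++
	return Creds{
		AccessKeyID:     fmt.Sprintf("ASIA%s%04d", prefix, s.Calls),
		SecretAccessKey: "secret",
		SessionToken:    fmt.Sprintf("token-%d", s.Calls),
		MFAPresent:      mfa,
	}
}

// GetSessionToken: the long-lived user keys plus one code yield MFA-backed
// session credentials. Authentication of the user keys is elided in this fake.
func (s *FakeSTS) GetSessionToken(serial, code string) (Creds, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if err := s.consume(serial, code); err != nil {
		return Creds{}, err
	}
	return s.issue("SESS", true), nil
}

// AssumeRole enforces the trust-policy condition aws:MultiFactorAuthPresent=true:
// the caller must either already carry MFA context or present a fresh, unused code.
func (s *FakeSTS) AssumeRole(caller Creds, roleARN, serial, code string) (Creds, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if !caller.MFAPresent {
		if code == "" {
			return Creds{}, errors.New("AccessDenied: aws:MultiFactorAuthPresent condition not satisfied for " + roleARN)
		}
		if err := s.consume(serial, code); err != nil {
			return Creds{}, fmt.Errorf("assume %s: %w", roleARN, err)
		}
	}
	return s.issue("ROLE", true), nil
}

// NaiveAssumeAll is the WIP approach: every provider block assumes its role
// directly from the long-lived keys and presents the (same) one-time code itself.
func NaiveAssumeAll(sts *FakeSTS, user Creds, serial, code string, roles []string) ([]Creds, error) {
	var out []Creds
	for _, r := range roles {
		c, err := sts.AssumeRole(user, r, serial, code)
		if err != nil {
			return out, err
		}
		out = append(out, c)
	}
	return out, nil
}

// SessionFirstAssumeAll spends the one-time code exactly once on GetSessionToken
// and assumes every role from the MFA-backed session; no further code is needed.
func SessionFirstAssumeAll(sts *FakeSTS, serial, code string, roles []string) ([]Creds, error) {
	sess, err := sts.GetSessionToken(serial, code)
	if err != nil {
		return nil, err
	}
	var out []Creds
	for _, r := range roles {
		c, err := sts.AssumeRole(sess, r, serial, "")
		if err != nil {
			return out, err
		}
		out = append(out, c)
	}
	return out, nil
}

func main() {
	serial := "arn:aws:iam::000000000000:mfa/some_device"
	roles := []string{
		"arn:aws:iam::111111111111:role/FullAccessMFA",
		"arn:aws:iam::222222222222:role/FullAccessMFA", // second account: constructed
	}
	user := Creds{AccessKeyID: "foo", SecretAccessKey: "bar"}
	_, err := NaiveAssumeAll(NewFakeSTS(), user, serial, "123456", roles)
	fmt.Println("naive per-provider:", err)
	got, err := SessionFirstAssumeAll(NewFakeSTS(), serial, "123456", roles)
	fmt.Println("session-first:", len(got), "roles assumed, err =", err)
}
```

In aws-sdk-go terms, the naive path is what a token provider such as `stscreds.StdinTokenProvider` wired into `session.Options.AssumeRoleTokenProvider` does for each provider block independently; the session-first path has to happen once, before the providers start, which is why it is normally done by a wrapper outside Terraform that hands the resulting temporary credentials to every provider block.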
In order to deal with assumeRoles expecting to use MFA we could at least use `stscreds.StdinTokenProvider`.
This fixes #226, #2420 and enhances #1275
Also requested in hashicorp/terraform#11270 and hashicorp/terraform#1275