Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support 2FA #47

Open
lucagrulla opened this issue Jun 7, 2019 · 14 comments
Open

Support 2FA #47

lucagrulla opened this issue Jun 7, 2019 · 14 comments

Comments

@lucagrulla
Copy link
Owner

Is your feature request related to a problem? Please describe.
see #45

Describe the solution you'd like
Support authentication with 2FA.

Additional context
Accounts with 2FA enabled won't work.

@edmundhighcock
Copy link

The python tool aws-mfa takes a profile called 'default-long-term' and then stores all necessary 2fa credentials in the 'default' profile in ~/.aws/credentials. It would be great if this 2fa approach was compatible with cw!

@IndranilVyas
Copy link

MFA is used in conjunction with Assume Role or Get STS Session Token, both of which can be implemented here.

I would like to build this feature, I'm learning Go and have been AWS user for quite a while now.

@IndranilVyas
Copy link

@lucagrulla I have added 2FA support, and tested it with role that has 2FA enabled. I can raise PR if you like.

@lucagrulla
Copy link
Owner Author

yes please!
a PR and some wording about your approach to this would be great!

Thanks a lot for the help!

@okelet
Copy link

okelet commented Jan 2, 2020

Note: sorry, I didn't see the PR. Anyway, I have been reviewing it, and there is no need of a --mfa parameter; the AWS library detects when an MFA is necessary, and will ask for it using the AssumeRoleTokenProvider option. CC @IndranilVyas

Hi @lucagrulla !! I think this snippet can solve the issue: https://aws.amazon.com/es/blogs/developer/assume-aws-iam-roles-with-mfa-using-the-aws-sdk-for-go/; just adding this:

sess := session.Must(session.NewSessionWithOptions(session.Options{
    AssumeRoleTokenProvider: stscreds.StdinTokenProvider,
    SharedConfigState: session.SharedConfigEnable,
}))

in the file https://github.com/lucagrulla/cw/blob/master/cloudwatch/client.go#L52.

I am having this issue, so I could test it as soon as you have a release. Thanks!

@lucagrulla
Copy link
Owner Author

Hi @okelet
Thanks for your help.
I looked at the same documentation you shared and unfortunatelty it's not enough. I also experience inconsistent behaviours when testing PR #82, hence why it's taking me so long time to fix this.

For the time being the best solution for you is to use a third party tool to get the MFA token, then use cw as usual.

@IndranilVyas
Copy link

Hi @lucagrulla, anything I can do to help with testing or improving the PR.

@okelet
Copy link

okelet commented Jan 2, 2020

Hi @IndranilVyas and @lucagrulla, I have created the pull request #92 and tested locally without profiles, and with different profiles requiring MFA with AssumeRole and without MFA, all of them working perfectly. It is almost the same than @IndranilVyas did, but without the need of a mfa parameter in the command. Hope this PR can be integrated.

But MFA is not cached... Please wait.

@IndranilVyas
Copy link

To cache temporary credentials from the session, you need to save to ~/.aws/credentials file or as environment variables

@okelet
Copy link

okelet commented Jan 2, 2020

Yes, just wondering if the Go library has any type of builtin credential cache, like the Python library has, but I cant find any... It looks that the people from kubernetes-sigs/aws-iam-authenticator has done something similar (kubernetes-sigs/aws-iam-authenticator#193), but there is no such option in the standard Go library...

@lucagrulla
Copy link
Owner Author

I tried with my working configuration and also with a vanilla IAM and I don't have the expected behaviour (no MFA request on stdin).

@okelet do you mind walking me through your IAM configuration so I can validate that my AWS configuration is correct?

@ntkoopman
Copy link

You can use a credential_process. Advantage is that caching is up to the configured helper, so no need to do anything at the application level. I'm not sure if the Go implementation will fetch a new token after expiration if you tail for a very long period.

@lucagrulla
Copy link
Owner Author

Hi @ntkoopman , thanks for the suggestion. I'll have a look!

@deadlysyn
Copy link

It might be a workaround, but since I find it useful for juggling accounts anyway... I've found aws-vault works great with MFA + cw.

aws-vault exec <profile> -- ./cw -r <region> tail ...

https://github.com/99designs/aws-vault

hth

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

6 participants