Support 2FA #47
Comments
The python tool |
MFA is used in conjunction with Assume Role or Get STS Session Token, both of which can be implemented here. I would like to build this feature; I'm learning Go and have been an AWS user for quite a while now. |
@lucagrulla I have added 2FA support, and tested it with a role that has 2FA enabled. I can raise a PR if you like. |
yes please! Thanks a lot for the help! |
Note: sorry, I didn't see the PR. Anyway, I have been reviewing it, and there is no need of a Hi @lucagrulla !! I think this snippet can solve the issue: https://aws.amazon.com/es/blogs/developer/assume-aws-iam-roles-with-mfa-using-the-aws-sdk-for-go/; just adding this:
in the file https://github.com/lucagrulla/cw/blob/master/cloudwatch/client.go#L52. I am having this issue, so I could test it as soon as you have a release. Thanks! |
Hi @okelet For the time being the best solution for you is to use a third party tool to get the MFA token, then use cw as usual. |
Hi @lucagrulla, is there anything I can do to help with testing or improving the PR? |
Hi @IndranilVyas and @lucagrulla, I have created the pull request #92 and tested locally without profiles, and with different profiles requiring MFA with AssumeRole and without MFA, all of them working perfectly. It is almost the same as what @IndranilVyas did, but without the need for an MFA parameter in the command. Hope this PR can be integrated. But MFA is not cached... Please wait. |
To cache temporary credentials from the session, you need to save them to the ~/.aws/credentials file or as environment variables |
Yes, just wondering if the Go library has any type of built-in credential cache, like the Python library has, but I can't find any... It looks like the people from kubernetes-sigs/aws-iam-authenticator have done something similar (kubernetes-sigs/aws-iam-authenticator#193), but there is no such option in the standard Go library... |
I tried with my working configuration and also with a vanilla IAM and I don't have the expected behaviour (no MFA request on stdin). @okelet do you mind walking me through your IAM configuration so I can validate that my AWS configuration is correct? |
You can use a credential_process. The advantage is that caching is up to the configured helper, so no need to do anything at the application level. I'm not sure if the Go implementation will fetch a new token after expiration if you tail for a very long period. |
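
The caching decision a `credential_process` helper makes, as suggested in the comment above, sketched in Go as an added example (not code from cw, from this thread or from the AWS SDK). `Resolve`, `ProcessCreds`, `minRemaining` and the cache path are hypothetical names, and `fetch` stands in for the STS call that would prompt for the MFA code.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"time"
)

// ProcessCreds is the JSON object a credential_process helper prints on stdout.
type ProcessCreds struct {
	Version         int
	AccessKeyId     string
	SecretAccessKey string
	SessionToken    string
	Expiration      time.Time // encoded as RFC 3339 by encoding/json
}

const minRemaining = 5 * time.Minute // refresh early so a caller never starts on nearly expired credentials

// Resolve returns cached credentials while valid; otherwise it calls fetch and rewrites the cache.
func Resolve(cachePath string, now time.Time, fetch func() (ProcessCreds, error)) (ProcessCreds, bool, error) {
	if raw, err := os.ReadFile(cachePath); err == nil {
		var c ProcessCreds
		if json.Unmarshal(raw, &c) == nil && c.Version == 1 && c.Expiration.Sub(now) > minRemaining {
			return c, true, nil
		}
	}
	c, err := fetch()
	if err != nil {
		return ProcessCreds{}, false, fmt.Errorf("fetching session credentials: %w", err)
	}
	c.Version = 1
	raw, err := json.Marshal(c)
	if err == nil {
		err = os.WriteFile(cachePath, raw, 0o600) // session credentials: owner-only file
	}
	return c, false, err
}

func main() {
	stub := func() (ProcessCreds, error) { // constructed stand-in for the STS call
		return ProcessCreds{AccessKeyId: "ASIAEXAMPLE", SecretAccessKey: "example", SessionToken: "example", Expiration: time.Now().Add(time.Hour)}, nil
	}
	c, _, err := Resolve(os.TempDir()+"/cw-example-creds.json", time.Now(), stub) // demo path; use a per-user directory in practice
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	json.NewEncoder(os.Stdout).Encode(c)
}
```

A profile in `~/.aws/config` would point its `credential_process` setting at the built helper. `os.WriteFile` applies mode 0600 only when it creates the file, so a pre-existing cache file keeps whatever permissions it already had.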
Hi @ntkoopman , thanks for the suggestion. I'll have a look! |
It might be a workaround, but since I find it useful for juggling accounts anyway... I've found aws-vault works great with MFA + cw.
https://github.com/99designs/aws-vault hth |
Is your feature request related to a problem? Please describe.
see #45
Describe the solution you'd like
Support authentication with 2FA.
Additional context
Accounts with 2FA enabled won't work.