retrive session credentials recurisvely #369
Conversation
|
YES! I've been meaning to make an attempt at patching this. This is the only gripe our developers have -- we require MFA for every assume role and have architected our AWS organization using the latest multi-account reference architecture so we have quite a bit of accounts & roles. I'm got your branch built locally and will report back if I come across any issues. |
There was a problem hiding this comment.
Helped with some of the documentation. Might also want to consider updating the example in USAGE.md
README.md
Outdated
| @@ -94,6 +94,36 @@ Then when you use the `admin` profile, `aws-vault` will look in the `read-only` | |||
|
|
|||
| **Note:** If you have an MFA device attached to your account, the STS service will generate session tokens that are *invalid* unless you provide an MFA code. To enable MFA for a profile, specify the `mfa_serial` in `~/.aws/config`. You can retrieve the MFA's serial (ARN) in the web console, or you can usually derive it pretty easily using the format `arn:aws:iam::[account-id]:mfa/[your-iam-username]`. If you have an account with an MFA associated, but you don't provide the IAM, you are unable to call IAM services, even if you have the correct permissions to do so. `mfa_serial` will not be inherited from the profile designated in `source_profile` - you must include a reference to `mfa_serial` in every profile you wish to use it with. | |||
|
|
|||
| Alternatively, you can also specify your `mfa_serial` on your source profile. This can be very convenient if you routinely assume multiple roles from the same source because you will only need to provide an MFA token once per source profile session: | |||
There was a problem hiding this comment.
The above line has a sentence which these changes contradict: mfa_serial will not be inherited from the profile designated in source_profile. From reviewing the changes you made, I think we can clean up the docs a bit. Removing the last sentence from L95, I would replace your docs with the following to clear up how the behavior has changed. Also fixed some of the source_profile examples to be working and the double mfa_serial=mfa_serial= in the first example.
mfa_serial will be inherited from the profile designated in source_profile, this can be very convenient if you routinely assume multiple roles from the same source as a MFA token is only provided once per source_profile session. You can always omit the mfa_serial on the source_profile to make MFA role-specific.
Here is an example where two roles defined in profile's admin-a & admin-b do not have the mfa_serial attribute, inheriting from the master profile instead.
[profile master]
mfa_serial = arn:aws:iam::123456789012:mfa/jonsmith
[profile admin-a]
source_profile = master
role_arn = arn:aws:iam::123456789012:role/admin-access
[profile admin-b]
source_profile = master
role_arn = arn:aws:iam::987654321987:role/admin-accessThe developer only needs to configure their master profile; the list of profile config can be copied from a wiki (this is very useful when you have 25+ aws accounts with multiple roles in each).
You can also define a chain of roles to assume:
[profile master]
mfa_serial=mfa_serial = arn:aws:iam::123456789012:mfa/jonsmith
[profile intermediary]
source_profile = master
role_arn = arn:aws:iam::123456789012:role/intermediary
[profile target]
source_profile = intermediary
role_arn = arn:aws:iam::123456789012:role/targetThere was a problem hiding this comment.
Ah, good suggestions. I incorporated your feedback in a new commit, but I didn't bother changing the profile name from read-only to master b/c I thought it was preferable to use names consistent with the other examples.
jstewmon
force-pushed
the
recursive-retrieve
branch
from
cb735cf
to
2300e4a
Compare
|
Just leaving a note here that I'm still looking at the rotate command to make it respect the Edit: rotate now respects mfa_serial on the profile |
|
@lox I think this reasonably complete now if you would be so kind as to review and provide feedback. |
jstewmon
force-pushed
the
recursive-retrieve
branch
from
f7b26cf
to
a47b8b9
Compare
- mfa token only needs to be provided once per source rather than once per profile by adding `mfa_serial = <arn>` to the root source profile - allows assume role chains (e.g. roleB <- roleA <- master)
The flag defaults to false but will be switched to true if the given profile does not have a SourceProfile, since a session token cannot be used to create a sign in url. SessionDuration must be omitted from the request to get the sign in token if the credentials were from an assumed role that used a session.
| if err != nil { | ||
| return credentials.Value{}, err | ||
| } | ||
| if profile, exists := p.config.Profile(p.profile); exists && profile.SourceProfile != "" { |
There was a problem hiding this comment.
Reading this code without the PR context takes a while to parse intent. Perhaps update the comment to make it clear what is happening and why?
There was a problem hiding this comment.
Updated the comment to explain the control flow.
|
This seems like a good idea to me and the implementation looks sound. I wonder how the aws-cli handles |
|
@lox thanks for the review! botocore and the aws-cli only recognizes the I didn't anticipate this being a concern b/c an aws-vault managed config is already incompatible with the AWS toolchain, since the latter always expects the root profile to contain the credentials. In my experience, the maintainers of the SDKs (and aws-cli) are interested in improving developer ergonomics with capabilities like this, but the credentials providers in botocore can be difficult to update for historical reasons. For example: boto/botocore#1329 I think that a plan that reasonably converges compatibility between aws-vault and the cli would be to add another feature to aws-vault to allow it to act as a |
|
I swear we implemented I think that context makes sense, we should put it in the README to describe how we approach compatibility with |
|
@lox , you're right about It looks like our new behavior is buggy with that flag because the |
|
@jstewmon Thanks for that catch, when I implemented |
|
I do love how this feature simplifies the config file. |
|
@FernandoMiguel what flag are you passing? Login doesn’t respect the same environment variables that exec does, but you can pass the flag. I’ve tested this up to 1hr which is my max configured time to have a session or role assumed, IMO not sure why you’d want anything longer if you’re already using a tool like aws-vault. from exec: from login: |
|
from $ aws-vault login --help
usage: aws-vault login [<flags>] <profile>
Generate a login link for the AWS Console
Flags:
--help Show context-sensitive help (also try --help-long and --help-man).
--version Show application version.
--debug Show debugging output
--backend=BACKEND Secret backend to use [keychain pass file]
--prompt=terminal Prompt driver to use [terminal osascript zenity]
--keychain="aws-vault" Name of macOS keychain to use, if it doesn't exist it will be created
--pass-dir=PASS-DIR Pass password store directory
--pass-cmd=PASS-CMD Name of the pass executable
--pass-prefix=PASS-PREFIX Prefix to prepend to the item path stored in pass
-n, --no-session Use root credentials, no session created
-t, --mfa-token=MFA-TOKEN The mfa token to use
--path=PATH The AWS service you would like access
-f, --federation-token-ttl=12h
Expiration time for aws console session
--assume-role-ttl=15m Expiration time for aws assumed role
-s, --stdout Print login URL to stdout instead of opening in default browser
Args:
<profile> Name of the profileso i pass |
|
@FernandoMiguel can you try the assume role ttl flag? We’ll look into the federated token arg but I do know that I was able to get extended sessions using assume-role-ttl |
|
@rossmckelvie i use assume role too, as posted above |
|
@FernandoMiguel I ran |
|
@jstewmon mine seem to be expiring much sooner than that. |
|
@FernandoMiguel the issue is that the maximum duration for AssumeRole is 1h when the request is made with a Session Token. With #383 you can put the mfa_serial back on the role profile and use It would be nice if you could use |
|
@jstewmon so the issue is having the session login to the source profile and then assume a dependant role, making the session limited by the mfa token, instead of a federation link of the destination role? |
per profile by adding
mfa_serial = <arn>to the root source profileresolves #329
resolved #310