AssumeRole profile not prompting for MFA when source profile uses credential_process #3038

Closed
MrGossett opened this issue Dec 13, 2017 · 1 comment

Comments

@MrGossett

$ aws --version
aws-cli/1.14.9 Python/3.6.3 Darwin/17.3.0 botocore/1.8.13

I have a profile using the credential_process config value to fetch credentials from the macOS keychain. The config for this profile is:

# ~/.aws/config
[profile user]
region = us-east-1
credential_process = aws keychain user

The keychain alias is defined as follows:

# ~/.aws/cli/alias

keychain =
  !f() {
    ACCESS_KEY=$(security find-generic-password -s "aws $1 access" -w login.keychain)
    SECRET_KEY=$(security find-generic-password -s "aws $1 secret" -w login.keychain)
    echo \{\"AccessKeyId\":\""$ACCESS_KEY"\",\"SecretAccessKey\":\""$SECRET_KEY"\",\"Version\":1}
  }; f

I took this directly from the awesome presentation from re:Invent 2017 by @kyleknap. Thanks Kyle :)

This part of my config is working perfectly.

$ aws configure list --profile user
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                     user           manual    --profile
access_key     ****************XXXX   custom-process
secret_key     ****************XXXX   custom-process
    region                us-east-1              env    AWS_DEFAULT_REGION

$ aws sts get-caller-identity --profile user
{
    "UserId": "AIDAXXXXXXXXXXXXXXXXX",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/mrgossett"
}

I have an AssumeRole profile configured with a role_arn and a mfa_serial, and using the first profile as its source:

[profile role]
region = us-east-1
role_arn = arn:aws:iam::210987654321:role/SomeRole
mfa_serial = arn:aws:iam::123456789012:mfa/mrgossett
source_profile = user

Using this AssumeRole profile, the CLI is not prompting me for an MFA code, and appears to fail before calling STS AssumeRole.

$ aws sts get-caller-identity --profile role --debug
2017-12-12 22:14:38,341 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/1.14.9 Python/3.6.3 Darwin/17.3.0 botocore/1.8.13
2017-12-12 22:14:38,342 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['sts', 'get-caller-identity', '--profile', 'role', '--debug']
2017-12-12 22:14:38,342 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_scalar_parsers at 0x1080cd268>
2017-12-12 22:14:38,342 - MainThread - botocore.session - DEBUG - Loading variable profile from instance vars with value 'role'.
2017-12-12 22:14:38,342 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x107bc1d90>
2017-12-12 22:14:38,342 - MainThread - botocore.session - DEBUG - Loading variable profile from instance vars with value 'role'.
2017-12-12 22:14:38,343 - MainThread - botocore.session - DEBUG - Loading variable credentials_file from defaults.
2017-12-12 22:14:38,343 - MainThread - botocore.session - DEBUG - Loading variable config_file from defaults.
2017-12-12 22:14:38,343 - MainThread - botocore.session - DEBUG - Loading variable profile from instance vars with value 'role'.
2017-12-12 22:14:38,343 - MainThread - botocore.session - DEBUG - Loading variable metadata_service_timeout from defaults.
2017-12-12 22:14:38,343 - MainThread - botocore.session - DEBUG - Loading variable profile from instance vars with value 'role'.
2017-12-12 22:14:38,343 - MainThread - botocore.session - DEBUG - Loading variable metadata_service_num_attempts from defaults.
2017-12-12 22:14:38,345 - MainThread - botocore.session - DEBUG - Loading variable profile from instance vars with value 'role'.
2017-12-12 22:14:38,345 - MainThread - botocore.credentials - DEBUG - Skipping environment variable credential check because profile name was explicitly set.
2017-12-12 22:14:38,345 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function attach_history_handler at 0x107e71840>
2017-12-12 22:14:38,345 - MainThread - botocore.session - DEBUG - Loading variable profile from instance vars with value 'role'.
2017-12-12 22:14:38,345 - MainThread - botocore.session - DEBUG - Loading variable profile from instance vars with value 'role'.
2017-12-12 22:14:38,345 - MainThread - botocore.session - DEBUG - Loading variable api_versions from defaults.
2017-12-12 22:14:38,346 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/Cellar/awscli/1.14.9/libexec/lib/python3.6/site-packages/botocore/data/sts/2011-06-15/service-2.json
2017-12-12 22:14:38,347 - MainThread - botocore.hooks - DEBUG - Event service-data-loaded.sts: calling handler <function register_retries_for_service at 0x1077649d8>
2017-12-12 22:14:38,347 - MainThread - botocore.handlers - DEBUG - Registering retry handlers for service: sts
2017-12-12 22:14:38,348 - MainThread - botocore.hooks - DEBUG - Event building-command-table.sts: calling handler <function add_waiters at 0x1080d5488>
2017-12-12 22:14:38,356 - MainThread - awscli.clidriver - DEBUG - OrderedDict()
2017-12-12 22:14:38,356 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.sts.get-caller-identity: calling handler <function add_streaming_output_arg at 0x1080cd510>
2017-12-12 22:14:38,356 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.sts.get-caller-identity: calling handler <function add_cli_input_json at 0x107bcc598>
2017-12-12 22:14:38,356 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.sts.get-caller-identity: calling handler <function unify_paging_params at 0x108044ea0>
2017-12-12 22:14:38,364 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/Cellar/awscli/1.14.9/libexec/lib/python3.6/site-packages/botocore/data/sts/2011-06-15/paginators-1.json
2017-12-12 22:14:38,364 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.sts.get-caller-identity: calling handler <function add_generate_skeleton at 0x1080317b8>
2017-12-12 22:14:38,364 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.sts.get-caller-identity: calling handler <bound method OverrideRequiredArgsArgument.override_required_args of <awscli.customizations.cliinputjson.CliInputJSONArgument object at 0x1081ca908>>
2017-12-12 22:14:38,364 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.sts.get-caller-identity: calling handler <bound method GenerateCliSkeletonArgument.override_required_args of <awscli.customizations.generatecliskeleton.GenerateCliSkeletonArgument object at 0x1081ca940>>
2017-12-12 22:14:38,365 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.sts.get-caller-identity.cli-input-json: calling handler <function uri_param at 0x107b539d8>
2017-12-12 22:14:38,365 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.sts.get-caller-identity.generate-cli-skeleton: calling handler <function uri_param at 0x107b539d8>
2017-12-12 22:14:38,365 - MainThread - botocore.hooks - DEBUG - Event calling-command.sts.get-caller-identity: calling handler <bound method CliInputJSONArgument.add_to_call_parameters of <awscli.customizations.cliinputjson.CliInputJSONArgument object at 0x1081ca908>>
2017-12-12 22:14:38,365 - MainThread - botocore.hooks - DEBUG - Event calling-command.sts.get-caller-identity: calling handler <bound method GenerateCliSkeletonArgument.generate_json_skeleton of <awscli.customizations.generatecliskeleton.GenerateCliSkeletonArgument object at 0x1081ca940>>
2017-12-12 22:14:38,365 - MainThread - botocore.session - DEBUG - Loading variable region from environment with value 'us-east-1'.
2017-12-12 22:14:38,366 - MainThread - botocore.session - DEBUG - Loading variable profile from instance vars with value 'role'.
2017-12-12 22:14:38,366 - MainThread - botocore.session - DEBUG - Loading variable ca_bundle from defaults.
2017-12-12 22:14:38,366 - MainThread - botocore.session - DEBUG - Loading variable profile from instance vars with value 'role'.
2017-12-12 22:14:38,366 - MainThread - botocore.session - DEBUG - Loading variable api_versions from defaults.
2017-12-12 22:14:38,366 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2017-12-12 22:14:38,366 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
  File "/usr/local/Cellar/awscli/1.14.9/libexec/lib/python3.6/site-packages/awscli/clidriver.py", line 207, in main
    return command_table[parsed_args.command](remaining, parsed_args)
  File "/usr/local/Cellar/awscli/1.14.9/libexec/lib/python3.6/site-packages/awscli/clidriver.py", line 347, in __call__
    return command_table[parsed_args.operation](remaining, parsed_globals)
  File "/usr/local/Cellar/awscli/1.14.9/libexec/lib/python3.6/site-packages/awscli/clidriver.py", line 519, in __call__
    call_parameters, parsed_globals)
  File "/usr/local/Cellar/awscli/1.14.9/libexec/lib/python3.6/site-packages/awscli/clidriver.py", line 637, in invoke
    verify=parsed_globals.verify_ssl)
  File "/usr/local/Cellar/awscli/1.14.9/libexec/lib/python3.6/site-packages/botocore/session.py", line 850, in create_client
    credentials = self.get_credentials()
  File "/usr/local/Cellar/awscli/1.14.9/libexec/lib/python3.6/site-packages/botocore/session.py", line 474, in get_credentials
    'credential_provider').load_credentials()
  File "/usr/local/Cellar/awscli/1.14.9/libexec/lib/python3.6/site-packages/botocore/credentials.py", line 1594, in load_credentials
    creds = provider.load()
  File "/usr/local/Cellar/awscli/1.14.9/libexec/lib/python3.6/site-packages/botocore/credentials.py", line 1163, in load
    return self._load_creds_via_assume_role(self._profile_name)
  File "/usr/local/Cellar/awscli/1.14.9/libexec/lib/python3.6/site-packages/botocore/credentials.py", line 1172, in _load_creds_via_assume_role
    role_config, profile_name
  File "/usr/local/Cellar/awscli/1.14.9/libexec/lib/python3.6/site-packages/botocore/credentials.py", line 1313, in _resolve_source_credentials
    return self._resolve_credentials_from_profile(source_profile)
  File "/usr/local/Cellar/awscli/1.14.9/libexec/lib/python3.6/site-packages/botocore/credentials.py", line 1322, in _resolve_credentials_from_profile
    return self._load_creds_via_assume_role(profile_name)
  File "/usr/local/Cellar/awscli/1.14.9/libexec/lib/python3.6/site-packages/botocore/credentials.py", line 1170, in _load_creds_via_assume_role
    role_config = self._get_role_config(profile_name)
  File "/usr/local/Cellar/awscli/1.14.9/libexec/lib/python3.6/site-packages/botocore/credentials.py", line 1215, in _get_role_config
    role_arn = profile['role_arn']
KeyError: 'role_arn'
2017-12-12 22:14:38,369 - MainThread - awscli.clidriver - DEBUG - Exiting with rc 255

'role_arn'

However, if I remove the keychain alias and instead write the credentials to ~/.aws/credentials, it starts working again.

$ aws configure --profile user
AWS Access Key ID [None]: [snip]
AWS Secret Access Key [None]: [snip]
Default region name [us-east-1]:
Default output format [None]:

$ aws configure list --profile user
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                     user           manual    --profile
access_key     ****************XXXX shared-credentials-file
secret_key     ****************XXXX shared-credentials-file
    region                us-east-1              env    AWS_DEFAULT_REGION

$ cat ~/.aws/config | head -n 3
[profile user]
region = us-east-1
# credential_process = aws keychain mlt

$ aws sts get-caller-identity --profile role
Enter MFA code for arn:aws:iam::123456789012:mfa/mrgossett:
{
    "UserId": "AROAXXXXXXXXXXXXXXXXX:botocore-session-1513135483",
    "Account": "210987654321",
    "Arn": "arn:aws:sts::210987654321:assumed-role/SomeRole/botocore-session-1513135483"
}

I've looked through issues here in GitHub following the release of v1.12.0 on November 22 when the credential_process feature was introduced, and I can't find anything similar. I think I may have hit some edge case with the combo of credential_process on a source profile and mfa_serial on an AssumeRole profile...?

@joguSD
Contributor

joguSD commented Dec 18, 2017

Unfortunately this isn't possible at the moment.
Currently, the source_profile needs to point to a profile that is either another assume role or static credentials. There's an upstream feature request for this in botocore: boto/botocore#1329

Closing in favor of that issue.

@joguSD joguSD closed this as completed Dec 18, 2017
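To make the failure in the traceback concrete, here is an added example (not code from the AWS CLI or botocore) that simulates both resolution chains in Python: the 1.8.13 behaviour joguSD describes, where a source_profile may only hold static keys or itself be an assume-role profile, and a chain that also accepts a credential_process source. The credential_process command, the key values and the profile file are constructed for the example, and nothing calls STS; the result is a description of the AssumeRole call (including the mfa_serial that would trigger the MFA prompt).

```python
import json
import shlex
import subprocess
import sys
from configparser import ConfigParser

# Constructed stand-in for the `aws keychain user` alias: prints the JSON the
# credential_process contract requires. Key values are made up for this example.
FAKE_PROCESS = " ".join(shlex.quote(a) for a in [
    sys.executable, "-c",
    'import json; print(json.dumps({"AccessKeyId": "AKIAEXAMPLE", '
    '"SecretAccessKey": "example-secret", "Version": 1}))',
])

# Constructed ~/.aws/config with the two profiles from the report.
CONFIG_TEXT = f"""
[profile user]
credential_process = {FAKE_PROCESS}

[profile role]
role_arn = arn:aws:iam::210987654321:role/SomeRole
mfa_serial = arn:aws:iam::123456789012:mfa/mrgossett
source_profile = user
"""

def load_profiles(text):
    """Parse config text into {profile_name: {key: value}}."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s.replace("profile ", "", 1): dict(cp[s]) for s in cp.sections()}

def static_creds(profile):
    return {"access_key": profile["aws_access_key_id"],
            "secret_key": profile["aws_secret_access_key"], "type": "shared-credentials-file"}

def run_credential_process(command):
    """Run the configured process without a shell and validate its JSON output."""
    proc = subprocess.run(shlex.split(command), capture_output=True, text=True, check=True)
    creds = json.loads(proc.stdout)
    if creds.get("Version") != 1:
        raise ValueError("credential_process output must carry Version 1")
    missing = {"AccessKeyId", "SecretAccessKey"} - set(creds)
    if missing:
        raise ValueError(f"credential_process output missing {sorted(missing)}")
    return {"access_key": creds["AccessKeyId"],
            "secret_key": creds["SecretAccessKey"], "type": "custom-process"}

def assume_role_plan(profile, source):
    """Describe the AssumeRole call that would follow; no STS call is made here."""
    return {"role_arn": profile["role_arn"],
            "mfa_serial": profile.get("mfa_serial"), "source": source}

def resolve_legacy(profiles, name):
    """Mirror the 1.8.13 chain in the traceback: a source is static keys or another role."""
    profile = profiles[name]
    if "aws_access_key_id" in profile:
        return static_creds(profile)
    if "role_arn" not in profile:
        raise KeyError("role_arn")  # _get_role_config's failure for a credential_process-only source
    return assume_role_plan(profile, resolve_legacy(profiles, profile["source_profile"]))

def resolve(profiles, name):
    """Same chain, with a credential_process profile accepted as a source."""
    profile = profiles[name]
    if "credential_process" in profile:
        return run_credential_process(profile["credential_process"])
    if "aws_access_key_id" in profile:
        return static_creds(profile)
    if "role_arn" not in profile:
        raise ValueError(f"profile {name!r} has no usable credential source")
    return assume_role_plan(profile, resolve(profiles, profile["source_profile"]))
```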