SDK doesn't work with roles requiring MFA #1543

Closed
vhartikainen opened this issue Jun 1, 2017 · 3 comments · Fixed by #2126
Labels
feature-request A feature should be added or improved.

Comments

@vhartikainen

Used SDK version: 2.60.0
Node.js version: v6.9.5

We have a role like the one below defined in our account. We're working on getting MFA in use with both the AWS CLI and the Node.js SDK.

  AccountAdministratorRole:
    Type: "AWS::IAM::Role"
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action:
              - "sts:AssumeRole"
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: true
      Path: "/"

And the ~/.aws/config:

[profile account]
region = eu-central-1
[profile account-admin]
role_arn = arn:aws:iam::<accountnumber>:role/AccountAdministratorRole
region = eu-central-1
source_profile = account
mfa_serial = arn:aws:iam::<accountnumber>:mfa/ville.hartikainen

When using the aws-cli, it prompts properly for the MFA code and caches the temporary credentials under ~/.aws/cli/cache/. The Node.js SDK does not share this functionality at all, and it seems like support for MFA is completely missing.

This issue was discussed already in #993, and @andreineculau presented a potential (though ugly) workaround for it. The original issue was closed in #1391, but the problem presented with MFA token usage still remained. For the ease of readers, I will just quickly post a slightly edited version of it below, which seems to work with the latest tagged version of the SDK:

const AWS = require('aws-sdk');
const ini = require('ini');
const fs = require('fs');

// Use the same profile selection the CLI uses
let awsProfile = process.env.AWS_PROFILE || process.env.AWS_DEFAULT_PROFILE;
if (awsProfile) {
  try {
    let configIni = ini.parse(fs.readFileSync(
      `${process.env.HOME}/.aws/config`,
      'utf-8'
    ));
    let awsProfileConfig = configIni[`profile ${awsProfile}`];
    if (awsProfileConfig && awsProfileConfig.role_arn) {
      // Rebuild the cache filename the CLI derives from "<profile>--<role_arn>",
      // with ':' replaced by '_' and any other unsafe character by '-'
      let roleArn = awsProfileConfig.role_arn.replace(/:/g, '_').replace(/[^A-Za-z0-9\-_]/g, '-');
      let awsCliCacheFilename = `${awsProfile}--${roleArn}`;
      // The cache file is the raw AssumeRole response (Credentials, AssumedRoleUser, ...)
      let awsCliCache = JSON.parse(fs.readFileSync(
        `${process.env.HOME}/.aws/cli/cache/${awsCliCacheFilename}.json`,
        'utf-8'
      ));
      let sts = new AWS.STS();
      // credentialsFrom() turns an AssumeRole-shaped response into an AWS.Credentials
      // object; the optional second argument is a Credentials object to update, so it is
      // omitted here rather than passing the cache object twice
      AWS.config.credentials = sts.credentialsFrom(awsCliCache);
    }
  } catch (_err) {
    console.log(_err);
  }
}

The workaround utilizes the temporary credentials cached by the aws-cli, which seems like an adequate option for us, but I'd be happy to see some support for MFA built into the SDK itself.

@chrisradek chrisradek added the feature-request A feature should be added or improved. label Jun 1, 2017
Dunedan pushed a commit to conhealth/dynamodb-replicator that referenced this issue Jul 4, 2017
Just a very naive and temporary change to support MFA, based on the
code snippet presented in the feature request for MFA support of the
aws-sdk-js (aws/aws-sdk-js#1543)
@fwhite-wsm

This is also a problem for our team.

@andreineculau

FWIW my snippet does NOT work with 1.14.10 (known working version is 1.11.190 - that's the version bump in homebrew which I currently use) because aws-cli decided to camouflage the filenames storing the temporary credentials in ~/.aws/cli/cache.
Tail culprit boto/botocore#1322, followed by a bunch of previous commits.

An updated version of my hack is available at https://gist.github.com/andreineculau/a186c2181a3099a422abc293c8e79fef

@lock

lock bot commented Sep 29, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.

@lock lock bot locked as resolved and limited conversation to collaborators Sep 29, 2019