
WIP: AWS MFA Support when Using Assume Role #9349

Closed

Conversation

rickard-von-essen
Contributor

This adds initial support for using MFA when assuming a role by adding
`mfa_serial` and `token_code` to the `assumeRole` block in an AWS
provider.

```hcl
provider "aws" {
  region  = "eu-west-1"
  access_key = "AKIALAAAABBBBCCCCDDD"
  secret_key = "<secret key>"
  assume_role {
    role_arn = "arn:aws:iam::ACCOUNT_ID:role/Admin"
    mfa_serial = "arn:aws:iam::ACCOUNT_ID:mfa/[email protected]"
    token_code = "${var.mfa}"
  }
}
```

@rickard-von-essen
Contributor Author

rickard-von-essen commented Oct 13, 2016

Since the provider gets reinitialized this is not very useful until an STS cache is added. Without that the first part of a run will go fine, but when the AWS provider reinitializes the token_code is old and gets rejected.

I'll add that soon. Depends on aws/aws-sdk-go#842
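The STS cache the comment above asks for, as an added example that is not part of this PR, of Terraform or of aws-sdk-go: a credential cache shared across provider initializations, plus a constructed stand-in for STS that rejects a replayed TOTP code. Credentials, AssumeRoleFunc, STSCache, NewSTSCache and NewFakeSTS are assumed names, and the five-minute refresh margin is an assumption.

```go
package main

import (
	"errors"
	"sync"
	"time"
)

// Credentials are the temporary credentials that sts:AssumeRole returns.
type Credentials struct{ SessionToken string; Expiration time.Time }
// AssumeRoleFunc stands in for the STS call; its arguments mirror role_arn,
// mfa_serial and token_code from the provider block above.
type AssumeRoleFunc func(roleARN, mfaSerial, tokenCode string) (Credentials, error)
// STSCache keeps assumed-role credentials across provider re-initialisations,
// so the single-use MFA code reaches STS only once per credential lifetime.
type STSCache struct {
	mu      sync.Mutex
	now     func() time.Time
	entries map[string]Credentials
}
func NewSTSCache(now func() time.Time) *STSCache {
	return &STSCache{now: now, entries: map[string]Credentials{}}
}
// Get serves cached credentials while they stay valid for at least five more
// minutes (assumed margin); otherwise it calls AssumeRole with the given code.
func (c *STSCache) Get(roleARN, mfaSerial, tokenCode string, assume AssumeRoleFunc) (Credentials, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	key := roleARN + "|" + mfaSerial
	if cr, ok := c.entries[key]; ok && c.now().Add(5*time.Minute).Before(cr.Expiration) {
		return cr, nil
	}
	cr, err := assume(roleARN, mfaSerial, tokenCode)
	if err == nil {
		c.entries[key] = cr
	}
	return cr, err
}

// NewFakeSTS is a constructed stand-in for AssumeRole that accepts each TOTP
// code once and rejects a replay, the failure described in the comment above.
func NewFakeSTS(now func() time.Time) AssumeRoleFunc {
	used := map[string]bool{}
	return func(_, _, tokenCode string) (Credentials, error) {
		if used[tokenCode] {
			return Credentials{}, errors.New("token code already used")
		}
		used[tokenCode] = true
		return Credentials{SessionToken: "constructed-token", Expiration: now().Add(time.Hour)}, nil
	}
}
```

A real provider would wrap stscreds.AssumeRoleProvider behind the same Get so that re-initialization reuses the credentials instead of resending the TOTP code.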

@jasdel

jasdel commented Feb 18, 2017

Hi @rickard-von-essen I've created PR aws/aws-sdk-go#1088 that adds support for MFA tokens with assume role via the shared config using a Session and via stscreds.AssumeRoleProvider directly.

It would be great if you could take a look at the PR and the functionality it adds. Any feedback would be very helpful. Thanks!

jasdel added a commit to aws/aws-sdk-go that referenced this pull request Feb 22, 2017
Adds support for assuming IAM roles with MFA enabled. A TokenProvider
func was added to `stscreds.AssumeRoleProvider` that will be called each
time the role's credentials need to be refreshed. A basic token provider
that sources the MFA token from stdin is provided as `stscreds.StdinTokenProvider`.

This change also adds a new session option, `AssumeRoleTokenProvider`.
The value of this field will be passed to the `stscreds.AssumeRoleProvider`
if the shared configuration is enabled and the config (`~/.aws/config`) or 
credentials files (`~/.aws/credentials`) specify a role to assume
with MFA.

In order for the SDK to assume a role with MFA the `SharedConfigState`
session option must be set to `SharedConfigEnable`, or `AWS_SDK_LOAD_CONFIG`
environment variable set.

Creating an AssumeRoleProvider with MFA:
===

```go
package main

import (
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/s3"
)

func main() {
	// Initial credentials loaded from SDK's default credential chain. Such as
	// the environment, shared credentials (~/.aws/credentials), or EC2 Instance
	// Role. These credentials will be used to make the STS Assume Role API call.
	sess := session.Must(session.NewSession())

	// Create the credentials from AssumeRoleProvider to assume the role
	// referenced by the "myRoleARN" ARN. Prompting for MFA token from stdin.
	creds := stscreds.NewCredentials(sess, "myRoleARN", func(p *stscreds.AssumeRoleProvider) {
		p.SerialNumber = aws.String("myTokenSerialNumberOrARN")
		p.TokenProvider = stscreds.StdinTokenProvider
	})

	// Create service client value configured for credentials
	// from assumed role.
	svc := s3.New(sess, &aws.Config{Credentials: creds})
	_ = svc // use svc to call S3 with the assumed-role credentials
}
```

Creating a Session with shared config enabled to assume a role with MFA:
===

```go
package main

import (
	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/s3"
)

func main() {
	sess := session.Must(session.NewSessionWithOptions(session.Options{
		AssumeRoleTokenProvider: stscreds.StdinTokenProvider,
		SharedConfigState:       session.SharedConfigEnable,
	}))
	// Create service client value configured for credentials
	// from assumed role.
	svc := s3.New(sess)
	_ = svc // use svc to call S3 with the assumed-role credentials
}
```

Fix #842
Related To hashicorp/terraform#9349
@rickard-von-essen
Contributor Author

@jasdel Great! I'll give it a go soon. I just started to implement it in Packer.

@apparentlymart
Contributor

Hello @rickard-von-essen, and thanks for working on this!

As part of the Terraform 0.10 release earlier this year, all of the Terraform providers were moved to their own repositories in the terraform-providers GitHub organization, and removed from the Terraform Core repository.

Unfortunately due to the fact that new issues and pull requests are being opened constantly, it was not possible for the various provider maintainers to merge all outstanding pull requests before this split, and there is no automatic way to migrate a pull request to a new repository.

As a result, this pull request can sadly no longer be applied as-is, and so I'm going to close it.

If you or someone else has the time and motivation to apply the same changes to the aws provider repository and open a new PR there, the maintainers of that provider should be able to review and merge it.

Thanks again for working on this, and sorry it was not able to be merged before the provider repository changes.

@ghost

ghost commented Apr 6, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 6, 2020