Not authorized to perform sts:AssumeRole when MFA times out #488

Open
joshghent opened this issue Oct 25, 2023 · 3 comments
Labels
bug Something isn't working

joshghent commented Oct 25, 2023

Describe the bug
When you have a role that requires MFA, that is assumed from another account, when the MFA session expires Leapp can no longer connect and gives the following error:

User: <PARENT ACCOUNT USER> is not authorized to perform sts:AssumeRole on resource <ASSUME ROLE>

Leapp Version
0.18.1

To Reproduce
Steps to reproduce the behavior:

  1. Create two AWS accounts - I'll call them parent and child
  2. Add MFA to your root account
  3. Create a role in your child account with the following policy (below)
  4. Set up accounts in Leapp.
  5. Assume into the child account via Leapp
  6. You should be prompted for MFA
  7. Wait for 2 hours
  8. Try to reconnect to the child account via Leapp
  9. See the error above.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        }
    ]
}

Expected behavior
I should be allowed to reconnect to the assume role as I have permission.
I believe this is an issue with the session not being correctly cleared or reprompting for MFA.

Desktop (please complete the following information):

  • OS: macOS Ventura
  • OS Version: 13.6
  • Leapp Version: 0.18.1

Additional context
Thanks for the great software! I recommend it all the time :) ✌️

@andreacavagna01
Contributor

Thanks for reporting the issue Josh!

I think it's a problem related to the caching of the MFA session.

Have you tried to update the App to the last version?

@joshghent
Author

@andreacavagna01 yes, just tested with the latest version and it's still an issue. Version 0.23.0

@andreacavagna01
Contributor

Thanks for testing! The problem is clear; it is surely a bug in the caching system. Thanks for the enhancement.
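
One way a client can handle the MFA session expiry discussed in this thread, as an added example that is not Leapp's code and not part of any comment above: a cache for the MFA-backed session token that drops the token once it is stale and prompts for MFA again before the role is assumed. Every name is hypothetical; `mint` and `promptMfa` are stand-ins for the STS call and the UI prompt, and the 2-hour lifetime is a constructed value chosen to match the wait in the reproduction steps.

```typescript
// Added example, not Leapp's code; every name here is hypothetical.
interface SessionToken {
  id: string;          // stands in for the access key / secret / session token triple
  expiresAtMs: number; // expiry reported by the issuer, epoch milliseconds
}

class MfaSessionCache {
  private cached: SessionToken | undefined = undefined;
  private mint: (mfaCode: string) => SessionToken; // stand-in for the STS call
  private promptMfa: () => string;                 // stand-in for the UI prompt
  private now: () => number;                       // injected clock
  private skewMs: number;                          // expire early by this margin

  constructor(mint: (mfaCode: string) => SessionToken, promptMfa: () => string,
              now: () => number, skewMs: number = 60000) {
    this.mint = mint; this.promptMfa = promptMfa; this.now = now; this.skewMs = skewMs;
  }

  // Token to sign the AssumeRole call with; re-prompts once the cached one is stale.
  getToken(): SessionToken {
    const current = this.cached;
    if (current !== undefined && this.now() + this.skewMs < current.expiresAtMs) {
      return current;
    }
    this.cached = undefined; // drop the stale token before anything else can reuse it
    const fresh = this.mint(this.promptMfa());
    this.cached = fresh;
    return fresh;
  }

  // Call when AssumeRole is rejected, so the next attempt prompts again.
  invalidate(): void { this.cached = undefined; }
}

// Constructed scenario: 2-hour tokens, requests at 0 h, 1 h and 2 h.
function runScenario(): { prompts: number; ids: string[] } {
  const HOUR = 3600000;
  let clock = 0;
  let prompts = 0;
  const cache = new MfaSessionCache(
    (code) => ({ id: "token-" + code, expiresAtMs: clock + 2 * HOUR }),
    () => String(++prompts), // constructed MFA codes "1", "2", ...
    () => clock,
  );
  const ids: string[] = [];
  for (const t of [0, HOUR, 2 * HOUR]) { clock = t; ids.push(cache.getToken().id); }
  return { prompts, ids };
}
```

In the scenario the request at 1 h reuses the cached token, while the request at 2 h triggers a second MFA prompt instead of proceeding with stale or MFA-less credentials.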
