Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for MFA #566

Open
ncalteen opened this issue Mar 4, 2019 · 1 comment · May be fixed by #613
Open

Support for MFA #566

ncalteen opened this issue Mar 4, 2019 · 1 comment · May be fixed by #613
Assignees
@dheerajd-msys
Labels
Type: Enhancement Adds new functionality.

Comments

@ncalteen
Copy link

ncalteen commented Mar 4, 2019

Version:

0.9.16

Environment:

OS: macOS 10.14
Ruby: 2.3.0p0
ChefDK: 3.8.14

Scenario:

Due to compliance/regulatory requirements, some organizations enforce the requirement that programmatic access to AWS APIs use Multi-Factor Authentication (MFA). With the AWS Command Line Interface (AWS CLI), users are automatically prompted to provide their MFA token when making API calls. New session credentials are generated by AWS Security Token Service (AWS STS) and cached locally. The user is then prompted again when the credentials have expired. Currently, knife-ec2 does not "bubble up" this token request, instead failing with the following (having specified knife[:aws_config_file] and knife[:aws_profile] in knife.rb).

$ knife ec2 server create -r 'role[testrole]' -I ami-0080e4c5bc078760e -f t2.micro --ssh-key my_key
ERROR: You did not provide a valid 'AWS Access Key Id' value.
ERROR: You did not provide a valid 'AWS Secret Access Key' value.

Steps to Reproduce:

  1. Create a new AWS Identity and Access Management (AWS IAM) user.
  2. Configure MFA for the user.
  3. Create a role that can be assumed by said user.
  4. Add this user as a new profile in ~/.aws/config.
  5. Add a second profile for the role to be assumed, using the user profile as source_profile.
  6. Update knife.rb to include knife[:aws_config_file] and knife[:aws_profile].
  7. Specify the role profile as knife[:aws_profile] (not the user profile).
  8. Attempt to run a command such as knife ec2 create.

The AWS credentials configuration file should information similar to the following:

[profile mfauser]
region=us-east-1
aws_access_key_id=AKIAEXAMPLE1234
aws_secret_access_key=EXAMPLESECRETKEY12345
output=json

[profile adminrole]
source_profile=mfauser
role_arn=arn:aws:iam::123456789012:role/adminrole
output=json
mfa_serial=arn:aws:iam::123456789012:mfa/mfauser

Expected Result:

On the final step, the user should be prompted for their MFA token. This is in line with the result of running a similar AWS CLI command.

$ aws ec2 describe-instances --profile roleprofile
Enter MFA code for arn:aws:iam::123456789012:mfa/mfauser:

Actual Result:

See below output:

$ knife ec2 server create -r 'role[testrole]' -I ami-0080e4c5bc078760e -f t2.micro --ssh-key my_key
ERROR: You did not provide a valid 'AWS Access Key Id' value.
ERROR: You did not provide a valid 'AWS Secret Access Key' value.
@ncalteen
Copy link
Author

ncalteen commented Mar 4, 2019

Current workaround:

  1. Create new session credentials by running aws sts get-session-token.

    aws sts get-session-token \
--serial-number MFA_DEVICE_ARN \
--token-code MFA_DEVICE_TOKEN \
--profile mfauser

  2. Update knife.rb. Use the output values from the above command.

    • Remove knife[:aws_config_file] and knife[:aws_profile].
    • Add knife[:aws_access_key_id], knife[:aws_secret_access_key], and knife[:aws_session_token].

  3. Any time credentials expire, repeat above steps.

@tas50 tas50 added the Type: Enhancement Adds new functionality. label Aug 26, 2019
@dheerajd-msys dheerajd-msys self-assigned this Oct 17, 2019
@dheerajd-msys dheerajd-msys linked a pull request Oct 29, 2019 that will close this issue
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dheerajd-msys dheerajd-msys

Labels
Type: Enhancement Adds new functionality.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[WIP]Add support for mfa enabled IAM user MsysTechnologiesllc/knife-ec2
3 participants
@tas50 @ncalteen @dheerajd-msys