Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Doesn't prompt for MFA #284

Open
gavinheavyside opened this issue Jul 26, 2017 · 17 comments
Open

Doesn't prompt for MFA #284

gavinheavyside opened this issue Jul 26, 2017 · 17 comments
Assignees

Comments

@gavinheavyside
Copy link

gavinheavyside commented Jul 26, 2017

We have several accounts, which we access by assuming roles from a common 'login' account requiring MFA. ecs-cli doesn't prompt for MFA.

# .aws/config

[profile account2]
role_arn = arn:aws:iam::<account2_id>:role/account2role
mfa_serial = arn:aws:iam::<account1_id>:mfa/user.name
source_profile = account1
output = json
# .aws/credentials

[account1]
aws_access_key_id = access_key_account1
aws_secret_access_key = secret_key_account1

The regular AWS CLI prompts for MFA:

> AWS_PROFILE=account2 aws s3 ls
Enter MFA code:

The ecs-cli doesn't prompt, and returns an error:

> AWS_PROFILE=account2 ecs-cli ps
ERRO[0000] Error executing 'ps AccessDenied: User: arn:aws:iam::<account1_id>:user/path/to/user.name is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<account2_id>:role/account2role with an explicit deny
	status code: 403, request id: <UUID>
@PettitWesley
Copy link
Contributor

PettitWesley commented Jul 28, 2017

@gavinheavyside, thank you for reaching out. I have been able to use the ECS CLI with MFA using the method described in the AWS Knowledge Center: How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI?

The method that you are using to authenticate with MFA does not work for the ECS CLI at this time. Is there a reason why you specifically need to use this method?

@PettitWesley
Copy link
Contributor

Closing this issue due to lack of response; please feel free to re-open.

@bastianb
Copy link

I have a case where is it needed:

we have one production account and 2 accounts peered: testenv and dirty.
we use our production account to login, and with sts and cross-account role we are able to switch roles to get into the different accounts.

I have set a testenv profile with my production set of keys and the sts-assume role, which in this case require MFA for security reasons. (using aws-cli not problem, MFA prompt appears and its all fine)

But when I use ecs-cli to deploy something to the testenv account using sts it just fails because it does not ask for the MFA token.

You will understand that using extra tools such as getting temp secret keys and doing some I don't know what kind of magic to let ecs-cli know the temp keys or even create a new set of key on the testenv account is not acceptable.

@PettitWesley
Copy link
Contributor

PettitWesley commented Oct 12, 2017

@bastianb, I've re-opened this issue and labelled it as a feature request.

In the mean time, and for others sake, it is possible to use MFA with the ECS CLI and assume a role for a different account. @gavinheavyside @bastianb, the follow approach should meet your use case- though we fully understand that is is not as convenient as the method that the AWS CLI allows.

How To Use MFA with the ECS CLI to assume a role for another AWS Account:

I have 2 AWS accounts, let's call one the prod account, and one is my dev account. I followed this tutorial to give my dev account limited privileges for the prod account. I also then enabled MFA in the IAM user that I use in my dev account by following this tutorial. Once everything was set up, I did the following to allow myself to make changes to the prod account using the IAM User I have in my dev account:

  1. Get Temporary Keys Using MFA
aws --profile wesley-dev sts get-session-token --serial-number <ARN for my MFA Serial>  --token-code <MFA Code>

This returns a set of temporary credentials which can be set as environment variables or in an AWS profile as explained here. In my case, I stored it as an AWS profile named temp-access.

  1. Use Temporary Keys to Assume the Role with Access to the prod account
aws --profile temp-access sts assume-role --role-arn arn:aws:iam::11111111111:role/AccessProdResources--role-session-name dev

This will again return a set of temporary keys (see the tutorial link for examples). I then stored these credentials in another AWS profile named assumed-role. However, they could also be stored in environment variables.

  1. Use the ECS CLI with the Assumed Role

I then ran ecs-cli configure and specified my AWS Profile assumed-role. Environment variables could also be used of course, since the ECS CLI will look for credentials there first.

  1. Automate These Steps

I didn't do this, but all of these steps could be automated in a script. I understand that this method is inconvenient non-ideal; however, I am documenting it for the benefit of users who want to use the ECS CLI and need to use MFA to assume a role for a different account. This method can be used until we implement the method of using MFA to assume a role requested in this issue. The steps to implement that would involve writing code that performs the same API calls as the AWS CLI commands that I listed. As a reminder, we always welcome customer contributions to the ECS CLI! If anyone has an interest in implementing this immediately- that would be lovely :)

@et304383
Copy link

While we always have the work-around to assume temporary credentials and export, I feel this isn't the most useful for day to day. It's also dangerous if switching between accounts as one may forget the current account/profile being used and run commands against the wrong infrastructure.

@PettitWesley
Copy link
Contributor

PettitWesley commented Oct 26, 2017

@et304383, I completely agree and understand your point; I just wanted to document the work around as a reference. However:

@et304383 @gavinheavyside @bastianb, I want to apologize, because it turns out we have an example in our code already for using an assumed role. Its here ecs-cli/modules/config/aws_credentials_example.ini.

[assumeRoleWithCreds]
role_arn = assumeRoleWithCredsRoleArn
source_profile = assumeRoleWithCreds
external_id = 1234
role_session_name = assumeRoleWithCredsSessionName
aws_access_key_id = assumeRoleWithCredsAKID
aws_secret_access_key = assumeRoleWithCredsSKID

You'd put this in profile ~/.aws/credentials. I haven't had time to try this out yet, but wanted to make you guys aware of it in case this helps. I'll update again if I find anything when I try it out- if anyone tries it out and finds that it does not work with MFA, then please post to help others :)

Edit: There's a test case for assumed role in config_test.go

@bastianb
Copy link

bastianb commented Oct 27, 2017

@PettitWesley hello and thanks, but the issue is not to be able to use assumeRoles, but to be prompted for MFA token when a profile has MFA Activated.

@djstein
Copy link

djstein commented Jan 18, 2018

hello all those who are currently having trouble with MFA, I made a Python program that will handle among other things, setting up a MFA for CLI development with aws-cli and ecs-cli.

https://github.com/djstein/aws-ac
Please use:

pip install aws-ac
aws-ac mfa <token>
aws-ac mfa <token> --serial <device> # If you do not know your serial it will prompt you & open the webpage to where you can retrieve it

Then to use the MFA session with aws or ecs-cli commands:

aws ... --profile mfa
ecs-cli ... --aws-profile mfa

Hope this helps some woes.
Expecting to have environment variable switching done over the weekend and I will be adding a new feature once #409 is merged.

@et304383
Copy link

https://github.com/vancluever/aws-runas is a much better solution to setting temp creds as it prompts for the mfa automatically as needed.

@PettitWesley
Copy link
Contributor

@djstein, @et304383, these tools look awesome. We really appreciate these efforts from the community to make AWS easier to use.

@djstein, I've put up a PR addressing #409 that adds support for aws_session_token in ECS Profiles.

@HengzhiShao
Copy link

AWS CLI does support Role with mfa now.
Check out: https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html#cli-roles-mfa

@ux-engineer
Copy link

ux-engineer commented Apr 28, 2019

ECS CLI still doesn't prompt for MFA?

Getting an error FATA[0000] Error executing 'up': AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set. and am suspecting this...

@dimisjim
Copy link

dimisjim commented May 15, 2019

@PettitWesley

Steps 1+2 can be merged into one by:

aws sts assume-role \
    --role-arn arn:aws:sts::${accountToAssumeRole}:role/${role} \
    --serial-number arn:aws:iam::${baseAccountThatAssumesRole}:mfa/${username} \
    --token-code ${mfa} \
    --role-session-name ecs-cli \

Then AccessKeyId, SecretAccessKey & SessionToken from the output can be used to configure the cli by doing:
ecs-cli configure profile --profile-name ecs-cli --access-key $AccessKeyId --secret-key $SecretAccessKey --session-token $SessionToken as demoed in https://docs.aws.amazon.com/AmazonECS/latest/developerguide/cmd-ecs-cli-configure-profile.html#cmd-ecs-cli-configure-profile-examples

Here's the full script: https://github.com/dimisjim/bash-scripts/blob/master/AWS/ecs-cli-auth.sh

Any idea when this can be integrated natively?

@ux-engineer
Copy link

Am using a Python script, which I adapted from this example.

However, I did find out some experts opinion that ECS CLI this tool would not yet be fit for production usage, so went down to the more low-level AWS CLI path and ditched Docker Compose approach for production deployment.

@steinybot
Copy link

steinybot commented Oct 21, 2020

For anyone who tries this and finds that it still doesn't work then check the order of resolution for credentials. It works really weird or is possibly bugged. If I specify --ecs-profile then it doesn't work if I also have AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN set. Make sure to clear those (or set them to the credentials of your assumed role).

@dfoulkes
Copy link

How is this not solved yet? This flow is now common place for most businesses using AWS as a primary IT solution. I appreciate the landscape has moved on abit since this tool came into being however the docker-compose to ECS is still a ideal use case. Is there anything that can be taken from other projects like CDK and their handling through prompts where MFA is enabled ?

@mfonsen
Copy link

mfonsen commented May 3, 2021

One great option is to use a third party session management tool Awsume (https://awsu.me/).

Then you can do:
awsume <name of the profile requiring MFA/role switching> --output-profile <name of the temporary profile>
ecs-cli --aws-profile <name of the temporary profile>

Awsume will then write the temporary credentials to ~/.aws/credentials (or respective place) and ECS CLI will find them from there. Please see Awsume documentation for further information.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests