Doesn't prompt for MFA #284
Comments
@gavinheavyside, thank you for reaching out. I have been able to use the ECS CLI with MFA using the method described in the AWS Knowledge Center: How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI? The method that you are using to authenticate with MFA does not work for the ECS CLI at this time. Is there a reason why you specifically need to use this method? |
Closing this issue due to lack of response; please feel free to re-open. |
I have a case where it is needed: we have one production account and 2 accounts peered: testenv and dirty. I have set a testenv profile with my production set of keys and the sts-assume role, which in this case requires MFA for security reasons. (Using aws-cli is not a problem: the MFA prompt appears and it's all fine.) But when I use ecs-cli to deploy something to the testenv account using sts it just fails because it does not ask for the MFA token. You will understand that using extra tools such as getting temp secret keys and doing some I don't know what kind of magic to let ecs-cli know the temp keys, or even creating a new set of keys on the testenv account, is not acceptable. |
@bastianb, I've re-opened this issue and labelled it as a feature request. In the meantime, and for others' sake, it is possible to use MFA with the ECS CLI and assume a role for a different account. @gavinheavyside @bastianb, the following approach should meet your use case, though we fully understand that it is not as convenient as the method that the AWS CLI allows. How To Use MFA with the ECS CLI to assume a role for another AWS Account: I have 2 AWS accounts, let's call one the prod account, and one is my dev account. I followed this tutorial to give my dev account limited privileges for the prod account. I also then enabled MFA in the IAM user that I use in my dev account by following this tutorial. Once everything was set up, I did the following to allow myself to make changes to the prod account using the IAM User I have in my dev account:
This returns a set of temporary credentials which can be set as environment variables or in an AWS profile as explained here. In my case, I stored it as an AWS profile named
This will again return a set of temporary keys (see the tutorial link for examples). I then stored these credentials in another AWS profile named
I then ran
I didn't do this, but all of these steps could be automated in a script. I understand that this method is inconvenient and non-ideal; however, I am documenting it for the benefit of users who want to use the ECS CLI and need to use MFA to assume a role for a different account. This method can be used until we implement the method of using MFA to assume a role requested in this issue. The steps to implement that would involve writing code that performs the same API calls as the AWS CLI commands that I listed. As a reminder, we always welcome customer contributions to the ECS CLI! If anyone has an interest in implementing this immediately, that would be lovely :) |
While we always have the work-around to assume temporary credentials and export, I feel this isn't the most useful for day to day. It's also dangerous if switching between accounts as one may forget the current account/profile being used and run commands against the wrong infrastructure. |
@et304383, I completely agree and understand your point; I just wanted to document the work-around as a reference. However: @et304383 @gavinheavyside @bastianb, I want to apologize, because it turns out we have an example in our code already for using an assumed role. It's here: ecs-cli/modules/config/aws_credentials_example.ini.
You'd put this in profile Edit: There's a test case for assumed role in config_test.go |
@PettitWesley hello and thanks, but the issue is not being able to use assumeRoles, but being prompted for the MFA token when a profile has MFA activated. |
Hello all those who are currently having trouble with MFA, I made a Python program that will handle, among other things, setting up an MFA for CLI development with aws-cli and ecs-cli. https://github.com/djstein/aws-ac
Then to use the MFA session with
Hope this helps some woes. |
https://github.com/vancluever/aws-runas is a much better solution for setting temp creds as it prompts for the MFA automatically as needed. |
AWS CLI does support roles with MFA now. |
ECS CLI still doesn't prompt for MFA? Getting an error |
Steps 1+2 can be merged into one by:
Then AccessKeyId, SecretAccessKey & SessionToken from the output can be used to configure the CLI by doing: Here's the full script: https://github.com/dimisjim/bash-scripts/blob/master/AWS/ecs-cli-auth.sh Any idea when this can be integrated natively? |
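The work-around documented earlier in this thread (session token with MFA, assume role, store a profile for ecs-cli) and the merged single-call variant suggested in the comment above, as an added Python/boto3 example that is not ECS CLI project code or any commenter's script. The role ARN, MFA device serial, profile name and credentials path are placeholders to replace; the functions take the STS client as a parameter so they can be exercised offline with a stand-in.

```python
import configparser
import datetime as dt
from pathlib import Path

def assume_role_with_mfa(sts, role_arn, mfa_serial, token_code, session_name="ecs-cli"):
    """Merge get-session-token + assume-role into one STS call: AssumeRole accepts
    the MFA device serial and current code directly. `sts` is a boto3 STS client."""
    resp = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        SerialNumber=mfa_serial,
        TokenCode=token_code,
        DurationSeconds=3600,
    )
    return resp["Credentials"]

def write_profile(creds_path, profile, creds):
    """Store the temporary keys as a named profile in an AWS credentials file so
    ecs-cli (--aws-profile or AWS_PROFILE) can use them; returns the section written."""
    cfg = configparser.ConfigParser()
    path = Path(creds_path)
    if path.exists():
        cfg.read(path)  # keep other profiles intact
    cfg[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    with path.open("w") as fh:
        cfg.write(fh)
    return dict(cfg[profile])

def remaining_seconds(creds, now=None):
    """Seconds until the temporary credentials expire (<= 0 means re-authenticate)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    return int((creds["Expiration"] - now).total_seconds())

if __name__ == "__main__":
    import getpass
    import boto3  # needed only for a real run, not for the offline functions above
    # Placeholder ARNs and profile name: replace with your own values.
    creds = assume_role_with_mfa(
        boto3.client("sts"),
        "arn:aws:iam::111111111111:role/ecs-deploy",
        "arn:aws:iam::222222222222:mfa/my-user",
        getpass.getpass("MFA code: "),  # the prompt ecs-cli itself lacks
    )
    write_profile(Path.home() / ".aws" / "credentials", "testenv-mfa", creds)
    print("profile testenv-mfa valid for", remaining_seconds(creds), "seconds")
```

Writing to a distinctly named profile (rather than overwriting `default`) also addresses the concern raised above about running commands against the wrong account: ecs-cli only uses the temporary role credentials when that profile is named explicitly.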
I am using a Python script, which I adapted from this example. However, I did find out some experts' opinion that this ECS CLI tool would not yet be fit for production usage, so I went down the more low-level AWS CLI path and ditched the Docker Compose approach for production deployment. |
For anyone who tries this and finds that it still doesn't work then check the order of resolution for credentials. It works really weird or is possibly bugged. If I specify |
How is this not solved yet? This flow is now commonplace for most businesses using AWS as a primary IT solution. I appreciate the landscape has moved on a bit since this tool came into being; however, docker-compose to ECS is still an ideal use case. Is there anything that can be taken from other projects like CDK and their handling through prompts where MFA is enabled? |
One great option is to use a third party session management tool Awsume (https://awsu.me/). Then you can do: Awsume will then write the temporary credentials to ~/.aws/credentials (or respective place) and ECS CLI will find them from there. Please see Awsume documentation for further information. |
We have several accounts, which we access by assuming roles from a common 'login' account requiring MFA. ecs-cli doesn't prompt for MFA.
The regular AWS CLI prompts for MFA:
The ecs-cli doesn't prompt, and returns an error: