Correspond to AssumeRole and MFA #21

Merged
merged 4 commits into from
Aug 2, 2019
@goldeneggg (Owner) commented Jul 9, 2019

Problem

lsec2 has not supported AssumeRole and MFA.

Goal

Usage is as follows. (See: Using an IAM Role in the AWS CLI - AWS Command Line Interface)

# set source profile and role profile into ~/.aws/config (use MFA)
[profile abc]
region=ap-northeast-1

[profile abc-role1]
region=ap-northeast-1
source_profile=abc
role_arn=arn:aws:iam::123456789012:role/HogeRole
mfa_serial=arn:aws:iam::987654321098:mfa/your.name

# set credentials of source profile into ~/.aws/credentials
[abc]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY

# Run lsec2 with `--profile ROLE_PROFILE_NAME` option
$ lsec2 --profile abc-role1 -H 
Assume Role MFA token code: [INPUT YOUR_MFA_TOKEN]

INSTANCE_ID     PRIVATE_IP      PUBLIC_IP       TYPE    STATE   TAGS
i-xxxxxxxxxx    172.456.789.000    UNDEFINED       t2.micro        stopped Name=sss
i-yyyyyyyyyy    172.456.789.000    10.11.12.13      t3.micro        running Name=ttt

Should we set AWS_SDK_LOAD_CONFIG env value?

No. We don't need to set AWS_SDK_LOAD_CONFIG env value.

What do I NOT do in this PR?

I still don't support MFA caching.

This feature has been discussed on aws/aws-sdk-go#1329, aws/aws-sdk-go#2375, kubernetes-sigs/aws-iam-authenticator#193 and others.

Workaround before merging this PR

  1. Generate session token (using AWS STS)
  2. Export envs with generated tokens
  3. Run lsec2

$ aws sts assume-role --role-arn arn:aws:iam::YOURROLEID:role/YOURROLE --role-session-name RoleSession1 --serial-number arn:aws:iam::YOURUSERID:mfa/YOURACCOUNT --token-code MFA_DIGITS --profile YOURPROFILE

{
    "Credentials": {
        "AccessKeyId": "TMP_KEYID",
        "SecretAccessKey": "TMP_ACCESSKEY",
        "SessionToken": "TMP_SESSIONTOKEN",
        "Expiration": "2019-07-09T09:13:29Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "ROLEID:hoge",
        "Arn": "arn:aws:sts::222222222222:assumed-role/ROLENAME/hoge"
    }
}

$ export AWS_ACCESS_KEY_ID=TMP_KEYID
$ export AWS_SECRET_ACCESS_KEY=TMP_ACCESSKEY
$ export AWS_SESSION_TOKEN=TMP_SESSIONTOKEN

# Check your settings
$ lsec2
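
The workaround above, sketched as an added example that is not part of this pull request or of lsec2's code: it parses the `aws sts assume-role` JSON, rejects incomplete or expired credentials, and returns the three `AWS_*` variables for a child process instead of exporting them into the shell. The names `credentialEnv`, `assumeRoleOutput` and `sampleOutput` are hypothetical, and the input is constructed from the placeholder values shown in the comment.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// assumeRoleOutput holds the fields of the `aws sts assume-role` JSON used here.
type assumeRoleOutput struct {
	Credentials struct {
		AccessKeyId, SecretAccessKey, SessionToken string
		Expiration                                 time.Time
	}
}

// sampleOutput is constructed input reusing the placeholder values shown above.
const sampleOutput = `{"Credentials": {"AccessKeyId": "TMP_KEYID",
  "SecretAccessKey": "TMP_ACCESSKEY", "SessionToken": "TMP_SESSIONTOKEN",
  "Expiration": "2019-07-09T09:13:29Z"}}`

// credentialEnv (hypothetical helper) turns assume-role JSON into the three
// AWS_* variables, rejecting incomplete or already expired credentials.
func credentialEnv(raw []byte, now time.Time) ([]string, error) {
	var out assumeRoleOutput
	if err := json.Unmarshal(raw, &out); err != nil {
		return nil, fmt.Errorf("parse assume-role output: %w", err)
	}
	c := out.Credentials
	if c.AccessKeyId == "" || c.SecretAccessKey == "" || c.SessionToken == "" {
		return nil, errors.New("incomplete credentials in assume-role output")
	}
	if !now.Before(c.Expiration) {
		return nil, fmt.Errorf("credentials expired at %s", c.Expiration.Format(time.RFC3339))
	}
	return []string{
		"AWS_ACCESS_KEY_ID=" + c.AccessKeyId,
		"AWS_SECRET_ACCESS_KEY=" + c.SecretAccessKey,
		"AWS_SESSION_TOKEN=" + c.SessionToken,
	}, nil
}

func main() {
	// Append the result to exec.Cmd.Env so only the lsec2 child process sees the keys.
	env, err := credentialEnv([]byte(sampleOutput), time.Date(2019, 7, 9, 9, 0, 0, 0, time.UTC))
	fmt.Println(len(env), "variables prepared, error:", err)
}
```

Scoping the temporary keys to one child process keeps them out of the interactive shell's environment, where they would otherwise remain until they expire or are unset.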

codecov bot commented Jul 9, 2019

Codecov Report

Merging #21 into master will increase coverage by 0.24%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master      #21      +/-   ##
==========================================
+ Coverage   87.67%   87.91%   +0.24%     
==========================================
  Files           3        3              
  Lines         146      149       +3     
==========================================
+ Hits          128      131       +3     
  Misses         11       11              
  Partials        7        7

@goldeneggg changed the title from "WIP: correspond to Multi-Factor-Authentication" to "Correspond to Multi-Factor-Authentication" Aug 2, 2019
@goldeneggg changed the title from "Correspond to Multi-Factor-Authentication" to "Correspond to AssumeRole and MFA" Aug 2, 2019
@goldeneggg goldeneggg merged commit a6d2e12 into master Aug 2, 2019
@goldeneggg goldeneggg deleted the mfa branch August 2, 2019 11:14