How to deal with MFA in our auto deployment CI workflow? #713
Comments
Btw, this is the error I am getting when I tried locally (which resembles what the deployer is experiencing and linked above):
So am I correct that our next action here is to understand from @jhamman (and extrapolate this learning to other hubs) that it's not a problem if we do not have MFA on
I was able to reproduce this behavior and determine the
OK that's good news :-) I think it would be a lot more challenging if communities wanted to force MFA for CI/CD haha
Indeed, great news! I have tested it on my side as well and can access (again) the cluster using the awscli.
Btw, it seems others found the same issue: https://stackoverflow.com/questions/28177505/enforce-mfa-for-aws-console-login-but-not-for-api-calls
Btw, checked manual deployment, and it works as expected:
And the automatic deployment worked again as expected: https://github.com/2i2c-org/pilot-hubs/runs/3738348334?check_suite_focus=true
Do we want to keep this one open for the bigger discussion or just close it?
wahoo! @damianavila the main thing I can think of here is to have some short documentation about this somewhere. Maybe in the
Planning to add some stuff in the existing docs PR 😉 : #717
We deal with this for SMCE now, and have a documented process!
Description
Recently, I introduced automatic deployment of hubs in our AWS clusters, #647.
Particularly, some specific work was performed for the Carbonplan cluster (based on AWS EKS instead of kops), #632.
The auto-deployment worked as intended for a few days, i.e.: https://github.com/2i2c-org/pilot-hubs/runs/3533569179?check_suite_focus=true, but it recently failed with an AccessDenied failure, https://github.com/2i2c-org/pilot-hubs/runs/3692933197?check_suite_focus=true.
@jhamman has communicated to us in private messages about 2FA being enabled since last Tuesday, IIRC.
I was expecting 2FA to access the AWS console, as Joe said, but it seems that it is extended to the awscli as well because I cannot get the resources as usual and the deployer cannot deploy as expected.
I have pinged Joe and he confirmed he wanted to enable 2FA for the AWS console, but not the awscli, so there might be some misconfiguration that needs to be addressed.
If Joe really wants to also have 2FA through the awscli, then we have a bigger problem since MFA and CI automation do not usually play well together... (actually, they do not play at all, IMHO).
Value / benefit
Currently, we cannot automatically deploy to the Carbonplan hubs.
In fact, we cannot even access them manually through the awscli without 2FA.
Figuring out this issue will allow us to get back to the previous state where auto-deployment by the CI was working as intended.
Implementation details
No response
Tasks to complete
Updates
No response