Doesn't prompt for MFA

[gavinheavyside]

We have several accounts, which we access by assuming roles from a common 'login' account requiring MFA. ecs-cli doesn't prompt for MFA.

# .aws/config

[profile account2]
role_arn = arn:aws:iam::<account2_id>:role/account2role
mfa_serial = arn:aws:iam::<account1_id>:mfa/user.name
source_profile = account1
output = json

# .aws/credentials

[account1]
aws_access_key_id = access_key_account1
aws_secret_access_key = secret_key_account1

The regular AWS CLI prompts for MFA:

> AWS_PROFILE=account2 aws s3 ls
Enter MFA code:

The ecs-cli doesn't prompt, and returns an error:

> AWS_PROFILE=account2 ecs-cli ps
ERRO[0000] Error executing 'ps AccessDenied: User: arn:aws:iam::<account1_id>:user/path/to/user.name is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<account2_id>:role/account2role with an explicit deny
	status code: 403, request id: <UUID>

[PettitWesley]

@gavinheavyside, thank you for reaching out. I have been able to use the ECS CLI with MFA using the method described in the AWS Knowledge Center: How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI?

The method that you are using to authenticate with MFA does not work for the ECS CLI at this time. Is there a reason why you specifically need to use this method?

[PettitWesley]

Closing this issue due to lack of response; please feel free to re-open.

[bastianb]

I have a case where is it needed:

we have one production account and 2 accounts peered: testenv and dirty.
we use our production account to login, and with sts and cross-account role we are able to switch roles to get into the different accounts.

I have set a testenv profile with my production set of keys and the sts-assume role, which in this case require MFA for security reasons. (using aws-cli not problem, MFA prompt appears and its all fine)

But when I use ecs-cli to deploy something to the testenv account using sts it just fails because it does not ask for the MFA token.

You will understand that using extra tools such as getting temp secret keys and doing some I don't know what kind of magic to let ecs-cli know the temp keys or even create a new set of key on the testenv account is not acceptable.

[PettitWesley]

@bastianb, I've re-opened this issue and labelled it as a feature request.

In the mean time, and for others sake, it is possible to use MFA with the ECS CLI and assume a role for a different account. @gavinheavyside @bastianb, the follow approach should meet your use case- though we fully understand that is is not as convenient as the method that the AWS CLI allows.

How To Use MFA with the ECS CLI to assume a role for another AWS Account:

I have 2 AWS accounts, let's call one the prod account, and one is my dev account. I followed this tutorial to give my dev account limited privileges for the prod account. I also then enabled MFA in the IAM user that I use in my dev account by following this tutorial. Once everything was set up, I did the following to allow myself to make changes to the prod account using the IAM User I have in my dev account:

1. Get Temporary Keys Using MFA

aws --profile wesley-dev sts get-session-token --serial-number <ARN for my MFA Serial>  --token-code <MFA Code>

This returns a set of temporary credentials which can be set as environment variables or in an AWS profile as explained here. In my case, I stored it as an AWS profile named temp-access.

2. Use Temporary Keys to Assume the Role with Access to the prod account

aws --profile temp-access sts assume-role --role-arn arn:aws:iam::11111111111:role/AccessProdResources--role-session-name dev

This will again return a set of temporary keys (see the tutorial link for examples). I then stored these credentials in another AWS profile named assumed-role. However, they could also be stored in environment variables.

3. Use the ECS CLI with the Assumed Role

I then ran ecs-cli configure and specified my AWS Profile assumed-role. Environment variables could also be used of course, since the ECS CLI will look for credentials there first.

4. Automate These Steps

I didn't do this, but all of these steps could be automated in a script. I understand that this method is inconvenient non-ideal; however, I am documenting it for the benefit of users who want to use the ECS CLI and need to use MFA to assume a role for a different account. This method can be used until we implement the method of using MFA to assume a role requested in this issue. The steps to implement that would involve writing code that performs the same API calls as the AWS CLI commands that I listed. As a reminder, we always welcome customer contributions to the ECS CLI! If anyone has an interest in implementing this immediately- that would be lovely :)

[et304383]

While we always have the work-around to assume temporary credentials and export, I feel this isn't the most useful for day to day. It's also dangerous if switching between accounts as one may forget the current account/profile being used and run commands against the wrong infrastructure.