Doesn't prompt for MFA

[gavinheavyside]

We have several accounts, which we access by assuming roles from a common 'login' account requiring MFA. ecs-cli doesn't prompt for MFA.

# .aws/config

[profile account2]
role_arn = arn:aws:iam::<account2_id>:role/account2role
mfa_serial = arn:aws:iam::<account1_id>:mfa/user.name
source_profile = account1
output = json

# .aws/credentials

[account1]
aws_access_key_id = access_key_account1
aws_secret_access_key = secret_key_account1

The regular AWS CLI prompts for MFA:

> AWS_PROFILE=account2 aws s3 ls
Enter MFA code:

The ecs-cli doesn't prompt, and returns an error:

> AWS_PROFILE=account2 ecs-cli ps
ERRO[0000] Error executing 'ps AccessDenied: User: arn:aws:iam::<account1_id>:user/path/to/user.name is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<account2_id>:role/account2role with an explicit deny
	status code: 403, request id: <UUID>

[PettitWesley]

@gavinheavyside, thank you for reaching out. I have been able to use the ECS CLI with MFA using the method described in the AWS Knowledge Center: How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI?

The method that you are using to authenticate with MFA does not work for the ECS CLI at this time. Is there a reason why you specifically need to use this method?

[PettitWesley]

Closing this issue due to lack of response; please feel free to re-open.

[bastianb]

I have a case where is it needed:

we have one production account and 2 accounts peered: testenv and dirty.
we use our production account to login, and with sts and cross-account role we are able to switch roles to get into the different accounts.

I have set a testenv profile with my production set of keys and the sts-assume role, which in this case require MFA for security reasons. (using aws-cli not problem, MFA prompt appears and its all fine)

But when I use ecs-cli to deploy something to the testenv account using sts it just fails because it does not ask for the MFA token.

You will understand that using extra tools such as getting temp secret keys and doing some I don't know what kind of magic to let ecs-cli know the temp keys or even create a new set of key on the testenv account is not acceptable.

[PettitWesley]

@bastianb, I've re-opened this issue and labelled it as a feature request.

In the mean time, and for others sake, it is possible to use MFA with the ECS CLI and assume a role for a different account. @gavinheavyside @bastianb, the follow approach should meet your use case- though we fully understand that is is not as convenient as the method that the AWS CLI allows.

How To Use MFA with the ECS CLI to assume a role for another AWS Account:

I have 2 AWS accounts, let's call one the prod account, and one is my dev account. I followed this tutorial to give my dev account limited privileges for the prod account. I also then enabled MFA in the IAM user that I use in my dev account by following this tutorial. Once everything was set up, I did the following to allow myself to make changes to the prod account using the IAM User I have in my dev account:

1. Get Temporary Keys Using MFA

aws --profile wesley-dev sts get-session-token --serial-number <ARN for my MFA Serial>  --token-code <MFA Code>

This returns a set of temporary credentials which can be set as environment variables or in an AWS profile as explained here. In my case, I stored it as an AWS profile named temp-access.

2. Use Temporary Keys to Assume the Role with Access to the prod account

aws --profile temp-access sts assume-role --role-arn arn:aws:iam::11111111111:role/AccessProdResources--role-session-name dev

This will again return a set of temporary keys (see the tutorial link for examples). I then stored these credentials in another AWS profile named assumed-role. However, they could also be stored in environment variables.

3. Use the ECS CLI with the Assumed Role

I then ran ecs-cli configure and specified my AWS Profile assumed-role. Environment variables could also be used of course, since the ECS CLI will look for credentials there first.

4. Automate These Steps

I didn't do this, but all of these steps could be automated in a script. I understand that this method is inconvenient non-ideal; however, I am documenting it for the benefit of users who want to use the ECS CLI and need to use MFA to assume a role for a different account. This method can be used until we implement the method of using MFA to assume a role requested in this issue. The steps to implement that would involve writing code that performs the same API calls as the AWS CLI commands that I listed. As a reminder, we always welcome customer contributions to the ECS CLI! If anyone has an interest in implementing this immediately- that would be lovely :)

[et304383]

While we always have the work-around to assume temporary credentials and export, I feel this isn't the most useful for day to day. It's also dangerous if switching between accounts as one may forget the current account/profile being used and run commands against the wrong infrastructure.

[PettitWesley]

@et304383, I completely agree and understand your point; I just wanted to document the work around as a reference. However:

@et304383 @gavinheavyside @bastianb, I want to apologize, because it turns out we have an example in our code already for using an assumed role. Its here ecs-cli/modules/config/aws_credentials_example.ini.

[assumeRoleWithCreds]
role_arn = assumeRoleWithCredsRoleArn
source_profile = assumeRoleWithCreds
external_id = 1234
role_session_name = assumeRoleWithCredsSessionName
aws_access_key_id = assumeRoleWithCredsAKID
aws_secret_access_key = assumeRoleWithCredsSKID

You'd put this in profile ~/.aws/credentials. I haven't had time to try this out yet, but wanted to make you guys aware of it in case this helps. I'll update again if I find anything when I try it out- if anyone tries it out and finds that it does not work with MFA, then please post to help others :)

Edit: There's a test case for assumed role in config_test.go

[bastianb]

@PettitWesley hello and thanks, but the issue is not to be able to use assumeRoles, but to be prompted for MFA token when a profile has MFA Activated.

[djstein]

hello all those who are currently having trouble with MFA, I made a Python program that will handle among other things, setting up a MFA for CLI development with aws-cli and ecs-cli.

https://github.com/djstein/aws-ac
Please use:

pip install aws-ac
aws-ac mfa <token>
aws-ac mfa <token> --serial <device> # If you do not know your serial it will prompt you & open the webpage to where you can retrieve it

Then to use the MFA session with aws or ecs-cli commands:

aws ... --profile mfa
ecs-cli ... --aws-profile mfa

Hope this helps some woes.
Expecting to have environment variable switching done over the weekend and I will be adding a new feature once #409 is merged.

[et304383]

https://github.com/vancluever/aws-runas is a much better solution to setting temp creds as it prompts for the mfa automatically as needed.

[PettitWesley]

@djstein, @et304383, these tools look awesome. We really appreciate these efforts from the community to make AWS easier to use.

@djstein, I've put up a PR addressing #409 that adds support for aws_session_token in ECS Profiles.

[HengzhiShao]

AWS CLI does support Role with mfa now.
Check out: https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html#cli-roles-mfa

[ux-engineer]

ECS CLI still doesn't prompt for MFA?

Getting an error FATA[0000] Error executing 'up': AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set. and am suspecting this...

[dimisjim]

@PettitWesley

Steps 1+2 can be merged into one by:

aws sts assume-role \
    --role-arn arn:aws:sts::${accountToAssumeRole}:role/${role} \
    --serial-number arn:aws:iam::${baseAccountThatAssumesRole}:mfa/${username} \
    --token-code ${mfa} \
    --role-session-name ecs-cli \

Then AccessKeyId, SecretAccessKey & SessionToken from the output can be used to configure the cli by doing:
ecs-cli configure profile --profile-name ecs-cli --access-key $AccessKeyId --secret-key $SecretAccessKey --session-token $SessionToken as demoed in https://docs.aws.amazon.com/AmazonECS/latest/developerguide/cmd-ecs-cli-configure-profile.html#cmd-ecs-cli-configure-profile-examples

Here's the full script: https://github.com/dimisjim/bash-scripts/blob/master/AWS/ecs-cli-auth.sh

Any idea when this can be integrated natively?

[ux-engineer]

Am using a Python script, which I adapted from this example.

However, I did find out some experts opinion that ECS CLI this tool would not yet be fit for production usage, so went down to the more low-level AWS CLI path and ditched Docker Compose approach for production deployment.

[steinybot]

For anyone who tries this and finds that it still doesn't work then check the order of resolution for credentials. It works really weird or is possibly bugged. If I specify --ecs-profile then it doesn't work if I also have AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN set. Make sure to clear those (or set them to the credentials of your assumed role).

[dfoulkes]

How is this not solved yet? This flow is now common place for most businesses using AWS as a primary IT solution. I appreciate the landscape has moved on abit since this tool came into being however the docker-compose to ECS is still a ideal use case. Is there anything that can be taken from other projects like CDK and their handling through prompts where MFA is enabled ?

[mfonsen]

One great option is to use a third party session management tool Awsume (https://awsu.me/).

Then you can do:
awsume <name of the profile requiring MFA/role switching> --output-profile <name of the temporary profile>
ecs-cli --aws-profile <name of the temporary profile>

Awsume will then write the temporary credentials to ~/.aws/credentials (or respective place) and ECS CLI will find them from there. Please see Awsume documentation for further information.