feat(cli): MFA support (#6510)

nikolauska · web-flow · commit 611c48d13431 · 2020-08-17T14:42:55.000Z
With these changes AWS CDK now supports `mfa_serial` field so when profile has `mfa_serial` set the user is asked for MFA token. If user then adds corrects short lived token they will get access to environment. Example config for assume role with MFA that will be supported after these changes. ``` [profile mfa] region=eu-west-1 [profile mfa-role] source_profile=mfa role_arn=arn:aws:iam::account:role/role mfa_serial=arn:aws:iam::account:mfa/user ``` These changes currently only have one test as I don't have enough knowledge of the code base to write better tests. Current test only checks that user is asked for token by looking at the error message which should result in invalid token. Fixes: #1248 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk/README.md b/packages/aws-cdk/README.md
@@ -266,6 +266,19 @@ $ cdk doctor
   - AWS_SDK_LOAD_CONFIG = 1
 ```
 
+### MFA support
+
+If `mfa_serial` is found in the active profile of the shared ini file AWS CDK
+will ask for token defined in the `mfa_serial`. This token will be provided to STS assume role call.
+
+Example profile in `~/.aws/config` where `mfa_serial` is used to assume role:
+```ini
+[profile my_assume_role_profile]
+source_profile=my_source_role
+role_arn=arn:aws:iam::123456789123:role/role_to_be_assumed
+mfa_serial=arn:aws:iam::123456789123:mfa/my_user
+```
+
 ### Configuration
 On top of passing configuration through command-line arguments, it is possible to use JSON configuration files. The
 configuration's order of precedence is:
diff --git a/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts b/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts
@@ -4,6 +4,7 @@ import * as path from 'path';
 import * as util from 'util';
 import * as AWS from 'aws-sdk';
 import * as fs from 'fs-extra';
+import * as promptly from 'promptly';
 import { debug } from '../../logging';
 import { SharedIniFile } from './sdk_ini_file';
 
@@ -45,11 +46,11 @@ export class AwsCliCompatible {
     ];
 
     if (await fs.pathExists(credentialsFileName())) {
-      sources.push(() => new AWS.SharedIniFileCredentials({ profile, filename: credentialsFileName(), httpOptions }));
+      sources.push(() => new AWS.SharedIniFileCredentials({ profile, filename: credentialsFileName(), httpOptions, tokenCodeFn }));
     }
 
     if (await fs.pathExists(configFileName())) {
-      sources.push(() => new AWS.SharedIniFileCredentials({ profile, filename: credentialsFileName(), httpOptions }));
+      sources.push(() => new AWS.SharedIniFileCredentials({ profile, filename: credentialsFileName(), httpOptions, tokenCodeFn }));
     }
 
     if (containerCreds ?? hasEcsCredentials()) {
@@ -200,4 +201,24 @@ function readIfPossible(filename: string): string | undefined {
     debug(e);
     return undefined;
   }
-}
+}
+
+/**
+ * Ask user for MFA token for given serial
+ *
+ * Result is send to callback function for SDK to authorize the request
+ */
+async function tokenCodeFn(serialArn: string, cb: (err?: Error, token?: string) => void): Promise<void> {
+  debug('Require MFA token for serial ARN', serialArn);
+  try {
+    const token: string = await promptly.prompt(`MFA token for ${serialArn}: `, {
+      trim: true,
+      default: '',
+    });
+    debug('Successfully got MFA token from user');
+    cb(undefined, token);
+  } catch (err) {
+    debug('Failed to get MFA token', err);
+    cb(err);
+  }
+}
diff --git a/packages/aws-cdk/test/api/sdk-provider.test.ts b/packages/aws-cdk/test/api/sdk-provider.test.ts
@@ -8,6 +8,11 @@ import { ISDK, Mode, SdkProvider } from '../../lib/api/aws-auth';
 import * as logging from '../../lib/logging';
 import * as bockfs from '../bockfs';
 
+// Mock promptly prompt to test MFA support
+jest.mock('promptly', () => ({
+  prompt: jest.fn().mockRejectedValue(new Error('test')),
+}));
+
 SDKMock.setSDKInstance(AWS);
 
 type AwsCallback<T> = (err: Error | null, val: T) => void;
@@ -40,6 +45,10 @@ beforeEach(() => {
       [assumer]
       aws_access_key_id=${uid}assumer
       aws_secret_access_key=secret
+
+      [mfa]
+      aws_access_key_id=${uid}mfaccess
+      aws_secret_access_key=secret
     `),
     '/home/me/.bxt/config': dedent(`
       [default]
@@ -59,6 +68,14 @@ beforeEach(() => {
 
       [profile assumer]
       region=us-east-2
+
+      [profile mfa]
+      region=eu-west-1
+
+      [profile mfa-role]
+      source_profile=mfa
+      role_arn=arn:aws:iam::account:role/role
+      mfa_serial=arn:aws:iam::account:mfa/user
     `),
   });
 
@@ -150,6 +167,19 @@ describe('CLI compatible credentials loading', () => {
     expect(sdkConfig(sdk).credentials!.accessKeyId).toEqual(`${uid}booccess`);
   });
 
+  test('mfa_serial in profile will ask user for token', async () => {
+    // WHEN
+    const provider = await SdkProvider.withAwsCliCompatibleDefaults({ ...defaultCredOptions, profile: 'mfa-role' });
+
+    // THEN
+    try {
+      await provider.withAssumedRole('arn:aws:iam::account:role/role', undefined, undefined);
+    } catch (e) {
+      // Mock response was set to fail with message test to make sure we don't call STS
+      expect(e.message).toEqual('Error fetching MFA token: test');
+    }
+  });
+
   test('different account throws', async () => {
     const provider = await SdkProvider.withAwsCliCompatibleDefaults({ ...defaultCredOptions, profile: 'boo' });
 
