feat(cli): MFA support #6510
feat(cli): MFA support #6510
Conversation
nikolauska
changed the title
|
Merged to latest master after there were lot of changes to authentication. Changes required are now much smaller than earlier as I only needed to add the |
|
Seems like the build failed for |
@nikolauska yeah it's unrelated, I'll see if i can trigger a re-run of the build for you |
| } | ||
|
|
||
| if (await fs.pathExists(configFileName())) { | ||
| sources.push(() => new AWS.SharedIniFileCredentials({ profile, filename: credentialsFileName() })); | ||
| sources.push(() => new AWS.SharedIniFileCredentials({ profile, filename: credentialsFileName(), tokenCodeFn })); |
There was a problem hiding this comment.
Oh, this block slipped in accidentally during a refactor of mine.
Mind taking it out? <3
There was a problem hiding this comment.
Sure thing :)
That line looked weird to me, but as it did not seem to cause issue when I was testing it I decided to keep it.
| */ | ||
| async function tokenCodeFn(serial: string, cb: (err?: Error, token?: string) => void): Promise<void> { | ||
| debug('Require MFA token for serial', serial); |
There was a problem hiding this comment.
is this the device serial or the serial ARN?
nikolauska
force-pushed
the
add-mfa-support
branch
from
8f55243 to
2196d8f
Compare
|
Squashed all the commits and added more info to commit body. There is now also one test, but with limited knowledge of bigger code base it was the only one I got working. Also added section to README.md about the MFA support. |
|
@shivlaks Any updates about this? |
|
@nikolauska @vastamaki sorry about the delay, didn't realize this PR was updated. I'll take a look this week. stay tuned! |
nikolauska
force-pushed
the
add-mfa-support
branch
from
2196d8f to
8b63e5a
Compare
nikolauska
force-pushed
the
add-mfa-support
branch
from
8b63e5a to
c244dd2
Compare
| await provider.withAssumedRole('arn:aws:iam::account:role/role', undefined, undefined); | ||
| } catch (e) { | ||
| // Mock token cannot work, but having this error means user was asked for MFA token | ||
| expect(e.message).toEqual('The security token included in the request is invalid.'); |
There was a problem hiding this comment.
I sure hope this test doesn't do any actual calls to STS.
There was a problem hiding this comment.
I don't think it will as it will ask token before calling STS, but I'm not 100% sure about that. If there is better way to test it I will change to use that as I just used that other role test as base and just changed it by adding mfa_serial to it
There was a problem hiding this comment.
I've looked into the aws-sdk source code and according to the load function it will ask for token before continuing with assumeRole call. As my original test did return token it made STS call, but it failed on the next step as it was not a valid token. I've changed my test so that it now throws error so it won't call assumeRole.
Link to the code part in the aws-sdk I mentioned:
https://github.com/aws/aws-sdk-js/blob/75690eb8edb4f90dbcac1e8ad03847262f8cddf4/lib/credentials/shared_ini_file_credentials.js#L233
nikolauska
force-pushed
the
add-mfa-support
branch
from
c244dd2 to
ef171e1
Compare
nikolauska
force-pushed
the
add-mfa-support
branch
from
ef171e1 to
5ea8701
Compare
nikolauska
force-pushed
the
add-mfa-support
branch
from
5ea8701 to
ba2f9bc
Compare
|
Hi @nikolauska , would you have a chance to review and have it merged? Your contribution will help large orgs to adopt CDK, thanks for making it |
nikolauska
force-pushed
the
add-mfa-support
branch
from
ba2f9bc to
9623f07
Compare
nikolauska
force-pushed
the
add-mfa-support
branch
from
9623f07 to
d8755ce
Compare
nikolauska
force-pushed
the
add-mfa-support
branch
from
d8755ce to
494383e
Compare
There was a problem hiding this comment.
- pending verification that unit tests don't make actual calls to STS
@nikolauska I also believe we can remove the yarn.lock changes in this PR as we are no longer adding a new dependency for prompting users
nikolauska
force-pushed
the
add-mfa-support
branch
from
494383e to
80ee3e1
Compare
With this change AWS CDK supports MFA. Specifically it will support mfa_serial field in the profile config by asking user for MFA token for the mfa_serial field ARN. AWS SDK has support for this built in so only change is adding tokenCodeFn function to sharedIniCredentials options. Callback sent to that function is used to return token back to SDK. Inquirer package is used to create interactive prompt for user to type the MFA token.
nikolauska
force-pushed
the
add-mfa-support
branch
from
80ee3e1 to
ad978ea
Compare
|
@shivlaks I've now removed the |
|
This looks great! Hopefully this gets merged soon, thanks for the great work @nikolauska |
|
@shivlaks Any news on getting this merged? |
|
@shivlaks Now that |
good catch, my miss on dropping the label |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
ghost
mentioned this pull request
With these changes AWS CDK now supports
mfa_serialfield so when profile hasmfa_serialset the user is asked for MFA token. If user then adds corrects short lived token they will get access to environment.Example config for assume role with MFA that will be supported after these changes.
These changes currently only have one test as I don't have enough knowledge of the code base to write better tests. Current test only checks that user is asked for token by looking at the error message which should result in invalid token.
Fixes: #1248
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license