Add support for MFA when assuming a role #991
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Feedback from aws#990, this adds support for MFA when assuming a role. To enable this, in addition to role_arn and source_profile, you can specify an mfa_serial option in your config file:: [profile foo] role_arn = ... source_profile = development mfa_serial = ..... This is the the mfa arn/device id. If an mfa_serial is provided then a user will be prompted for the token code when the AssumeRole call happens. As mentioned in the original PR, for now when the temporary credentials expire, an exception will be raised if MFA is required. We can look into updating this in the future to support reprompting the user. This only affects the case where the credentials expire within the duration of the AWS CLI process. Aside from some of the ``aws s3 cp/sync`` commands, the AWS CLI is generally a short lived process so this won't affect the common usage scenarios.
|
Looks good as well. 🚢 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Feedback from #990, this adds support for MFA when assuming a role.
To enable this, in addition to role_arn and source_profile, you can
specify an mfa_serial option in your config file::
This is the the mfa arn/device id. If an mfa_serial is
provided then a user will be prompted for the token code when
the AssumeRole call happens.
As mentioned in the original PR, for now when the temporary
credentials expire, an exception will be raised if MFA is
required. We can look into updating this in the future to support
reprompting the user. This only affects the case where the
credentials expire within the duration of the AWS CLI process.
Aside from some of the
aws s3 cp/synccommands, the AWS CLIis generally a short lived process so this won't affect the
common usage scenarios.
cc @kyleknap @danielgtaylor
cc @garnaat @ehammond