Skip to content
This repository was archived by the owner on Jul 31, 2025. It is now read-only.

aws/session: Add support for AssumeRoles with MFA #1088

Merged
merged 10 commits into from
Feb 22, 2017
Merged

aws/session: Add support for AssumeRoles with MFA #1088

merged 10 commits into from
Feb 22, 2017

Conversation

jasdel
Copy link
Contributor

@jasdel jasdel commented Feb 18, 2017
edited
Loading

Adds support for assuming IAM roles with MFA enabled. A TokenProvider
func was added tostscreds.AssumeRoleProvider that will be called each
time the role's credentials need to be refreshed. A basic token provider
that sources the MFA token from stdin as stscreds.StdinTokenProvider.

This change also adds a new session option, AssumeRoleTokenProvider.
The value of this field will be passed to the stscreds.AssumeRoleProvider
if the shared configuration is enabled and the config (~/.aws/config) or
credentials files (~/.aws/credentials) specify a role to assume
with MFA.

In order for the SDK to assume a role with MFA the SharedConfigState
session option must be set to SharedConfigEnable, or AWS_SDK_LOAD_CONFIG
environment variable set.

Creating an AssumeRoleProvider with MFA:

// Initial credentials loaded from SDK's default credential chain. Such as
// the environment, shared credentials (~/.aws/credentials), or EC2 Instance
// Role. These credentials will be used to to make the STS Assume Role API.
sess := session.Must(session.NewSession())

// Create the credentials from AssumeRoleProvider to assume the role
// referenced by the "myRoleARN" ARN. Prompting for MFA token from stdin.
creds := stscreds.NewCredentials(sess, "myRoleARN", func(p *stscreds.AssumeRoleProvider) {
    p.SerialNumber = aws.String("myTokenSerialNumberOrARN")
    p.TokenProvider = stscreds.StdinTokenProvider
})

// Create service client value configured for credentials
// from assumed role.
svc := s3.New(sess, &aws.Config{Credentials: creds})

Creating a Session with shared config enabled to assume a role with MFA:

sess := session.Must(session.NewSessionWithOptions(session.Options{
    AssumeRoleTokenProvider: stscreds.StdinTokenProvider,
    SharedConfigState:       session.SharedConfigEnable,
}))

// Create service client value configured for credentials
// from assumed role.
svc := s3.New(sess)

Fix #842
Related To hashicorp/terraform#9349

@jasdel jasdel requested a review from xibz February 18, 2017 01:16
This was referenced Feb 18, 2017
Closed
Closed
xibz
xibz suggested changes Feb 18, 2017
View reviewed changes
aws/session/session.go
@@ -73,7 +73,7 @@ func New(cfgs ...*aws.Config) *Session {
return s
}

return oldNewSession(cfgs...)
return deprecatedNewSession(cfgs...)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1, way better name

aws/session/session.go Outdated
//
// This field is only used if the shared config enables assume role with
// MFA support.
AssumeRoleTokenProvider func() (string, error)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason why this isn't an interface but a function pointer?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The switch here was focused on simplicity. Since an isolated piece of logic was being provided an function pointer was simpler and provided the same functionality.

@jasdel jasdel force-pushed the feature/AddMFASupport branch from 2000a7d to e136293 Compare February 20, 2017 18:51
@jasdel
Copy link
Contributor Author

jasdel commented Feb 20, 2017

Added more detailed docs and verified with the stdin token provider is able to assume roles that require MFA.

@jasdel jasdel force-pushed the feature/AddMFASupport branch from a3d89fd to 5409a97 Compare February 20, 2017 21:20
@jasdel
aws/credentials,aws/session: Add support for AssumeRoles with MFA
6b0696b 
Adds support for assuming IAM roles with MFA enabled. A TokenProvider
func was added to stscreds.AssumeRoleProvider that will be called each
time the role's credentials need to be refreshed. A basic
token provider that sources the MFA token from stdin as
stscreds.StdinTokenProvider.

In addition when creating a session a new session option was added,
AssumeRoleTokenProvider. The value of this field will be passed to the
stscreds.AssumeRoleProvider if the shared config enables assume role
with MFA, and the SDK will be assuming the role. This allows you to
configure the SDK via the shared config to assume a role with MFA
tokens.

Note to use the SDK with the shared config and assume role the
SharedConfigState session option must be SharedConfigEnable, or the
AWS_SDK_LOAD_CONFIG environment variable set.

Assume role with MFA is enabled via the shared config when the
serial_number field is set.

Creating an AssumeRoleProvider with MFA

    // Initial credentials loaded from SDK's default credential chain. Such as
    // the environment, shared credentials (~/.aws/credentials), or EC2 Instance
    // Role. These credentials will be used to to make the STS Assume Role API.
    sess := session.Must(session.NewSession())

    // Create the credentials from AssumeRoleProvider to assume the role
    // referenced by the "myRoleARN" ARN. Prompting for MFA token from stdin.
    creds := stscreds.NewCredentials(sess, "myRoleArn", func(p *stscreds.AssumeRoleProvider) {
	p.SerialNumber = aws.String("myTokenSerialNumber")
	p.TokenProvider = stscreds.StdinTokenProvider
    })

    // Create service client value configured for credentials
    // from assumed role.
    svc := s3.New(sess, &aws.Config{Credentials: creds})

Creating a Session with shared config enabled to assume a role with MFA

    sess := session.Must(session.NewSessionWithOptions(session.Options{
	AssumeRoleTokenProvider: stscreds.StdinTokenProvider,
	SharedConfigState:       session.SharedConfigEnable,
    }))

    // Create service client value configured for credentials
    // from assumed role.
    svc := s3.New(sess)

Fix # 842
@jasdel
Add error handling if neither TokenCode nor TokenProvider are set
ad55835
@jasdel
correct error message format
c428f04
@jasdel
add docs and examples
390ddb3
@jasdel
fixup misspellings
ce87d7a
@jasdel
add session docs
bc9d7a6
@jasdel
Update assume_role_provider.go
cffa878
@jasdel
update sessions doc.go
e5df71c
@jasdel
Update session.go
8f52800
@jasdel jasdel force-pushed the feature/AddMFASupport branch from 58cb169 to 8f52800 Compare February 22, 2017 21:56
@jasdel jasdel merged commit 9350193 into aws:master Feb 22, 2017
@jasdel jasdel deleted the feature/AddMFASupport branch February 22, 2017 22:41
@jasdel jasdel mentioned this pull request Feb 23, 2017
Merged
@awstools awstools mentioned this pull request Feb 23, 2017
Merged
@fxaguessy fxaguessy mentioned this pull request Jun 9, 2017
Closed
@tamsky tamsky mentioned this pull request Nov 29, 2017
Open
skotambkar pushed a commit to skotambkar/aws-sdk-go that referenced this pull request May 20, 2021
@skmcgrail
Update Change Metadata for Pending Release (aws#1088)
7a1cad3
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
1 more reviewer

@xibz xibz xibz approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jasdel @xibz