Support assuming an AWS role with MFA #226

Closed
ProTip opened this issue Jul 29, 2016 · 48 comments
Labels
area/documentation area/security good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.
Comments

@ProTip

ProTip commented Jul 29, 2016

We are moving/have moved entirely toward requiring MFA to assume admin-like roles on our AWS accounts. This ensures access keys can't go missing that would allow programmable access to widely destructive actions.

It would be great if kops could support authenticating to AWS with an OTP before assuming a role via STS. Currently we have a bash wrapper that provides this for use with terraform and kops; aws-cli supports this natively.

@chrislovecnm
Contributor

@ProTip always happy to have you guys help us implement this. Kind of an interesting idea.

@starkers

I think this is very important for enterprise adoption of kops (FWIW).

Boto3 supports it as does terraform but I've just heard from a friend at another company who just hit this limitation (I hadn't got here yet) so suggest a bit of love goes into addressing this.

On phone at the moment but happy to provide some examples later

@chrislovecnm chrislovecnm modified the milestones: backlog, 1.4.3 Oct 31, 2016
@chrislovecnm
Contributor

@starkers if you are able to assist with a PR, we would love to see this in. We are currently prioritizing work on security for 1.5 and 1.6 releases, and security is a big chunk of the work

@zmerlynn
Member

zmerlynn commented Feb 8, 2017

I spent a little while looking at this. I assume your bash wrapper is just calling aws sts assume-role and using the temp creds for that? That seems to work just fine (I don't have MFA enabled, but the command obviously supports it).

As guessed in #1723, this is a limitation of the Go AWS SDK: https://docs.aws.amazon.com/sdk-for-go/api/aws/session/:

> The SDK does not support assuming a role with MFA token Via the Session's constructor. You can use the stscreds.AssumeRoleProvider credentials provider to specify custom configuration and support for MFA.

This would need a minor PR to accept a role ARN and MFA token, so we know to use the other interface.

Note that for the non-MFA AssumeRole case, kops already works as long as you specify AWS_SDK_LOAD_CONFIG=1.

@ahawkins
Contributor

ahawkins commented Feb 9, 2017

> I spent a little while looking at this. I assume your bash wrapper is just calling aws sts assume-role and using the temp creds for that? That seems to work just fine (I don't have MFA enabled, but the command obviously supports it).

This was our idea as well.

The problem is the SDK does not auto-prompt for MFA code on stdin, so you have to collect it yourself and pass it into the SDK objects.

@ahawkins
Contributor

ahawkins commented Feb 9, 2017

@justinsb I can contribute a wrapper script for this we're using internally. Where should it go though?

@ahawkins
Contributor

I've got this. Set the KOPS_MFA_ROLE_ARN, and KOPS_MFA_ARN, then run: kops-mfa [kops command] and off you go. Anyone can customize this as they see fit.

#!/usr/bin/env bash

set -euo pipefail

main() {
	local role_arn="${KOPS_MFA_ROLE_ARN:-}"
	local serial_number="${KOPS_MFA_ARN:-}"
	local token_code
	local temporary_credentials

	# Check the local copies: under `set -u` referencing the unset
	# environment variable directly would abort before the message prints.
	if [ -z "${role_arn}" ]; then
		echo "Set the KOPS_MFA_ROLE_ARN environment variable" 1>&2
		return 1
	fi

	if [ -z "${serial_number}" ]; then
		echo "Set the KOPS_MFA_ARN environment variable" 1>&2
		return 1
	fi

	echo -n "Enter MFA Code: "
	read -rs token_code
	echo

	# NOTE: The long-lived keys should not be exported as AWS_ACCESS_KEY_ID
	# or AWS_SECRET_ACCESS_KEY. This will not work. They
	# should be exported as other names which can be used below. This prevents
	# them from incorrectly being picked up from libraries or commands.
	# --output json is forced so the jq parsing below does not depend on the
	# caller's default output format.
	temporary_credentials="$(aws \
		sts assume-role \
		--output json \
		--role-arn="${role_arn}" \
		--serial-number="${serial_number}" \
		--token-code="${token_code}" \
		--role-session-name="kops-access"
	)"

	unset AWS_PROFILE

	export "AWS_ACCESS_KEY_ID=$(echo "${temporary_credentials}" | jq -re '.Credentials.AccessKeyId')"
	export "AWS_SECRET_ACCESS_KEY=$(echo "${temporary_credentials}" | jq -re '.Credentials.SecretAccessKey')"
	export "AWS_SESSION_TOKEN=$(echo "${temporary_credentials}" | jq -re '.Credentials.SessionToken')"

	kops "$@"
}

main "$@"

@justinsb @chrislovecnm @kris-nova how would you like this work-around script added to the docs?

@chrislovecnm
Contributor

Please add to docs!

@blakebarnett

@ahawkins is there a PR for this somewhere? If not please add one! :)

@micahhausler
Member

The AWS SDK now has a StdinTokenProvider that we could use:

sess := session.Must(session.NewSessionWithOptions(session.Options{
    AssumeRoleTokenProvider: stscreds.StdinTokenProvider,
}))
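The two pieces the thread keeps coming back to are (a) collecting the OTP yourself and handing it to the SDK as a token provider, as ahawkins and micahhausler describe, and (b) what the wrapper script does with the STS response. The following Go program is an added example, not kops code and not the AWS SDK: it uses only the standard library and implements a token reader with the same `func() (string, error)` shape as `stscreds.AssumeRoleProvider.TokenProvider`, a parser for the JSON `aws sts assume-role` prints, an expiry check with a safety margin, and the environment a child `kops` process needs. The role ARN, session name and credential values in `sampleOutput` are constructed stand-ins, not real keys.

```go
package main

import (
	"bufio"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"regexp"
	"strings"
	"time"
)

// Credentials mirrors the "Credentials" object in `aws sts assume-role`
// JSON output (the same fields the SDK's credentials.Value carries).
type Credentials struct {
	AccessKeyID     string    `json:"AccessKeyId"`
	SecretAccessKey string    `json:"SecretAccessKey"`
	SessionToken    string    `json:"SessionToken"`
	Expiration      time.Time `json:"Expiration"`
}

// assumeRoleOutput is the top-level shape of the STS AssumeRole response.
type assumeRoleOutput struct {
	Credentials Credentials `json:"Credentials"`
}

// totpCode matches a 6-digit virtual-MFA / hardware-token code.
var totpCode = regexp.MustCompile(`^[0-9]{6}$`)

// ReadTokenCode reads one line from r, trims it and rejects anything that is
// not a 6-digit code, so a typo is caught before an STS call is made with it.
// A closure over this function (e.g. over os.Stdin) has the signature the SDK
// expects for a TokenProvider: func() (string, error).
func ReadTokenCode(r io.Reader) (string, error) {
	line, err := bufio.NewReader(r).ReadString('\n')
	if err != nil && !errors.Is(err, io.EOF) {
		return "", err
	}
	code := strings.TrimSpace(line)
	if !totpCode.MatchString(code) {
		return "", fmt.Errorf("MFA code must be 6 digits, got %q", code)
	}
	return code, nil
}

// ParseAssumeRoleOutput decodes the JSON that `aws sts assume-role` prints
// and refuses a response with any credential field missing.
func ParseAssumeRoleOutput(b []byte) (Credentials, error) {
	var out assumeRoleOutput
	if err := json.Unmarshal(b, &out); err != nil {
		return Credentials{}, err
	}
	c := out.Credentials
	if c.AccessKeyID == "" || c.SecretAccessKey == "" || c.SessionToken == "" {
		return Credentials{}, errors.New("assume-role output is missing credential fields")
	}
	return c, nil
}

// Usable reports whether the temporary credentials are still good at now,
// keeping skew of margin so a long kops run does not expire part-way through.
func (c Credentials) Usable(now time.Time, skew time.Duration) bool {
	return now.Add(skew).Before(c.Expiration)
}

// Env returns the three variables a child process (kops) needs. The caller
// must also unset AWS_PROFILE, as the wrapper script does, so the SDK does
// not fall back to the long-lived profile credentials.
func (c Credentials) Env() []string {
	return []string{
		"AWS_ACCESS_KEY_ID=" + c.AccessKeyID,
		"AWS_SECRET_ACCESS_KEY=" + c.SecretAccessKey,
		"AWS_SESSION_TOKEN=" + c.SessionToken,
	}
}

// sampleOutput is a constructed stand-in for real STS output (not real keys).
const sampleOutput = `{"Credentials":{"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY","SessionToken":"FwoGZXIvYXdzEXAMPLETOKEN","Expiration":"2016-07-29T13:00:00Z"},"AssumedRoleUser":{"AssumedRoleId":"AROAEXAMPLE:kops-access","Arn":"arn:aws:sts::123456789012:assumed-role/kops-admin/kops-access"}}`

func main() {
	// Constructed input in place of a terminal read, so this runs offline.
	code, err := ReadTokenCode(strings.NewReader("123456\n"))
	if err != nil {
		fmt.Println("token error:", err)
		return
	}
	creds, err := ParseAssumeRoleOutput([]byte(sampleOutput))
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	now := time.Date(2016, 7, 29, 12, 0, 0, 0, time.UTC)
	fmt.Println("code accepted:", code)
	fmt.Println("usable with 15m margin:", creds.Usable(now, 15*time.Minute))
	fmt.Println(strings.Join(creds.Env(), "\n"))
}
```

In a Go port into kops the `ReadTokenCode` closure would be assigned to the provider's `TokenProvider` (or replaced by `stscreds.StdinTokenProvider`, which reads from the terminal), and `Usable` is what a credential cache should check before re-prompting for a code.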

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Apr 18, 2018
@fejta-bot

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 1, 2020
@ahawkins
Contributor

ahawkins commented Aug 2, 2020 via email

@rifelpet
Member

rifelpet commented Aug 2, 2020

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 2, 2020
@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 31, 2020
@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Nov 30, 2020
@fejta-bot

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@k8s-ci-robot
Contributor

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@cassandracomar
Contributor

/reopen

this prevents assumed roles for kops execution generally without a wrapper script and it's definitely still an issue in 1.19.0-beta.3.

@k8s-ci-robot
Contributor

@cassandracomar: You can't reopen an issue/PR unless you authored it or you are a collaborator.

In response to this:

/reopen

this prevents assumed roles for kops execution generally without a wrapper script and it's definitely still an issue in 1.19.0-beta.3.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@rifelpet rifelpet reopened this Jan 27, 2021
@rifelpet
Member

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Jan 27, 2021
@olemarkus olemarkus removed their assignment Mar 6, 2021
@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 4, 2021
@olemarkus
Member

I believe this should work now. There should also not be any need for export AWS_SDK_LOAD_CONFIG=1

@johngmyers
Member

The need for AWS_SDK_LOAD_CONFIG=1 was removed by #11387.

kOps doesn't configure anything to allow manual prompting for an MFA code.

@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jul 4, 2021
@k8s-triage-robot

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-contributor-experience at kubernetes/community.
/close

@k8s-ci-robot
Contributor

@k8s-triage-robot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-contributor-experience at kubernetes/community.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
