MFA serial in credentials is being ignored

When I define mfa_serial in the source_profile or in the credentials file, AWS Toolkit would not ask me for an MFA token, which causes an “access denied” error.

Here is a config that works because I defined mfa_serial directly in the profile:

~/.aws/config:

[default]
region = eu-central-1

[profile foo]
role_arn = arn:aws:iam::***:role/AdminRole
mfa_serial = arn:aws:iam::***:mfa/foo
source_profile = default

~/.aws/credentials:

[default]
aws_access_key_id = asdf
aws_secret_access_key = asdf

Here is a config that does not work because I defined mfa_serial in the source_profile:

~/.aws/config:

[default]
region = eu-central-1
mfa_serial = arn:aws:iam::***:mfa/foo

[profile foo]
role_arn = arn:aws:iam::***:role/AdminRole
source_profile = default

~/.aws/credentials:

[default]
aws_access_key_id = asdf
aws_secret_access_key = asdf

Here is a config that does not work because I defined mfa_serial in the credentials file:

~/.aws/config:

[default]
region = eu-central-1

[profile foo]
role_arn = arn:aws:iam::***:role/AdminRole
source_profile = default

~/.aws/credentials:

[default]
aws_access_key_id = asdf
aws_secret_access_key = asdf
role_arn = arn:aws:iam::***:role/AdminRole

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 11 (7 by maintainers)

Top GitHub Comments

1 reaction
justinmk3 commented, Jun 1, 2021

We have not yet merged the fix, so would like to keep this open.

1 reaction
JadenSimon commented, Jun 2, 2021

@odbaeu We currently have a PR #1766 that should resolve this issue. MFA serials are now lifted out of source profiles into the child profile for role assumption. I tested one of your non-working configurations and it works correctly for me.

To confirm the fix works for all your potential use cases, it would be helpful if you can try out the pre-release build:

  1. Download and extract buildArtifacts.zip
  2. From the VSCode command list (ctrl-shift-p or cmd-shift-p) run Extensions: Install from VSIX… to install the *.vsix file.
  3. Reload VSCode and verify that the Toolkit has version 1.26 (not the release version 1.25).
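
The following Python audit is an added example, not code from the issue or from AWS Toolkit: it walks each role profile's source_profile chain and reports whether its mfa_serial is set directly or only inherited, which is the case the fix described in the comment above addresses. The function names, the sample input, and the rule that credentials-file keys override config-file keys for the same profile are assumptions.

```python
import configparser

def load_profiles(config_text, credentials_text):
    """Merge the text of ~/.aws/config and ~/.aws/credentials into {profile: {key: value}}."""
    profiles = {}
    for text, is_config in ((config_text, True), (credentials_text, False)):
        parser = configparser.RawConfigParser(delimiters=("=",), default_section="__unused__")
        parser.read_string(text)
        for section in parser.sections():
            name = section
            if is_config and section.startswith("profile "):  # config file: "[profile foo]"
                name = section[len("profile "):].strip()
            # Assumption: for the same profile, credentials-file keys override config-file keys.
            profiles.setdefault(name, {}).update(parser[section])
    return profiles

def resolve_mfa_serial(profiles, name):
    """Walk the source_profile chain; return (mfa_serial, defining_profile) or (None, None)."""
    seen = set()
    while name is not None and name not in seen:  # 'seen' stops self-referencing chains
        seen.add(name)
        section = profiles[name]  # KeyError if source_profile names an undefined profile
        if "mfa_serial" in section:
            return section["mfa_serial"], name
        name = section.get("source_profile")
    return None, None

def audit_role_profiles(profiles):
    """Classify every role-assuming profile as 'direct', 'inherited:<profile>' or 'none'."""
    report = {}
    for name, section in profiles.items():
        if "role_arn" in section:
            serial, origin = resolve_mfa_serial(profiles, name)
            report[name] = "none" if serial is None else ("direct" if origin == name else f"inherited:{origin}")
    return report

# Constructed sample input, modelled on the issue's second (non-working) configuration.
CONFIG = """\
[default]
region = eu-central-1
mfa_serial = arn:aws:iam::***:mfa/foo

[profile foo]
role_arn = arn:aws:iam::***:role/AdminRole
source_profile = default
"""
CREDENTIALS = "[default]\naws_access_key_id = asdf\naws_secret_access_key = asdf\n"
if __name__ == "__main__":
    print(audit_role_profiles(load_profiles(CONFIG, CREDENTIALS)))
```

A profile reported as `inherited:<profile>` only gets an MFA prompt in a client that lifts the serial out of the source profile; `direct` corresponds to the configuration the reporter found to work.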