awsmfa's People

Contributors

dcoker, mmrwoods

awsmfa's Issues

Cannot rotate identity keys when assuming a role

Any call to iam.CurrentUser() (lazily loaded) will blow up once a role has been assumed, throwing the API error: An error occurred (ValidationError) when calling the ListAccessKeys operation: Must specify userName when calling with non-User credentials

This is a bit annoying when having the AWS_MFA_ROTATE_IDENTITY_KEYS environment variable set.

awsmfa arn:aws:iam::123456789012:role/myRole -d 3600 --rotate-identity-keys
MFA Token Code: 
Temporary credentials will expire in 0:59:59.861841.
Traceback (most recent call last):
  File "/usr/local/bin/awsmfa", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python2.7/site-packages/awsmfa/__main__.py", line 47, in main
    err = rotate(args, credentials)
  File "/usr/local/lib/python2.7/site-packages/awsmfa/__main__.py", line 193, in rotate
    in iam.CurrentUser().access_keys.all()
  File "/usr/local/lib/python2.7/site-packages/awsmfa/__main__.py", line 192, in <genexpr>
    current_access_key = next((key for key
  File "/usr/local/lib/python2.7/site-packages/boto3/resources/collection.py", line 83, in __iter__
    for page in self.pages():
  File "/usr/local/lib/python2.7/site-packages/boto3/resources/collection.py", line 166, in pages
    for page in pages:
  File "/usr/local/lib/python2.7/site-packages/botocore/paginate.py", line 255, in __iter__
    response = self._make_request(current_kwargs)
  File "/usr/local/lib/python2.7/site-packages/botocore/paginate.py", line 332, in _make_request
    return self._method(**current_kwargs)
  File "/usr/local/lib/python2.7/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python2.7/site-packages/botocore/client.py", line 661, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (ValidationError) when calling the ListAccessKeys operation: Must specify userName when calling with non-User credentials

Potential dependency conflicts between awsmfa and botocore

Hi, as shown in the following full dependency graph of awsmfa, awsmfa requires botocore >=1.4.0, while the installed version of boto3 (1.10.45) requires botocore >=1.13.45,<1.14.0.

According to Pip's “first found wins” installation strategy, botocore 1.13.45 is the actually installed version.

Although the first found package version botocore 1.13.45 just satisfies the later dependency constraint (botocore >=1.13.45,<1.14.0), it will lead to a build failure once developers release a newer version of botocore.

Dependency tree:

awsmfa - 0.2.9
| +- boto3(install version:1.10.45 version range:>=1.3.0)
| | +- botocore(install version:1.13.45 version range:>=1.13.45,<1.14.0)
| | | +- docutils(install version:0.15.2 version range:>=0.10,<0.16)
| | | +- jmespath(install version:0.9.4 version range:<1.0.0,>=0.7.1)
| | +- jmespath(install version:0.9.4 version range:<1.0.0,>=0.7.1)
| | +- s3transfer(install version:0.2.1 version range:>=0.2.0,<0.3.0)
| | | +- botocore(install version:1.13.45 version range:<2.0.0,>=1.12.36)
| | | | +- docutils(install version:0.15.2 version range:>=0.10,<0.16)
| | | | +- jmespath(install version:0.9.4 version range:<1.0.0,>=0.7.1)
| +- botocore(install version:1.13.45 version range:>=1.4.0)
| | +- docutils(install version:0.15.2 version range:>=0.10,<0.16)
| | +- jmespath(install version:0.9.4 version range:<1.0.0,>=0.7.1)
| +- pytz(install version:2019.3 version range:>=2016.1)
| +- six(install version:1.13.0 version range:>=1.10.0) 

Thanks for your attention.
Best,
Neolith
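The report's point is that the installed botocore happens to sit inside every range in the tree, and nothing will flag it when that stops being true. The following is an added example (not awsmfa's or pip's code) that checks a candidate botocore version against each declaring package's constraint copied from the tree above; version strings are treated as dotted integers, and the `BOTOCORE_CONSTRAINTS` mapping is constructed from the report.

```python
"""Check one installed package version against every constraint in a dependency tree.

Added example, not part of awsmfa or pip. Versions are parsed as dotted integers
(the only form in the tree above); pre-release tags are not handled.
"""
import re

# Constraints on botocore copied from the dependency tree in the report, keyed by
# the package that declares them.
BOTOCORE_CONSTRAINTS = {
    "awsmfa": ">=1.4.0",
    "boto3": ">=1.13.45,<1.14.0",
    "s3transfer": "<2.0.0,>=1.12.36",
}

_SPEC = re.compile(r"^(>=|<=|==|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text):
    """'1.13.45' -> (1, 13, 45); shorter tuples are zero-padded when compared."""
    return tuple(int(part) for part in text.strip().split("."))


def _cmp(a, b):
    """Three-way compare of two version tuples after padding to equal length."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def satisfies(version, spec):
    """True if `version` meets every comma-separated clause in `spec`."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _SPEC.match(clause.strip())
        if not m:
            raise ValueError("unsupported specifier clause: %r" % clause)
        op, bound = m.group(1), parse_version(m.group(2))
        c = _cmp(v, bound)
        ok = {">=": c >= 0, "<=": c <= 0, "==": c == 0,
              "!=": c != 0, ">": c > 0, "<": c < 0}[op]
        if not ok:
            return False
    return True


def unsatisfied(version, constraints):
    """Return the declaring packages whose constraint `version` violates."""
    return sorted(pkg for pkg, spec in constraints.items()
                  if not satisfies(version, spec))


if __name__ == "__main__":
    # 1.13.45 is the version pip actually installed; 1.14.0 stands for the next
    # botocore release that would break the boto3 pin.
    for candidate in ("1.13.45", "1.14.0"):
        print(candidate, "violates:", unsatisfied(candidate, BOTOCORE_CONSTRAINTS))
```

Running this in CI against the resolved version of each shared dependency turns the silent "first found wins" outcome into an explicit failure before the next botocore release does it for you.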

Alternative MFA devices / solutions are not supported, the script does not fail nicely in cases where such devices are configured as MFA on AWS side

AWS cloud supports multiple sorts of MFA devices, for example Yubikeys. The acquire-code implementation of AWSMFA does not support any such devices:

while token_code is None or len(token_code) != 6:

If such devices are not planned to be supported, I think adding a validation for a supported MFA method here

serial_number = find_mfa_for_user(args.serial_number, session, session3)
would make sense. The while loop at line 170 of main.py could also output an error for the user if the entered token is over 6 characters long.

If such devices could be supported (for example yubikey could be supported with an optional dependency to python-yubico, or even with some custom code) that would be great (and I could maybe look into adding some support for my devices in a PR).
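The two improvements proposed above, validating the device type before prompting and telling the user why a token was rejected, as an added example that is not awsmfa's code. It assumes that virtual MFA devices report a serial of the form arn:aws:iam::<account>:mfa/<name>, that hardware TOTP tokens report a bare serial, and that FIDO security keys report a serial under an arn:aws:iam::<account>:u2f/ prefix; `read_line` is a hypothetical input callback so the prompt loop can be driven without a terminal.

```python
"""Validate an MFA token code and fail early on unsupported device types.

Added example, not awsmfa's own code. Assumptions: virtual MFA devices report a
serial of the form arn:aws:iam::<account>:mfa/<name>; hardware TOTP tokens report
a bare serial (no ARN); FIDO/U2F security keys are assumed to report a serial
under an arn:aws:iam::<account>:u2f/ prefix.
"""
import re

TOKEN_LENGTH = 6  # TOTP codes accepted by sts:GetSessionToken are six digits

_MFA_ARN = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):(mfa|u2f)/(.+)$")
_DIGITS = re.compile(r"^[0-9]+$")


def classify_mfa_serial(serial):
    """Return 'virtual', 'hardware-totp' or 'fido' for a SerialNumber string."""
    m = _MFA_ARN.match(serial)
    if m is None:
        return "hardware-totp"  # hardware TOTP tokens carry a plain serial number
    return "virtual" if m.group(2) == "mfa" else "fido"


def check_supported_device(serial):
    """Raise a readable error instead of prompting for a code a FIDO key cannot produce."""
    kind = classify_mfa_serial(serial)
    if kind == "fido":
        raise ValueError(
            "MFA device %s is a FIDO security key; only TOTP (virtual or hardware) "
            "devices can supply a token code" % serial)
    return kind


def validate_token_code(raw):
    """Return (True, code) for a well-formed code, otherwise (False, reason)."""
    code = raw.strip()
    if not code:
        return False, "no token entered"
    if not _DIGITS.match(code):
        return False, "token must contain ASCII digits only"
    if len(code) > TOKEN_LENGTH:
        return False, "token is %d characters, longer than the %d expected" % (len(code), TOKEN_LENGTH)
    if len(code) < TOKEN_LENGTH:
        return False, "token is %d characters, shorter than the %d expected" % (len(code), TOKEN_LENGTH)
    return True, code


def prompt_for_token(read_line, max_attempts=3):
    """Like the original while loop, but explains each rejection and gives up after max_attempts.

    read_line is a hypothetical callback taking the prompt string (e.g. builtins.input).
    """
    for attempt in range(1, max_attempts + 1):
        ok, result = validate_token_code(read_line("MFA Token Code: "))
        if ok:
            return result
        print("rejected (%d/%d): %s" % (attempt, max_attempts, result))
    raise SystemExit("too many invalid MFA token codes")


if __name__ == "__main__":
    check_supported_device("arn:aws:iam::123456789012:mfa/alice")  # constructed serial
    print("accepted token:", prompt_for_token(input))
```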

For non-root users, iam:GetUser is not necessary; iam:ListMFADevices is enough

awsmfa/awsmfa/__main__.py

Lines 331 to 345 in bbd9ef8

user = iam.get_user()
if user['User']['Arn'].endswith(':root'):
    # The root user MFA device is not in the same way as non-root
    # users, so we must find the root MFA devices using a different
    # method than we do for normal users.
    devices = boto3_session.resource('iam').CurrentUser().mfa_devices.all()
    serials = (x.serial_number for x in devices)
else:
    # Non-root users can have a restrictive policy that allows them
    # only to list devices associated with their user but it requires
    # using the low level IAM client to compose the proper request.
    username = user['User']['UserName']
    devices = botocore_session.create_client('iam').list_mfa_devices(
        UserName=username)
    serials = (x['SerialNumber'] for x in devices['MFADevices'])

https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListMFADevices.html

If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request for this API.
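This issue and the first one above ("Cannot rotate identity keys when assuming a role") share a root cause: the tool needs to know what kind of principal it is running as before choosing an IAM call. The following added example (not awsmfa's code) gets that from sts:GetCallerIdentity alone, lists MFA devices with ListMFADevices and no UserName as the quoted documentation allows, so no iam:GetUser permission is needed, and refuses key rotation for role or federated sessions instead of crashing on ListAccessKeys. `FakeSTS` and `FakeIAM` are constructed stand-ins for boto3 clients so the logic runs offline; with real boto3 you would pass `boto3.client('sts')` and `boto3.client('iam')`. Treating root the same as a user for the implicit-UserName lookup is an assumption based on the documentation quoted above.

```python
"""Pick IAM calls based on the caller's principal type, without iam:GetUser.

Added example, not awsmfa's code. FakeSTS/FakeIAM are constructed stand-ins for
boto3 clients; the ARN forms come from sts:GetCallerIdentity.
"""
import re

# Partition names other than plain 'aws' (aws-cn, aws-us-gov) are accepted too.
_CALLER_ARN = re.compile(r"^arn:aws[a-z-]*:(iam|sts)::\d{12}:([^/]+)(?:/(.*))?$")


def classify_caller(arn):
    """Return ('root'|'user'|'assumed-role'|'federated-user', name-or-None)."""
    m = _CALLER_ARN.match(arn)
    if not m:
        raise ValueError("unrecognised caller ARN: %r" % arn)
    kind, rest = m.group(2), m.group(3)
    if kind == "root":
        return "root", None
    if kind == "user":
        return "user", rest.split("/")[-1]  # IAM path segments precede the user name
    if kind in ("assumed-role", "federated-user"):
        return kind, rest
    raise ValueError("unrecognised principal type %r in %r" % (kind, arn))


def find_mfa_serials(sts, iam):
    """List the caller's MFA serials using only iam:ListMFADevices.

    No UserName is sent: IAM resolves it from the access key that signed the
    request, so iam:GetUser is not required. Role and federated sessions are
    rejected up front with a readable message rather than an API ValidationError.
    """
    kind, _ = classify_caller(sts.get_caller_identity()["Arn"])
    if kind not in ("user", "root"):
        raise RuntimeError(
            "caller is a %s session; IAM only lists MFA devices for a user or root" % kind)
    resp = iam.list_mfa_devices()
    return [d["SerialNumber"] for d in resp["MFADevices"]]


def rotation_applies(sts):
    """Only IAM users own long-lived access keys, so only they can be rotated."""
    kind, _ = classify_caller(sts.get_caller_identity()["Arn"])
    return kind == "user"


class FakeSTS:
    """Constructed stand-in for boto3.client('sts')."""
    def __init__(self, arn):
        self.arn = arn

    def get_caller_identity(self):
        return {"Account": "123456789012", "Arn": self.arn, "UserId": "AIDAEXAMPLE"}


class FakeIAM:
    """Constructed stand-in for boto3.client('iam') reproducing the error from the first issue."""
    def __init__(self, caller_arn, serials):
        self.caller_arn, self.serials = caller_arn, serials

    def list_mfa_devices(self, **kwargs):
        if "UserName" not in kwargs and classify_caller(self.caller_arn)[0] not in ("user", "root"):
            raise RuntimeError("Must specify userName when calling with non-User credentials")
        return {"MFADevices": [{"SerialNumber": s} for s in self.serials]}


if __name__ == "__main__":
    user_arn = "arn:aws:iam::123456789012:user/alice"  # constructed
    sts, iam = FakeSTS(user_arn), FakeIAM(user_arn, ["arn:aws:iam::123456789012:mfa/alice"])
    print("serials:", find_mfa_serials(sts, iam), "rotate:", rotation_applies(sts))
```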

Does not work on windows

Was trying this out and noticed it will not work on windows due to the os.rename.

File "C:\Python27\lib\site-packages\awsmfa\__main__.py", line 378, in update_credentials_file
os.rename(temp_credentials_file, filename)
WindowsError: [Error 183] Cannot create a file when that file already exists

I can put in a PR if you'd like just let me know.

AWS_SHARED_CREDENTIALS_FILE environment variable isn't honored

The AWS_SHARED_CREDENTIALS_FILE environment variable is used by the aws cli to override the default location of the credentials file. This is useful when working with multiple organizations (and why I noticed it). If you set that variable, awscli still modifies ~/.aws/credentials. awsmfa should probably honor all of the same environment variables that the AWS cli does, where relevant (not sure if awsmfa ever reads or writes to the AWS_CONFIG_FILE).

For reference: http://docs.aws.amazon.com/cli/latest/userguide/cli-environment.html
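This issue and the Windows one above ("Does not work on windows") both concern how the credentials file is located and rewritten. The following added example (not awsmfa's code) resolves the file the way the CLI documentation above describes, honouring AWS_SHARED_CREDENTIALS_FILE and AWS_CONFIG_FILE with ~/.aws/credentials and ~/.aws/config as defaults, and replaces it atomically with os.replace, which unlike os.rename overwrites an existing target on Windows. `env` is injected rather than read from os.environ directly so the resolution is testable; the credentials text written in the demo is constructed.

```python
"""Resolve the AWS credentials file like the CLI and replace it atomically.

Added example, not awsmfa's code. Assumes the CLI's documented variables
AWS_SHARED_CREDENTIALS_FILE and AWS_CONFIG_FILE and the defaults
~/.aws/credentials and ~/.aws/config.
"""
import os
import tempfile


def resolve_aws_file(env, var, default_name):
    """Path from the override variable if set, else ~/.aws/<default_name>."""
    override = env.get(var)
    if override:
        return os.path.abspath(os.path.expanduser(override))
    return os.path.join(os.path.expanduser("~"), ".aws", default_name)


def credentials_path(env=os.environ):
    return resolve_aws_file(env, "AWS_SHARED_CREDENTIALS_FILE", "credentials")


def config_path(env=os.environ):
    return resolve_aws_file(env, "AWS_CONFIG_FILE", "config")


def replace_file_atomically(filename, text):
    """Write text to a temp file beside filename, then swap it in with os.replace.

    os.replace overwrites an existing target on Windows too (os.rename raises
    'Cannot create a file when that file already exists'); the temp file is in
    the same directory so the rename never crosses filesystems; mkstemp creates
    it mode 0o600 so the secrets are never world-readable, even briefly.
    """
    directory = os.path.dirname(filename) or "."
    os.makedirs(directory, exist_ok=True)
    fd, temp_name = tempfile.mkstemp(prefix=".credentials-", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
            fh.flush()
            os.fsync(fh.fileno())  # data is on disk before the rename is visible
        os.chmod(temp_name, 0o600)
        os.replace(temp_name, filename)
    except Exception:
        if os.path.exists(temp_name):
            os.unlink(temp_name)  # never leave a half-written secrets file behind
        raise
    return filename


if __name__ == "__main__":
    target = credentials_path()
    print("credentials file:", target)
    print("config file:", config_path())
    # Constructed content; run against a scratch path before pointing it at a real file.
    demo = os.path.join(tempfile.mkdtemp(), "credentials")
    replace_file_atomically(demo, "[default]\naws_access_key_id = AKIAEXAMPLEKEY\n")
    print("wrote", demo)
```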

TypeError: 'int' object is not iterable

Python 3.x

⇒  awsmfa
The config profile (identity) could not be found
Available profiles: default, josh
Traceback (most recent call last):
  File "/Users/devalias/.pyenv/versions/3.5.2/bin/awsmfa", line 9, in <module>
    load_entry_point('awsmfa==0.2.7', 'console_scripts', 'awsmfa')()
  File "/Users/devalias/.pyenv/versions/3.5.2/lib/python3.5/site-packages/awsmfa/__main__.py", line 42, in main
    status = one_mfa(args, credentials)
  File "/Users/devalias/.pyenv/versions/3.5.2/lib/python3.5/site-packages/awsmfa/__main__.py", line 73, in one_mfa
    session, session3 = make_session(args.identity_profile)
TypeError: 'int' object is not iterable

Python 2.x

⇒  awsmfa
The config profile (identity) could not be found
Available profiles: default, josh
Traceback (most recent call last):
  File "/Users/devalias/.pyenv/versions/2.7.12/bin/awsmfa", line 9, in <module>
    load_entry_point('awsmfa==0.2.7', 'console_scripts', 'awsmfa')()
  File "/Users/devalias/.pyenv/versions/2.7.12/lib/python2.7/site-packages/awsmfa/__main__.py", line 42, in main
    status = one_mfa(args, credentials)
  File "/Users/devalias/.pyenv/versions/2.7.12/lib/python2.7/site-packages/awsmfa/__main__.py", line 73, in one_mfa
    session, session3 = make_session(args.identity_profile)
TypeError: 'int' object is not iterable
