Support mfa without assume role.

[glennpratt]

Given the following profile:

[profile test]
region = us-east-1
mfa_serial = arn:aws:iam::012345678901:mfa/glennpratt

aws-cli never asks for an MFA token and I don't receive IAM permissions granted to MFA users. Here's the policy:

{  
    "Version":"2012-10-17",
    "Statement":[  
        {  
            "Condition":{  
                "NumericLessThan":{  
                    "aws:MultiFactorAuthAge":"43200"
                }
            },
            "Action":"*",
            "Resource":"*",
            "Effect":"Allow"
        }
    ]
}

And the error:

aws iam create-access-key --profile test --user glenn.pratt

A client error (AccessDenied) occurred when calling the CreateAccessKey operation: User: arn:aws:iam::012345678901:user/glennpratt is not authorized to perform: iam:CreateAccessKey on resource: user glennpratt

If I add a role_arn, then aws-cli asks for an MFA token and assumes role, but we want to grant user permissions without assuming a role.

[jamesls]

Marking as a feature request. The CLI currently does not support this, but it would be nice to have.

[ksperling]

Those waiting for this feature might want to have a look at https://github.com/lonelyplanet/aws-mfa (unfortunately it seems unmaintained).

One feature I would particularly like in this context is to be able to spawn a sub-shell via a command like aws shell such that the temporary credentials are only cached in the environment of that shell process rather than written to disk. This feature would also be beneficial in the context of assume role.

[ksperling]

I've implemented a shell script called aws-session that prompts for MFA credentials and makes them available in an interactive shell (think sudo -s for AWS).

At the moment it only supports STS GetSessionToken, but I may add AssumeRole support as well. One difference compared to the native AssumeRole support in the CLI is that the temporary credentials (intentionally) do not get persisted, so they can easily be discarded just by closing the shell.

[pwaller]

I've also written something called aws-creds which caches credentials (or can be used to invoke a shell with the credentials in it) and also supports AssumeRole. I think there are a few of these out there, I already know two other organisations which have their own scripts for doing this. It would be great to see this implemented in the official tooling.

[ASayre]

Good Morning!

We're closing this issue here on GitHub, as part of our migration to UserVoice for feature requests involving the AWS CLI.

This will let us get the most important features to you, by making it easier to search for and show support for the features you care the most about, without diluting the conversation with bug reports.

As a quick UserVoice primer (if not already familiar): after an idea is posted, people can vote on the ideas, and the product team will be responding directly to the most popular suggestions.

We’ve imported existing feature requests from GitHub - Search for this issue there!

And don't worry, this issue will still exist on GitHub for posterity's sake. As it’s a text-only import of the original post into UserVoice, we’ll still be keeping in mind the comments and discussion that already exist here on the GitHub issue.

GitHub will remain the channel for reporting bugs.

Once again, this issue can now be found by searching for the title on: https://aws.uservoice.com/forums/598381-aws-command-line-interface

-The AWS SDKs & Tools Team

This entry can specifically be found on UserVoice at: https://aws.uservoice.com/forums/598381-aws-command-line-interface/suggestions/33168322-support-mfa-without-assume-role

[salmanwaheed]

This message was created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients. This is a temporary error. The following address(es) deferred: mkdirenv@gmail.com Domain salmanwaheed.info has exceeded the max emails per hour (186/150 (124%)) allowed. Message will be reattempted later

…

------- This is a copy of the message, including all the headers. ------ Received: from o8.sgmail.github.com ([167.89.101.199]:57580) by box1177.bluehost.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.89_1) (envelope-from <bounces+848413-a7b0-hello=salmanwaheed.info@sgmail.github.com>) id 1ej0RO-001c37-GQ for hello@salmanwaheed.info; Tue, 06 Feb 2018 03:25:31 -0700 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=github.com; h=from:reply-to:to:cc:in-reply-to:references:subject:mime-version:content-type:content-transfer-encoding:list-id:list-archive:list-post:list-unsubscribe; s=s20150108; bh=Fr89r4On8a1r6VY5SkJJNwy4Nx8=; b=toumNFHfeuc5+40X sUQLSduCNXTGyvYwL6pVxwTn5ZiEweoerDvNTBBec6XbIR2eutBHKSq+qFqrAcap 2fQ30GzuVgK5cgSjJYeTLXb2SvvdgVxYxqFI/gGRc5Usv4jFk4MQiQsIgZJbxuw5 D5sAFggmG2AzkhUlLX0SyxJptf8= Received: by filter0035p1las1.sendgrid.net with SMTP id filter0035p1las1-16682-5A79828F-1A 2018-02-06 10:25:19.672583041 +0000 UTC Received: from github-smtp2a-ext-cp1-prd.iad.github.net (github-smtp2a-ext-cp1-prd.iad.github.net [192.30.253.16]) by ismtpd0014p1iad2.sendgrid.net (SG) with ESMTP id ewEZaVmDRJ-aYMm9WnWRPA for <hello@salmanwaheed.info>; Tue, 06 Feb 2018 10:25:19.573 +0000 (UTC) Date: Tue, 06 Feb 2018 10:25:19 +0000 (UTC) From: Andre Sayre <notifications@github.com> Reply-To: aws/aws-cli <reply@reply.github.com> To: aws/aws-cli <aws-cli@noreply.github.com> Cc: Subscribed <subscribed@noreply.github.com> Message-ID: <aws/aws-cli/issue/1985/issue_event/1459793603@github.com> In-Reply-To: <aws/aws-cli/issues/1985@github.com> References: <aws/aws-cli/issues/1985@github.com> Subject: Re: [aws/aws-cli] Support mfa without assume role. (#1985) Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="--==_mimepart_5a79828f6a3bb_49492ac7ff27eed4410170"; charset=UTF-8 Content-Transfer-Encoding: 7bit Precedence: list X-GitHub-Sender: ASayre X-GitHub-Recipient: salmanwaheed X-GitHub-Reason: subscribed List-ID: aws/aws-cli <aws-cli.aws.github.com> List-Archive: https://github.com/aws/aws-cli List-Post: <mailto:reply@reply.github.com> List-Unsubscribe: <mailto:unsub+00ef1b38942a318fc72318f5914b2406e7a5c04402e65e0092cf000000011691448f92a169ce094c45b3@reply.github.com>, <https://github.com/notifications/unsubscribe/AO8bODX4v_faMmuIp_OVmAUccpS9fzY5ks5tSCiPgaJpZM4IjU3M> X-Auto-Response-Suppress: All X-GitHub-Recipient-Address: hello@salmanwaheed.info X-SG-EID: 92ws1MVnlto3blxqXlf5goB0ee0kdDGWR6vcWx8d64/8pOhCcaPkq+rGtzL9C9I6BNj9+S4t9ZKdXQ SvQf8sFgO9hRFhatpRlEX55HtHVJk/e5l+F0h1xp42Bu9hOU2lvGQ6mZ1ZnyDI7E/qE6i98fMF50dF HrWm5yGoYIgAbgX8ZL2zqrgHEcP6iZN8v4sb0hr3Nr1Nebm47kD09amqJ8VtA92CLkStJGqDm8nGWA I= X-Spam-Status: No, score=-0.4 X-Spam-Score: -3 X-Spam-Bar: / X-Ham-Report: Spam detection software, running on the system "box1177.bluehost.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root\@localhost for details. Content preview: Closed aws/aws-cli#1985. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: #1985 (comment) Closed aws/aws-cli#1985. [...] Content analysis details: (-0.4 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: github.com] -0.5 SPF_PASS SPF: sender matches SPF record -1.0 RCVD_IN_MSPIKE_H4 RBL: Very Good reputation (+4) [167.89.101.199 listed in wl.mailspike.net] -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain 0.0 HTML_MESSAGE BODY: HTML included in message 0.7 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 2.5 DCC_CHECK No description available. -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.8 RCVD_IN_MSPIKE_WL Mailspike good senders -1.2 AWL AWL: Adjusted score from AWL reputation of From: address X-Spam-Flag: NO

----==_mimepart_5a79828f6a3bb_49492ac7ff27eed4410170 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Closed aws/aws-cli#1985.

-- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: #1985 (comment) ----==_mimepart_5a79828f6a3bb_49492ac7ff27eed4410170 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 7bit <p>Closed <a href="#1985" class="issue-link js-issue-link" data-error-text="Failed to load issue title" data-id="155993523" data-permission-text="Issue title is private" data-url="#1985">#1985</a>.</p> <p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">&mdash;<br />You are receiving this because you are subscribed to this thread.<br />Reply to this email directly, <a href="#1985 (comment)">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/AO8bOAbyUdUoUCJ0y5JyI3YNzi3YTzPVks5tSCiPgaJpZM4IjU3M">mute the thread</a>.<img alt="" height="1" src="https://github.com/notifications/beacon/AO8bOOC6WQJgwWPgUQY_flcImzNILKyOks5tSCiPgaJpZM4IjU3M.gif" width="1" /></p> <div itemscope itemtype="http://schema.org/EmailMessage"> <div itemprop="action" itemscope itemtype="http://schema.org/ViewAction"> <link itemprop="url" href="#1985 (comment)"></link> <meta itemprop="name" content="View Issue"></meta> </div> <meta itemprop="description" content="View this Issue on GitHub"></meta> </div> <script type="application/json" data-scope="inboxmarkup">{"api_version":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c55493e4bb","name":"GitHub"},"entity":{"external_key":"github/aws/aws-cli","title":"aws/aws-cli","subtitle":"GitHub repository","main_image_url":"https://cloud.githubusercontent.com/assets/143418/17495839/a5054eac-5d88-11e6-95fc-7290892c7bb5.png","avatar_image_url":"https://cloud.githubusercontent.com/assets/143418/15842166/7c72db34-2c0b-11e6-9aed-b52498112777.png","action":{"name":"Open in GitHub","url":"https://github.com/aws/aws-cli"}},"updates":{"snippets":[{"icon":"DESCRIPTION","message":"Closed aws/aws-cli#1985."}],"action":{"name":"View Issue","url":"#1985 (comment)"}}}</script> ----==_mimepart_5a79828f6a3bb_49492ac7ff27eed4410170--

[salmanwaheed]

This message was created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients. This is a temporary error. The following address(es) deferred: mkdirenv@gmail.com Domain salmanwaheed.info has exceeded the max emails per hour (187/150 (124%)) allowed. Message will be reattempted later

…

------- This is a copy of the message, including all the headers. ------ ------ The body of the message is 6170 characters long; only the first ------ 5000 or so are included here. Received: from github-smtp2-ext6.iad.github.net ([192.30.252.197]:60912 helo=github-smtp2b-ext-cp1-prd.iad.github.net) by box1177.bluehost.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89_1) (envelope-from <noreply@github.com>) id 1ej0RR-001c3U-9t for hello@salmanwaheed.info; Tue, 06 Feb 2018 03:25:33 -0700 Date: Tue, 06 Feb 2018 02:25:21 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1517912721; bh=F4Z/NdKuUHKikHp3+zaJPlQHGZiJ4WDvS4uXRxMSE9g=; h=From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=Q2NdxaajIIOP9c88o9Ln3Jwp0WrRFsVU2Ektsz4uHoHqNdxq+i5gMV2uKibxOX19L mg86yb1gQk+DFaEaMDc3ipr8m3XEz/p0Vy3m9UxxscvfgQmMNPGrLzm7ZWvdoJfF3n Uk8iy1e8O+Pn21zBMPiVfUSSDGY2w9SlQJdQMJiA= From: Andre Sayre <notifications@github.com> Reply-To: aws/aws-cli <reply@reply.github.com> To: aws/aws-cli <aws-cli@noreply.github.com> Cc: Subscribed <subscribed@noreply.github.com> Message-ID: <aws/aws-cli/issues/1985/363378537@github.com> In-Reply-To: <aws/aws-cli/issues/1985@github.com> References: <aws/aws-cli/issues/1985@github.com> Subject: Re: [aws/aws-cli] Support mfa without assume role. (#1985) Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="--==_mimepart_5a798291ac224_458b3ff55d8f4f3450895c"; charset=UTF-8 Content-Transfer-Encoding: 7bit Precedence: list X-GitHub-Sender: ASayre X-GitHub-Recipient: salmanwaheed X-GitHub-Reason: subscribed List-ID: aws/aws-cli <aws-cli.aws.github.com> List-Archive: https://github.com/aws/aws-cli List-Post: <mailto:reply@reply.github.com> List-Unsubscribe: <mailto:unsub+00ef1b3806a67678faf26f0a785048b727ee591e85d9594592cf000000011691449192a169ce094c45b3@reply.github.com>, <https://github.com/notifications/unsubscribe/AO8bOKRhA1vUJ4SDb1X6vZjhZ_VZMP7gks5tSCiRgaJpZM4IjU3M> X-Auto-Response-Suppress: All X-GitHub-Recipient-Address: hello@salmanwaheed.info X-Spam-Status: No, score=-1.1 X-Spam-Score: -10 X-Spam-Bar: - X-Ham-Report: Spam detection software, running on the system "box1177.bluehost.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root\@localhost for details. Content preview: Good Morning! We're closing this issue here on GitHub, as part of our migration to [UserVoice](https://aws.uservoice.com/forums/598381-aws-command-line-interface) for feature requests involving the AWS CLI. [...] Content analysis details: (-1.1 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: uservoice.com] -0.5 SPF_PASS SPF: sender matches SPF record 0.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.5 AWL AWL: Adjusted score from AWL reputation of From: address X-Spam-Flag: NO

----==_mimepart_5a798291ac224_458b3ff55d8f4f3450895c Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Good Morning! We're closing this issue here on GitHub, as part of our migration to [Use= rVoice](https://aws.uservoice.com/forums/598381-aws-command-line-interfac= e) for feature requests involving the AWS CLI. This will let us get the most important features to you, by making it eas= ier to search for and show support for the features you care the most abo= ut, without diluting the conversation with bug reports. As a quick UserVoice primer (if not already familiar): after an idea is p= osted, people can vote on the ideas, and the product team will be respond= ing directly to the most popular suggestions. We=E2=80=99ve imported existing feature requests from GitHub - Search for= this issue there! And don't worry, this issue will still exist on GitHub for posterity's sa= ke. As it=E2=80=99s a text-only import of the original post into UserVoi= ce, we=E2=80=99ll still be keeping in mind the comments and discussion th= at already exist here on the GitHub issue. GitHub will remain the channel for reporting bugs. = Once again, this issue can now be found by searching for the title on: ht= tps://aws.uservoice.com/forums/598381-aws-command-line-interface =

-The AWS SDKs & Tools Team

-- = You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: #1985 (comment)=

----==_mimepart_5a798291ac224_458b3ff55d8f4f3450895c Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable <p>Good Morning!</p> <p>We're closing this issue here on GitHub, as part of our migration to <= a href=3D"https://aws.uservoice.com/forums/598381-aws-command-line-interf= ace" rel=3D"nofollow">UserVoice</a> for feature requests involving the AW= S CLI.</p> <p>This will let us get the most important features to you, by making it = easier to search for and show support for the features you care the most = about, without diluting the conversation with bug reports.</p> <p>As a quick UserVoice primer (if not already familiar): after an idea i= s posted, people can vote on the ideas, and the product team will be resp= onding directly to the most popular suggestions.</p> <p>We=E2=80=99ve imported existing feature requests from GitHub - Search = for this issue there!</p> <p>And don't worry, this issue will still exist on GitHub for posterity's= sake. As it=E2=80=99s a text-only import of the original post into User= Voice, we=E2=80=99ll still be keeping in mind the comments and discussion= that already exist here on the GitHub issue.</p> <p>GitHub will remain the channel for reporting bugs.</p> <p>Once again, this issue can now be found by searching for the title on:= <a href=3D"https://aws.uservoice.com/forums/598381-aws-command-line-inte= rface" rel=3D"nofollow">https://aws.uservoice.com/forums/598381-aws-comma= nd-line-interface</a></p> <p>-The AWS SDKs &amp; Tools Team</p> <p style=3D"font-size:small;-webkit-text-size-adjust:none;color:#666;">&m= dash;<br />You are receiving this because you are subscribed to this thre= ad.<br />Reply to this email directly, <a href=3D"https://github.com/aws/= aws-cli/issues/1985#issuecomment-363378537">view it on GitHub</a>, or <a = href=3D"https://github.com/notifications/unsubscribe-auth/AO8bOMlWpV1dKXK= SizUST3b5uTzkSIgnks5tSCiRgaJpZM4IjU3M">mute the thread</a>.<img alt=3D"" = height=3D"1" src=3D"https://github.com/notifications/beacon/AO8bODBqt6N1r= l-cepPSV9FjSX2zJ3LZks5tSCiRgaJpZM4IjU3M.gif" width=3D"1" /></p> <div itemscope itemtype=3D"http://schema.org/EmailMessage"> <div itemprop=3D"action" itemscope itemtype=3D"http://schema.org/ViewActi= on"> <link itemprop=3D"url" href=3D"#19= 85#issuecomment-363378537"></link> <meta itemprop=3D"name" content=3D"View Issue"></meta> </div> <meta itemprop=3D"description" content=3D"View this Issue on GitHub"></me= ta> </div> <script type=3D"application/json" data-scope=3D"inboxmarkup">{"api_versio= n":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c55493e4bb","name"= :"GitHub"},"entity":{"external_key":"github/aws/aws-cli","title":"aws/aws= -cli","subtitle":"GitHub repository","main_image_url":"https://cloud.gith= ubusercontent.com/assets/143418/17495839/a5054eac-5d88-11e6-95fc-7290892c= 7bb5.png","avatar_image_url":"https://cloud.githubusercontent.com/assets/= 143418/15842166/7c72db34-2c0b-11e6-9aed-b52498112777.png","action":{"name= ":"Open in GitHub","url":"https://github.com/aws/aws-cli"}},"updates":{"s= nippets":[{"icon":"PERSON","message":"@ASayre in aws/aws-cli#1985: Good Morning!\r\n= \r\nWe're closing this issue here on GitHub, as part of our migration to = [UserVoice](https://aws.uservoice.com/forums/598381-aws-command-line-inte= rface) for feature requests involving the AWS CLI.\r\n\r\nThis will let u= s get the most important features t

[jamesls]

Based on community feedback, we have decided to return feature requests to GitHub issues.

[ahl]

Seems like a dupe of #9019 and #3174

[tb3088]

With AWS Professional Services incessantly pushing MFA and heavy use of account separation and assume-role and friends, the least the tools team could do is keep up, eh?