MFA required every time when using source_profile #532

Closed

iconara opened this issue Feb 21, 2020 · 6 comments

iconara commented Feb 21, 2020

  • I am using the latest release of AWS Vault
  • I have provided my .aws/config (redacted if necessary)
  • I have provided the debug output using aws-vault --debug (redacted if necessary)

After having used aws-vault for years I discovered that I can use source_profile to not have to add each of my profiles individually – and since I often use a lot of different roles that all are assumed by the same credentials this simplifies things a lot.

However, I noticed it doesn't work to have a profile with mfa_serial with a source_profile that does not have mfa_serial. Or to be specific: it works, but I have to type the MFA code every time, the session doesn't seem to be saved.

I don't know if this is working as intended, or even not solvable. There exists a workaround (add profiles that require MFA separately). I can see how it could be a problem if a profile and its source had different MFAs configured, or if there are multiple profiles with different MFAs configured using the same source profile – in other words, I can see how it could be that this has no good solution, but I also know too little about how it works to know for sure.

This is how I have things set up (redacted and simplified). In this setup all I have done is aws-vault add theo. The readonly and dev profiles don't require MFA, but I need MFA to use the sysadmin role.

[profile theo]

[profile readonly]
source_profile=theo
role_arn=arn:aws:iam::1234567890:role/readonly

[profile dev]
source_profile=theo
role_arn=arn:aws:iam::1234567890:role/developer

[profile sysadmin]
source_profile=theo
role_arn=arn:aws:iam::1234567890:role/sysadmin
mfa_serial=arn:aws:iam::1234567890:mfa/theo

Here is a session where I first use the readonly profile to list S3, then the sysadmin role, which requires me to enter an MFA code, which is expected, but then I again run the same command with the sysadmin role and again have to enter an MFA code.

If I remove source_profile from the sysadmin profile and add credentials using aws-vault add sysadmin, I would not have to enter an MFA code the second time.

$ aws-vault exec readonly -- aws s3 ls
2020/02/21 15:29:05 aws-vault v5.3.1
2020/02/21 15:29:05 [keyring] Considering backends: [keychain pass file]
2020/02/21 15:29:05 Loading config file /Users/theo/.aws/config
2020/02/21 15:29:05 Parsing config file /Users/theo/.aws/config
2020/02/21 15:29:05 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2020/02/21 15:29:05 [keyring] Found 16 results
2020/02/21 15:29:05 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2020/02/21 15:29:05 [keyring] Found 16 results
2020/02/21 15:29:05 profile theo: using stored credentials
2020/02/21 15:29:05 profile theo: skipping GetSessionToken because profile 'readonly' has no MFA serial defined
2020/02/21 15:29:05 profile readonly: using AssumeRole
2020/02/21 15:29:05 Looking up keyring for 'theo'
2020/02/21 15:29:05 [keyring] Querying keychain for service="aws-vault", account="iconara-theo", keychain="aws-vault.keychain"
2020/02/21 15:29:05 [keyring] Found item "aws-vault (theo)"
2020/02/21 15:29:06 Generated credentials ****************EZCT using AssumeRole, expires in 59m59.615731s
2020/02/21 15:29:06 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2020/02/21 15:29:06 Setting subprocess env: AWS_SESSION_TOKEN, AWS_SECURITY_TOKEN
2020/02/21 15:29:06 Setting subprocess env: AWS_SESSION_EXPIRATION
(redacted output)

$ aws-vault exec sysadmin --debug -- aws s3 ls
2020/02/21 15:30:40 aws-vault v5.3.1
2020/02/21 15:30:40 [keyring] Considering backends: [keychain pass file]
2020/02/21 15:30:40 Loading config file /Users/theo/.aws/config
2020/02/21 15:30:40 Parsing config file /Users/theo/.aws/config
2020/02/21 15:30:41 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2020/02/21 15:30:41 [keyring] Found 16 results
2020/02/21 15:30:41 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2020/02/21 15:30:41 [keyring] Found 16 results
2020/02/21 15:30:41 profile theo: using stored credentials
2020/02/21 15:30:41 profile theo: skipping GetSessionToken because MFA serial doesn't match profile 'sysadmin'
2020/02/21 15:30:41 profile sysadmin: using AssumeRole (with MFA)
Enter token for arn:aws:iam::1234567890:mfa/theo: ******
2020/02/21 15:31:53 Looking up keyring for 'theo'
2020/02/21 15:31:53 [keyring] Querying keychain for service="aws-vault", account="theo", keychain="aws-vault.keychain"
2020/02/21 15:31:53 [keyring] Found item "aws-vault (theo)"
2020/02/21 15:31:54 Generated credentials ****************4CU3 using AssumeRole, expires in 59m59.298804s
2020/02/21 15:31:54 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2020/02/21 15:31:54 Setting subprocess env: AWS_SESSION_TOKEN, AWS_SECURITY_TOKEN
2020/02/21 15:31:54 Setting subprocess env: AWS_SESSION_EXPIRATION
(redacted output)

$ aws-vault exec sysadmin --debug -- aws s3 ls
2020/02/21 15:32:24 aws-vault v5.3.1
2020/02/21 15:32:24 [keyring] Considering backends: [keychain pass file]
2020/02/21 15:32:24 Loading config file /Users/theo/.aws/config
2020/02/21 15:32:24 Parsing config file /Users/theo/.aws/config
2020/02/21 15:32:24 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2020/02/21 15:32:24 [keyring] Found 16 results
2020/02/21 15:32:24 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2020/02/21 15:32:24 [keyring] Found 16 results
2020/02/21 15:32:24 profile theo: using stored credentials
2020/02/21 15:32:24 profile theo: skipping GetSessionToken because MFA serial doesn't match profile 'sysadmin'
2020/02/21 15:32:24 profile sysadmin: using AssumeRole (with MFA)
Enter token for arn:aws:iam::1234567890:mfa/theo:

j0hnsmith (Contributor) commented

#520 (comment) has an example of config that should do what you want, although it's subject to change depending on the outcome of that issue.

mtibben (Member) commented Feb 25, 2020

The issue is that our MFA caching isn't kicking in (see the skipping GetSessionToken because... log line).

There are 2 underlying issues:

  1. we're not caching roles
  2. inferring when to use GetSessionToken is tricky and needs further improvement

I'm working on a fix to those, but in the meantime there is a simple fix: add mfa_serial to your theo profile. That will cause the GetSessionToken to kick in to cache the MFA session, without any effect on readonly or dev.

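As an added example (not code from the thread or from aws-vault itself), a small Python check that parses a config like the one above, flags role profiles whose mfa_serial is not also present on their source_profile (the shape in which aws-vault skips GetSessionToken and prompts on every exec), and applies the workaround mtibben describes by copying the serial onto the source profile. The sample config is constructed to mirror the reporter's; the rule that a source profile shared by roles with different serials is reported rather than rewritten is my assumption about what is safe to automate, not aws-vault behaviour.

```python
import configparser

# Constructed sample config mirroring the (redacted) one in the issue:
# sysadmin needs MFA, but its source profile theo declares no mfa_serial.
SAMPLE_CONFIG = """\
[profile theo]

[profile readonly]
source_profile=theo
role_arn=arn:aws:iam::1234567890:role/readonly

[profile sysadmin]
source_profile=theo
role_arn=arn:aws:iam::1234567890:role/sysadmin
mfa_serial=arn:aws:iam::1234567890:mfa/theo
"""

def load_profiles(text):
    """Parse AWS CLI config text into {profile_name: {key: value}} (strips the 'profile ' prefix)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {(s[8:] if s.startswith("profile ") else s): dict(cp.items(s)) for s in cp.sections()}

def find_uncached_mfa(profiles):
    """Role profiles with an mfa_serial that their source_profile does not carry: MFA is asked every exec."""
    return [
        (name, keys["source_profile"], keys["mfa_serial"])
        for name, keys in profiles.items()
        if keys.get("source_profile") and keys.get("mfa_serial")
        and profiles.get(keys["source_profile"], {}).get("mfa_serial") != keys["mfa_serial"]
    ]

def apply_workaround(profiles):
    """Copy each flagged mfa_serial onto its source profile (the thread's fix). A source that would
    need two different serials is left untouched and returned in conflicts (assumption: one session per source)."""
    fixed = {n: dict(k) for n, k in profiles.items()}
    by_source = {}
    for _name, src, serial in find_uncached_mfa(profiles):
        by_source.setdefault(src, set()).add(serial)
    conflicts = []
    for src, serials in by_source.items():
        if len(serials) == 1:
            fixed.setdefault(src, {})["mfa_serial"] = next(iter(serials))
        else:
            conflicts.append(src)
    return fixed, conflicts
```

Run `find_uncached_mfa(load_profiles(open("~/.aws/config").read()))` on a real config to see which role profiles will prompt every time; after the workaround the readonly and dev profiles still get no prompt, as the reporter confirms below.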
iconara (Author) commented Mar 19, 2020

Adding mfa_serial to the theo role does indeed solve my problem. A little counter-intuitively, it does not require me to type MFA codes when I use the readonly and dev profiles – but this is exactly how I wanted the setup to work. Thank you.

mtibben (Member) commented Apr 30, 2020

I believe this should be fixed in #569. Let me know if it's not.

mtibben closed this as completed Apr 30, 2020

M1ke commented May 19, 2020

@mtibben came here with a similar issue. Just upgraded from (I think) 4.x, where I was used to my MFA role being cached for 9 hours. On 5.x any duration >1h prevented caching, which felt like a big regression. However, I have now moved to the 6.x beta release and it seems to cache it fine, so thanks for the update!

mtibben (Member) commented May 19, 2020

Great, glad v6 is working out for you.
