Improve signposting of IAM api call restrictions #1057

Merged
merged 1 commit into from
Oct 19, 2022

ChristopherHackett

PR related to #1056

  • Flag issue during 'Rotating credentials' section
  • Expand 'Temporary credentials limitations with STS, IAM' with 1) error user will encounter, 2) mitigations
  • ?correct? possible existing typo in 'MFA' section (however I'm unsure if the entire sentence is valid)


mtibben commented Oct 19, 2022

Thanks @ChristopherHackett

@mtibben mtibben merged commit 3eaf743 into 99designs:master Oct 19, 2022
@ChristopherHackett ChristopherHackett deleted the patch-1 branch October 21, 2022 15:04

@sftim sftim left a comment

A post-merge review. No need to redo anything.

Comment on lines +379 to +382
```shell
$ aws-vault exec <iam_user_profile> -- aws iam get-user
An error occurred (InvalidClientTokenId) when calling the GetUser operation: The security token included in the request is invalid
```
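
Review bot: the `<iam_user_profile>` placeholder on the `aws-vault exec` line sits inside a block tagged `shell`, where `<` and `>` are redirection operators, so the line does not work as written if a reader pastes it. Use a placeholder without angle brackets, and move the `An error occurred (InvalidClientTokenId)` output into an untagged block so the command and its output are not highlighted as one script.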
This isn't a valid shell script - watch out for marking it as one.

An error occurred (InvalidClientTokenId) when calling the GetUser operation: The security token included in the request is invalid
```

For restricted IAM operation you can add MFA to the IAM User and update your ~/.aws/config file with [MFA configuration](#mfa). Alternately you may avoid the temporary session entirely by using `--no-session`.
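
Review bot: the last sentence of this paragraph offers `--no-session` as an equal alternative to MFA without saying what it trades away. Avoiding the temporary session means the wrapped command runs with the IAM user's long-term credentials, so the text should say so and present MFA as the preferred route, with `--no-session` kept for the restricted calls that need it. Minor wording: "operation" should be "operations", and "Alternately" reads better as "Alternatively".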
Suggested change
For restricted IAM operation you can add MFA to the IAM User and update your ~/.aws/config file with [MFA configuration](#mfa). Alternately you may avoid the temporary session entirely by using `--no-session`.
If you configure MFA for your the IAM user and update your ~/.aws/config file with [MFA configuration](#mfa)
then AWS does not apply those restrictions. For some operations, you can instead use the long-term
credentials (skipping use of a session) by using the `--no-session` option to `aws-vault`.
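
Review bot: the first suggested line reads "for your the IAM user", which has a stray word; "for your IAM user" is what is meant. "For some operations" in the second sentence would also be more useful if it named which operations, or pointed to where they are listed.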
