Assume role and MFA support for Serverless CLI #5432
Conversation
This sets the AWS_SDK_LOAD_CONFIG environment variable which allows AWS SDK to read ~/.aws/config, and implements the tokenCodeFn callback which asks the user to enter a MFA code. Credentials are also cached to avoid creating the object multiple times, which makes MFA work properly when multiple requests are made. With these changes Serverless Framework should be compatible with AWS CLI, so that these instructions for assuming a role work out-of-the-box: https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html
There was a problem hiding this comment.
Looks great @kennu! Just a small tweak, it'd be better if the cached creds were an instance variable rather than a global. I've tested that it still works that way, so feel free to just click enable "Allow edits from maintainers" for this PR and I'll push my change.
|
|
||
| const constants = { | ||
| providerName: 'aws', | ||
| }; | ||
|
|
||
| PromiseQueue.configure(BbPromise.Promise); | ||
|
|
||
| // Store credentials in this variable to avoid creating them several times (messes up MFA). | ||
| let cachedCredentials = null; |
There was a problem hiding this comment.
Move to this.cachedCredentials in the AwsProvider's constructor.
There was a problem hiding this comment.
I think [x] Allow edits from maintainers is enabled, should I enable something more to make it work?
There was a problem hiding this comment.
Doh. You're right, I'm just not used to pushing to other peoples repos. Got it now.
and fix lint error
|
I guess the tests are not compatible with environment variable AWS_SDK_LOAD_CONFIG=true. Should I just remove it and have users manually set it? I was hoping to eliminate that step, but I guess it could break backwards compatibility. |
|
I think this solution is probably for the best anyway, don't want to set too many env vars around AWS without the user's input on it. |
|
I guess this still needs some kind of test for the interactive MFA query.. |
|
Yeah, It'd be preferable if that function had coverage. |
|
Thanks for the merge. I've been trying to figure a way to test readline() (stdin / stdout) and AWS MFA, but it's actually pretty complicated in any meaningful way. |
What did you implement:
With these changes Serverless Framework should be compatible with
AWS CLI, so that these instructions for assuming a role work
out-of-the-box:
https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html
Related to #5048
How did you implement it:
This sets the AWS_SDK_LOAD_CONFIG environment variable which allows
AWS SDK to read ~/.aws/config, and implements the tokenCodeFn
callback which asks the user to enter a MFA code. Credentials are
also cached to avoid creating the object multiple times, which
makes MFA work properly when multiple requests are made.
How can we verify it:
Deploy any project using an AWS profile that has role_arn, source_profile and mfa_serial configured in ~/.aws/config.
Todos:
Is this ready for review?: YES
Is it a breaking change?: NO