Unable to authenticate using AWS Account with MFA enabled #2356
Comments
I noticed something similar, may or may not be the same issue. In my case the user and its MFA are defined in an account aaaaaaaaaaaaa and the assumed role is in another account, bbbbbbbbbbbb.
gives My AWS config looks like this, and it works well with AWS CLI:
|
In my setup I didn't specify the MFA serial in the Go code, since I had it in my profile. And I think most people use profiles set in the environment rather than hardcoding them in code anyway. So my code was something like this:
And got errors with a profile that has both mfa_serial and another source_profile assumed with IAM role
As a workaround I built this alternative MFA tool that runs as a credentials provider for my profile: |
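The profile shape described in the comment above (a role profile with both `mfa_serial` and `source_profile`) can be detected before any STS call is made. This check is an added example, not code from this thread or from the SDK; it uses only the Go standard library, and the profile names, account IDs and ARNs in the sample config are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of ~/.aws/config; names, account IDs and ARNs are placeholders.
const sampleConfig = `
[profile base]
region = eu-west-1
[profile cross-account]
role_arn = arn:aws:iam::222222222222:role/example-role
source_profile = base
mfa_serial = arn:aws:iam::111111111111:mfa/example-user
`

// parseProfiles reads INI-style text into profile name -> key -> value.
func parseProfiles(text string) map[string]map[string]string {
	profiles, current := map[string]map[string]string{}, ""
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			current = strings.TrimSpace(strings.TrimPrefix(strings.Trim(line, "[]"), "profile "))
			profiles[current] = map[string]string{}
		} else if k, v, ok := strings.Cut(line, "="); ok && current != "" && !strings.ContainsAny(line[:1], "#;") {
			profiles[current][strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return profiles
}

// mfaHops walks the source_profile chain from start and returns each profile that
// assumes a role with mfa_serial set, i.e. each hop that needs a token code.
func mfaHops(profiles map[string]map[string]string, start string) ([]string, error) {
	hops, seen := []string(nil), map[string]bool{}
	for name := start; name != "" && !seen[name]; name = profiles[name]["source_profile"] {
		if _, ok := profiles[name]; !ok {
			return nil, fmt.Errorf("profile %q not found", name)
		}
		seen[name] = true // a self-reference or cycle ends the walk
		if p := profiles[name]; p["role_arn"] != "" && p["mfa_serial"] != "" {
			hops = append(hops, name)
		}
	}
	return hops, nil
}

func main() { fmt.Println(mfaHops(parseProfiles(sampleConfig), "cross-account")) }
```

For a profile flagged this way, aws-sdk-go-v2 needs a token source when the profile is loaded, which `config.WithAssumeRoleCredentialOptions` can supply by setting `TokenProvider` (for example `stscreds.StdinTokenProvider`).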
Hi @RanVaknin,

My Code:

```go
package main

import (
	"context"
	"fmt"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/sts"
)

func main() {
	cfg, err := config.LoadDefaultConfig(context.TODO(),
		config.WithClientLogMode(aws.LogRequestWithBody|aws.LogResponseWithBody),
		config.WithSharedConfigProfile("sdu-dev-infra"),
	)
	if err != nil {
		log.Fatalf("unable to load SDK config, %v", err)
	}

	stsClient := sts.NewFromConfig(cfg)

	roleArn := "arn:aws:iam::765139991506:role/bea-platform-sre-iam-role"
	mfaSerialNumber := "arn:aws:iam::393751483396:mfa/Yuvi-Mobile"
	tokenCode := "022049" // 6 digit code supplied by google Authenticator app

	assumeRoleInput := &sts.AssumeRoleInput{
		RoleArn:         &roleArn,
		RoleSessionName: aws.String("session-name"),
		SerialNumber:    &mfaSerialNumber,
		TokenCode:       &tokenCode,
	}

	out, err := stsClient.AssumeRole(context.TODO(), assumeRoleInput)
	if err != nil {
		log.Fatalf("unable to assume role, %v", err)
	}

	fmt.Println(*out.AssumedRoleUser.Arn) // logs arn:aws:sts::REDACTED:assumed-role/mfa-role/session-name
}
```

Error Message:
AWS Config
AWS CREDENTIALS
AWS CLI
I also tested with AWS CLI as you mentioned but I passed the profile along with it. And, it worked perfectly fine.

```
aws iam get-role --role-name $role_name --profile $profile
```

```json
{
    "Role": {
        "Path": "/",
        "RoleName": "ROLE_NAME",
        "RoleId": "ROLE_ID",
        "Arn": "arn:aws:iam::ROLE_NUMBER:role/ROLE_NAME",
        "CreateDate": "YYYY-MM-DDTHH:MM:SS+00:00",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "idassume",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "arn:aws:iam::ACCOUNT_NUMBER:root"
                    },
                    "Action": "sts:AssumeRole",
                    "Condition": {
                        "Bool": {
                            "aws:MultiFactorAuthPresent": "true"
                        }
                    }
                }
            ]
        },
        "Description": "ROLE DESCRIPTION",
        "MaxSessionDuration": 3600,
        "RoleLastUsed": {
            "LastUsedDate": "YYYY-MM-DDTHH:MM:SS+00:00",
            "Region": "eu-west-1"
        }
    }
}
```

PYTHON BOTO3
The same above setup works fine with boto3 as well using the below code.
The above python method can be called and it is working like a charm. |
Do you have any updates on this? |
Hi Team, |
Describe the bug
I'm trying to authenticate to an AWS account that has MFA enabled. But, I'm not able to do so because it's throwing an error. Also, I'm not getting any examples or clear documentation for performing it.
I'm following the example mentioned in the official docs.
But, I'm not able to authenticate and I'm getting the below error always despite passing the MFA code.
Expected Behavior
Successfully authenticated to the AWS account.
Current Behavior
I'm not able to authenticate and I'm getting the below error always despite passing the MFA code.
Reproduction Steps
Possible Solution
Additional Information/Context
No response
AWS Go SDK V2 Module Versions Used
Compiler and Version used
go version go1.21.3 darwin/arm64
Operating System and version
Mac OS - Ventura - 13.6.1