Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CLI: Not prompting for MFA code with AWS_PROFILE envar after CDK v2.167.0 / SDK v3 #32312

Closed
1 task done
bwg opened this issue Nov 27, 2024 · 3 comments · Fixed by #32313
Closed
1 task done

CLI: Not prompting for MFA code with AWS_PROFILE envar after CDK v2.167.0 / SDK v3 #32312

bwg opened this issue Nov 27, 2024 · 3 comments · Fixed by #32313
Labels
bug This issue is a bug. effort/small Small work item – less than a day of effort p0 package/tools Related to AWS CDK Tools or CLI potential-regression Marking this issue as a potential regression to be checked by team member

Comments

@bwg
Copy link

bwg commented Nov 27, 2024

Describe the bug

When using an IAM profile/role that requires multi-factor authentication in the AWS_PROFILE envar, the CDK CLI is not prompting for the MFA code, resulting in a missing credentials error.

[09:26:47] Error: Need to perform AWS calls for account ***, but no credentials have been configured

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

2.166

Expected Behavior

The CDK CLI should prompt for a MFA code when a profile that requires MFA is set in the AWS_PROFILE envar

Current Behavior

The CDK CLI is unable to prompt because it does not have a MFA callback handler:

[09:49:12] Resolving default credentials
[09:49:12] Unable to determine the default AWS account (CredentialsProviderError): Profile *** requires multi-factor authentication, but no MFA code callback was provided.

Reproduction Steps

in ~/.aws/.config, create a profile that requires MFA

[profile mfa-test]
duration_seconds = 43200
mfa_serial = arn:aws:iam::***:mfa/***
output = json
region = us-east-1
role_arn = arn:aws:iam::***:role/***
source_profile = ***

then export that profile to the AWS_PROFILE envar

> export AWS_PROFILE=mfa-test

now run any cdk command that performs AWS calls:

> cdk bootstrap
 ⏳  Bootstrapping environment aws://***/us-east-1...
 ❌  Environment aws://***/us-east-1 failed bootstrapping: Error: Need to perform AWS calls for account ***, but no credentials have been configured

Possible Solution

No response

Additional Information/Context

passing the --profile argument to the CDK CLI does prompt for MFA credentials

> cdk bootstrap --profile=infra
MFA token for arn:aws:iam::***:mfa/***:

The logs when using --profile

[10:29:07] Resolving default credentials
[10:29:07] Require MFA token for serial ARN arn:aws:iam::***:mfa/***

vs. logs when using AWS_PROFILE

[09:49:12] Resolving default credentials
[09:49:12] Unable to determine the default AWS account (CredentialsProviderError): Profile *** requires multi-factor authentication, but no MFA code callback was provided.

when using AWS_PROFILE the log message does identify the correct profile

CDK CLI Version

2.171.0 (build 4957967)

Framework Version

No response

Node.js Version

v20.12.2

OS

MacOS

Language

TypeScript

Language Version

No response

Other information

No response
@bwg bwg added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 27, 2024
@github-actions github-actions bot added package/tools Related to AWS CDK Tools or CLI potential-regression Marking this issue as a potential regression to be checked by team member labels Nov 27, 2024
@rix0rrr rix0rrr added the p0 label Nov 27, 2024
rix0rrr added a commit that referenced this issue Nov 27, 2024
@rix0rrr
fix: MFA code is not requested when $AWS_PROFILE is used
da74ab4 
We only passed in the `mfaCode` function if we got a profile
from `--profile`, not when configured using `$AWS_PROFILE`.

Fixes #32312.
@rix0rrr rix0rrr mentioned this issue Nov 27, 2024
Merged
@ashishdhingra
Copy link
Contributor

Pr #32313 pending merge.

@ashishdhingra ashishdhingra added effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Nov 27, 2024
@mergify mergify bot closed this as completed in #32313 Nov 28, 2024
@mergify mergify bot closed this as completed in 6458439 Nov 28, 2024
@github-actions GitHub Actions
Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

1 similar comment
@github-actions GitHub Actions
Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 28, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug This issue is a bug. effort/small Small work item – less than a day of effort p0 package/tools Related to AWS CDK Tools or CLI potential-regression Marking this issue as a potential regression to be checked by team member
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(cli): mfa code is not requested when $AWS_PROFILE is used aws/aws-cdk
3 participants
@rix0rrr @bwg @ashishdhingra