
Bug with creating aws_session_token for IAM User credentials without MFA

Open deiga opened this issue 2 years ago • 9 comments

Describe the bug Sessions created with the AWS IAM User Provider and without MFA have trouble accessing IAM resources. One obvious difference from other sessions is that the aws_session_token has quotes around it.

Leapp Version 0.9.0

To Reproduce Steps to reproduce the behavior:

  1. Add a new Session in Leapp (AWS, IAM User)
  2. Fill in credentials for user with full access to all AWS resources, but no MFA enabled.
  3. Start the newly created session
  4. Inside .aws/credentials there should be an entry with aws_session_token="..."
  5. Try to access your own user: aws iam get-user --user-name XXX --profile YYY
  6. Receive error: An error occurred (InvalidClientTokenId) when calling the GetUser operation: The security token included in the request is invalid

Expected behavior The user information is fetched and shown in the console

Desktop (please complete the following information):

  • OS: macOS
  • OS Version 12.2.1
  • Leapp Version 0.9.0

Additional context I tried the same AWS command with the same base credentials, but without temporary credentials and that works.

deiga avatar Mar 11 '22 18:03 deiga

Hi @deiga, I'm pretty sure your issue is related to what the get-session-token documentation says:

The temporary security credentials created by GetSessionToken can be used to make API calls to any Amazon Web Services service with the following exceptions: You cannot call any IAM API operations unless MFA authentication information is included in the request. You cannot call any STS API except AssumeRole or GetCallerIdentity.

ericvilla avatar Mar 12 '22 14:03 ericvilla

@ericvilla That is a very good point! But I still consider it a bug in Leapp, since I don't have any way not to use temporary credentials

deiga avatar Mar 12 '22 16:03 deiga

I just ran into the exact same issue, so I added my MFA device to the AWS IAM User configuration. However, I'm not prompted for an MFA code for some reason.

jalaziz avatar May 18 '22 22:05 jalaziz

Hi @jalaziz, the MFA device should work. Are you sure you have pasted the correct AWS MFA device ARN?

andreacavagna01 avatar Jun 08 '22 10:06 andreacavagna01

I just ran into the exact same issue, so I added my MFA device to the AWS IAM User configuration. However, I'm not prompted for an MFA code for some reason.

@jalaziz I realize this is old but I was running into the same problem. I had to delete the session and re-create it with the MFA device and after that it prompted me for a code.

rudeluv avatar Oct 07 '22 23:10 rudeluv

Interestingly enough, it randomly started working for me after a few tries. I didn't do anything special before it started working. 🤷🏼

jalaziz avatar Oct 07 '22 23:10 jalaziz

We can add this info to the documentation and check the IAM user edited with MFA to close the issue:

The temporary security credentials created by GetSessionToken can be used to make API calls to any Amazon Web Services service with the following exceptions: You cannot call any IAM API operations unless MFA authentication information is included in the request. You cannot call any STS API except AssumeRole or GetCallerIdentity.

andreacavagna01 avatar Nov 03 '22 15:11 andreacavagna01

@andreacavagna01 we definitely have to add the following AWS docs snippet to our documentation:

The temporary security credentials created by GetSessionToken can be used to make API calls to any Amazon Web Services service with the following exceptions: You cannot call any IAM API operations unless MFA authentication information is included in the request. You cannot call any STS API except AssumeRole or GetCallerIdentity.

Two issues can be extracted from this thread:

  • @deiga refers to the possibility to use IAM Users' long-term credentials (instead of generating temporary ones);
  • to solve @jalaziz's and @rudeluv's issue, we have to invalidate the IAM User-related session token from the system keychain (this token is cached and used until it has expired).

@deiga is there a particular reason why you want Leapp to use IAM User's long-term credentials?

ericvilla avatar Jun 14 '23 09:06 ericvilla

@ericvilla This relates to legacy IAM users that don't have MFA. They are used in automation like Terraform. At the time of opening this, I couldn't find a way to use MFA with Terraform and now I haven't looked into that in a while.

deiga avatar Jun 14 '23 11:06 deiga
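The following is an added diagnostic example and is not part of this issue thread or of Leapp's own code. It reads a credentials file in the `.aws/credentials` INI layout, classifies each profile as long-term (no `aws_session_token`) or temporary (session token present), flags the quoted session token reported in the issue, and applies the GetSessionToken rule quoted above to predict whether an IAM API call such as `aws iam get-user` is expected to work. The credentials file content, profile names and key values are constructed placeholders; the treatment of AssumeRole-derived credentials is deliberately out of scope and is labelled as an assumption in the code.

```python
"""Classify AWS CLI credential profiles and predict whether IAM API calls will work.

Added example, not Leapp code. Applies the STS GetSessionToken restriction:
credentials obtained from GetSessionToken cannot call IAM API operations unless
MFA information was included in the GetSessionToken request.
"""
import configparser

# Constructed sample credentials file (placeholder keys and token, not real values).
# The second profile mirrors the symptom from the issue: a quoted aws_session_token.
SAMPLE_CREDENTIALS = """
[legacy-automation]
aws_access_key_id = AKIAPLACEHOLDER000001
aws_secret_access_key = placeholder-secret-1

[leapp-iam-user]
aws_access_key_id = ASIAPLACEHOLDER000002
aws_secret_access_key = placeholder-secret-2
aws_session_token = "placeholder-session-token"
"""


def parse_credentials(text):
    """Return {profile: {key: raw_value}} exactly as written (quotes are kept)."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def has_quoted_session_token(profile):
    """True if aws_session_token is wrapped in double or single quotes in the file."""
    token = profile.get("aws_session_token", "").strip()
    return len(token) >= 2 and token[0] == token[-1] and token[0] in ('"', "'")


def credential_kind(profile):
    """'temporary' when a session token is present, otherwise 'long-term'."""
    return "temporary" if profile.get("aws_session_token") else "long-term"


def iam_calls_expected_to_work(profile, mfa_included):
    """Predict whether IAM API operations can succeed with these credentials.

    Long-term IAM user keys may call IAM APIs (subject to policy). Temporary
    credentials from GetSessionToken may only do so if MFA was included in the
    GetSessionToken request. Assumption: session tokens here come from
    GetSessionToken; credentials from AssumeRole are not modelled.
    """
    if credential_kind(profile) == "long-term":
        return True
    return bool(mfa_included)


def diagnose(text, profile_name, mfa_included, error_text=""):
    """Explain an InvalidClientTokenId error on an IAM call for a given profile."""
    profiles = parse_credentials(text)
    if profile_name not in profiles:
        return "profile not found"
    profile = profiles[profile_name]
    notes = []
    if has_quoted_session_token(profile):
        notes.append("aws_session_token is quoted in the credentials file")
    if "InvalidClientTokenId" in error_text and not iam_calls_expected_to_work(
        profile, mfa_included
    ):
        notes.append(
            "temporary credentials from GetSessionToken without MFA cannot call "
            "IAM API operations; use MFA when requesting the token or use "
            "long-term credentials for this profile"
        )
    return "; ".join(notes) if notes else "no known cause detected"


if __name__ == "__main__":
    err = ("An error occurred (InvalidClientTokenId) when calling the GetUser "
           "operation: The security token included in the request is invalid")
    for name, prof in parse_credentials(SAMPLE_CREDENTIALS).items():
        print(name, credential_kind(prof), diagnose(SAMPLE_CREDENTIALS, name, False, err))
```

Run it against a real `~/.aws/credentials` by passing the file contents to `diagnose()` with the profile name and whether the session was started with an MFA device; a long-term profile is never flagged by the GetSessionToken rule, which matches the observation in the thread that the same base credentials work without temporary credentials.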