configure-aws-credentials

MFA/2fa support.

Open seivan opened this issue 3 years ago • 17 comments

Is there any way to use the new workflow input features to request a 2FA code when getting temporary credentials and put it in during the steps?

seivan avatar Mar 03 '21 17:03 seivan

@seivan, Thank you for your question. May I know why assuming a role with this action doesn't work for you?

paragbhingre avatar Mar 05 '21 20:03 paragbhingre

@paragbhingre Does that allow for external confirmation via 2FA? It just seems like it uses a set of credentials to get access to another set of credentials where the only redeeming factor is the time-limit so they're temporary, which has value, but not exactly 2FA.

Would be nice if we could use a virtual MFA (say Google Authenticator) before the steps as an input using something like https://github.com/peter-evans/slash-command-dispatch

seivan avatar Mar 05 '21 21:03 seivan

@seivan can you describe the kind of user experience you're looking for here? We envision this action executing in workflows driven by programmatic events (e.g., pushes to a repo), which don't typically require or lend themselves well to human intervention (like entering a 2FA code), but I could be missing something?

allisaurus avatar Mar 09 '21 23:03 allisaurus

@seivan can you describe the kind of user experience you're looking for here? We envision this action executing in workflows driven by programmatic events (e.g., pushes to a repo), which don't typically require or lend themselves well to human intervention (like entering a 2FA code), but I could be missing something?

No, you got it right! 👍🏼 That's exactly what I am looking for. And I half-agree with you... for every branch except master :-)

With the recent issues, I would say it's time to enable and promote 2FA for letting the CI access your AWS account that enables it to modify or create resources.

The part I disagree with is that human intervention does not lend itself to this; there are several aspects of a deployment pipeline where you might want a human to approve or review changes to resources, like a canary to production. For GitHub Enterprise they added Workflow Events that give you a UI to add input parameters to start workflows. But that's not related to the topic at hand.

seivan avatar Mar 10 '21 12:03 seivan

there are several aspects of a deployment pipeline where you might want a human to approve or review changes to resources

@seivan I agree with this! Manual approvals in a pipeline, etc., make perfect sense in lots of situations. But MFA is typically used as an extra layer of security for human users authenticating via a web portal, so I'm having trouble picturing what actions your GitHub workflow may need to take which would require it. Are you perhaps trying to assume a role which requires MFA? In that case we could potentially provide SerialNumber and TokenCode input fields to this action. Would that help, or are you trying to do something different?

allisaurus avatar Mar 23 '21 18:03 allisaurus

@allisaurus Let me rephrase it. As of today, with the current setup, if your keys to assume a role that has any form of permission to CRUD your production resources get compromised without you knowing, you are shit out of luck.

Adding 2FA as a step before the CI can assume said role makes those keys worthless as the human component is missing. The CI has knowledge (token) to assume a role, but it should also require possession to generate a one time token.

make perfect sense in lots of situations.

And the opposite is true; there is no situation where a CI should create/deploy production without a one-time 2FA auth token generated by a human with a secure device. Whether that's virtual (iPhone, e.g. the Google Authenticator app) or physical hardware is a different topic; we use virtual.

Right now we have to keep updating GitHub Organization secrets with our OTP every time we want to deploy, which is cumbersome and error prone.

seivan avatar Mar 23 '21 19:03 seivan

Adding a more general take on this issue (feel free to ignore if it derails the conversation).

If an organization wants/needs another layer of security to limit the impact of the exposure of IAM user access keys, is there an approach that would work with GitHub Actions? MFA is problematic as it generally requires a human. IP address restriction is also challenging given the 1600 IP ranges for GitHub-hosted runners.

Are there any other options?

dtlaycock avatar Mar 23 '21 21:03 dtlaycock

@dtlaycock Yeah, run it on your own hardware that you control and host your keys in SSM. Regardless, the security impact of token loss (feel free to correct me) is nil if it requires human auth. Not saying you can do no wrong; I mean you could obviously auth a hostile user if you don't pay attention.

My concern is mostly that tokens getting exposed somewhere (logs, etc.) becomes moot, as they are essentially worthless on their own.

seivan avatar Mar 23 '21 21:03 seivan

@seivan there's a couple things going on here, but to go back to your original question:

Is there any way to use the new workflow input features to request a 2FA code?

Which "workflow input features" are you referring to specifically? My information may be dated, but as far as I'm aware the only way to supply a GitHub action with inputs is via named input fields. Through what means do you want to be prompted for and supply a 2fa code?

allisaurus avatar Mar 30 '21 04:03 allisaurus

@allisaurus That's up to you.

There are several options, though some require GitHub Enterprise.

You could start with https://github.com/peter-evans/slash-command-dispatch and eventually integrate it with Slack or Discord to get prompted to input a token.

I apologize, I think you mentioned something earlier and I must have missed it!

In that case we could potentially provide SerialNumber and TokenCode input fields to this action. Would that help, or are you trying to do something different?

This could actually be useful. If you could use the AWS CLI with just TokenCode, then that would be a good start, no?

seivan avatar Mar 30 '21 13:03 seivan

You could start with https://github.com/peter-evans/slash-command-dispatch and eventually integrate it with Slack or Discord to get prompted to input a token.

So directly integrating with or taking a dependency on a third party (non-Amazon) action is something I don't foresee us being able to do, but we can take a look at what other options native to GitHub actions we might be able to leverage or recommend to users. To @dtlaycock 's point, I think we do lack explicit guidance on how workflow authors might further lock down this action (or others), and that's a more general gap we should try to address.

Switching the label on this to a feature request as adding support for SerialNumber and TokenCode inputs is something we could feasibly do to help folks leverage MFA with this action. Thanks v much for the discussion here! I think we're closer to being able to offer folks more options w/r/t authenticating calls to AWS.

allisaurus avatar Apr 08 '21 16:04 allisaurus
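The SerialNumber/TokenCode flow discussed above, as an added example that is not code from the configure-aws-credentials project or from anyone in this thread: a `workflow_dispatch` workflow takes the current TOTP code as an input and calls `aws sts assume-role` directly, so the long-lived IAM user keys in the repository secrets are useless on their own once the role's trust policy carries the condition `"Bool": {"aws:MultiFactorAuthPresent": "true"}`. The role ARN, MFA device ARN, region and secret names are placeholders.

```yaml
# Added example (not the action's own code). Replace the placeholder ARNs,
# region and secret names with your own. The role's trust policy must require
# MFA (aws:MultiFactorAuthPresent = true) for the keys alone to be worthless.
name: deploy-with-mfa
on:
  workflow_dispatch:
    inputs:
      token_code:
        description: "Current 6-digit code from the virtual MFA device"
        required: true

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Assume MFA-protected role with STS
        shell: bash
        env:
          # Keys of the IAM user that owns the MFA device (placeholder secrets).
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_REGION: us-east-1                                   # placeholder
          ROLE_ARN: arn:aws:iam::123456789012:role/deploy-prod     # placeholder
          MFA_SERIAL: arn:aws:iam::123456789012:mfa/ci-deployer    # placeholder
          TOKEN_CODE: ${{ github.event.inputs.token_code }}
        run: |
          set -euo pipefail
          # Keep the one-time code out of the job log even though it expires.
          echo "::add-mask::$TOKEN_CODE"
          case "$TOKEN_CODE" in
            [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
            *) echo "token_code must be exactly six digits" >&2; exit 1 ;;
          esac
          # STS rejects this call unless the code matches the device in
          # MFA_SERIAL; the resulting session is what later steps use.
          read -r AK SK ST < <(aws sts assume-role \
              --role-arn "$ROLE_ARN" \
              --role-session-name "gha-${GITHUB_RUN_ID}" \
              --serial-number "$MFA_SERIAL" \
              --token-code "$TOKEN_CODE" \
              --duration-seconds 900 \
              --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
              --output text)
          echo "::add-mask::$SK"
          echo "::add-mask::$ST"
          {
            echo "AWS_ACCESS_KEY_ID=$AK"
            echo "AWS_SECRET_ACCESS_KEY=$SK"
            echo "AWS_SESSION_TOKEN=$ST"
          } >> "$GITHUB_ENV"

      - name: Verify the MFA-backed session
        run: aws sts get-caller-identity
```

Two caveats a practitioner should keep in mind. A TOTP code is only valid for a short window (30 seconds plus AWS's tolerance), so the assume-role step has to run first, before a checkout or dependency install, and a run that sits in the queue will fail and need a fresh code. And `workflow_dispatch` inputs are recorded with the run, so the `::add-mask::` line only keeps the code out of step output; its real protection is that it is single-use and expires, which is why the short-lived session (here 900 seconds, the STS minimum) is preferable to exporting anything longer-lived.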

@allisaurus I am not asking AWS to use a third party action.

That was just an example on how to provide the generated token.

Correct me if I am wrong, but as of now there is no way to supply a generated token to AWS without modifying env variables? More importantly there is no way to use generated tokens?

Am I wrong? This is a security issue more than anything, because expecting to give CRUD access to a CI with tokens that can be used if exposed is somewhat dangerous. Doesn't matter if it's to assume role of something higher privileged or not.

I don't mind exposing burnable one time for a specific moment in time, but having them set permanently for production environment is a bit much.

Switching the label on this to a feature request as adding support for SerialNumber and TokenCode inputs is something we could feasibly do to help folks leverage MFA with this action. Thanks v much for the discussion here! I think we're closer to being able to offer folks more options w/r/t authenticating calls to AWS.

Yes, this is what I am asking for.

The ability to supply them outside of hard-coded env variables; the third-party action (or Slack/Discord approach) were just examples. I hope that's clear!

seivan avatar Apr 08 '21 16:04 seivan

I just want to voice my support for this feature request and hope someone is able to get this working as our team is facing the same problem (and organizational requirements)

DavidVaness avatar May 27 '21 12:05 DavidVaness

I came across this requirement today also and I agree that adding support for SerialNumber and TokenCode inputs is probably the best approach.

dtuite avatar Jul 14 '21 10:07 dtuite

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

github-actions[bot] avatar Oct 01 '22 04:10 github-actions[bot]

I just wanted to share this in case it helps. You can use https://github.com/step-security/wait-for-secrets GitHub Action to enter MFA tokens during a GitHub Actions workflow. Developers can enter secrets using a web browser and use them in the workflow.

varunsh-coder avatar Dec 09 '22 16:12 varunsh-coder

I am also interested in this being implemented. My case is calling a GitHub action from a third-party app via workflow_dispatch.

stojce avatar Feb 13 '23 10:02 stojce