
Dialog to enter MFA code is not popping up

Open nraddy opened this issue 5 years ago • 9 comments

https://github.com/aws/aws-toolkit-jetbrains/blob/7bb1c9df12f95be9783dd1564b1070731e9962ea/jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/MfaSupport.kt#L23

  • A reproducible test case or series of steps: Install AWS toolkit, have AWS accounts (one for self, another one on which self account assumes role) in the config file ~/.aws/config

  • The version of the plugin being used, which JetBrains IDE being used (and version)

JetBrains IDE version:

IntelliJ IDEA 2020.3 (Ultimate Edition)
Build #IU-203.5981.155, built on November 30, 2020
Runtime version: 11.0.9+11-b1145.21 x86_64
VM: OpenJDK 64-Bit Server VM by JetBrains s.r.o.
macOS 10.15.7
GC: ParNew, ConcurrentMarkSweep
Memory: 1979M
Cores: 16
Non-Bundled Plugins: IdeaVIM, Key Promoter X, com.intellij.ideolog, org.intellij.plugins.hcl, uk.co.ben-gibson.remote.repository.mapper, tech.central.ai.awstail, training, JMeter plugin, String Manipulation, call-graph, com.dmarcotte.handlebars, aws.toolkit, com.viartemev.requestmapper, com.google.gct.core, com.intellij.plugins.html.instantEditing, org.intellij.scala

AWS toolkit version: 1.22-203

  • Anything unusual about your environment (e.g. recently installed plugins etc.): Nope. I have been trying to get AWS toolkit working for the past 2 months (even tried in prev versions of IDE & plugin) unsuccessfully. I searched around and tried a few workarounds and suggestions, but none helped.

The window to input "MFA Code" is not popping up. I didn't find any error either in IDE logs related to popping up a window, only that the assumeRole failed. I expect that to happen as I have not authenticated using MFA yet.

nraddy avatar Dec 02 '20 23:12 nraddy

I am not able to reproduce this.

Here is my setup: ~/.aws/config

[profile mfaUser]
aws_access_key_id = <ACCESS_KEY>
aws_secret_access_key = <SECRET_KEY>

[profile mfaRole]
role_arn = arn:aws:iam::<ID>:role/mfa_role
source_profile = mfaUser
mfa_serial = arn:aws:iam::<ID>:mfa/mfa-test

Does yours look the same?

abrooksv avatar Dec 03 '20 01:12 abrooksv

Apologies for the delay! Thank you for the prompt response. My ~/.aws/config looks like:

[default]
mfa_serial=arn:aws:iam::<ID>:mfa/<username>
region=us-east-2
[profile <account name>]
region=us-east-1
source_profile=default
parent_profile=default

and my ~/.aws/credentials looks like:

[default]
aws_access_key_id = <ACCESS_KEY>
aws_secret_access_key = <SECRET_KEY>

I will try your suggestion and see if I am able to get it working.

nraddy avatar Dec 08 '20 05:12 nraddy

I figured out the issue - I had to replicate "mfa_serial" under [default] profile to each of the profiles for the IntelliJ IDE to ask me for mfa.

If anything needs to be fixed, the "mfa_serial" should be read from "source_profile" instead.

This is the change I made, added the line highlighted by ** below (of course without ** in the actual file):

[default]
mfa_serial=arn:aws:iam::<ID>:mfa/<username>
region=us-east-1
[profile <account name>]
region=us-east-1
source_profile=default
parent_profile=default
**mfa_serial=arn:aws:iam::<ID>:mfa/<username>**

nraddy avatar Dec 08 '20 06:12 nraddy

I have 25 profiles in the config file, so I had to copy "mfa_serial" to each of the profiles for the IDE to ask me for MFA :(

I am happy that at least your response helped me to identify the solution. I would like to see this info added to one of the FAQ / help pages for anyone else like me who runs into this problem. (The best solution would be to fix the plugin to read "mfa_serial" from "source_profile" itself.)

Please let me know if you have a suggestion.

nraddy avatar Dec 08 '20 06:12 nraddy

We require that the mfa_serial must be a sibling to the source_profile key when assuming roles.

https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#using-aws-iam-roles documents this.

Sorry for the inconvenience, but changing this behavior would require changing it for all the SDKs and updating our internal profile file specification.

abrooksv avatar Dec 08 '20 17:12 abrooksv
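
The sibling rule stated in the comment above, as an added check that is not part of the original thread or the toolkit's code: it lists every profile that sets `source_profile` without its own `mfa_serial` while the source profile defines one. The function name and the sample config are constructed for illustration, and only the text of `~/.aws/config` is inspected (keys kept in `~/.aws/credentials` are not read).

```python
import configparser

# Constructed sample config (account IDs and names are placeholders).
SAMPLE_CONFIG = """\
[default]
mfa_serial = arn:aws:iam::111111111111:mfa/example-user
region = us-east-2

[profile roleWithoutMfa]
role_arn = arn:aws:iam::222222222222:role/example_role
source_profile = default

[profile roleWithMfa]
role_arn = arn:aws:iam::222222222222:role/example_role
source_profile = default
mfa_serial = arn:aws:iam::111111111111:mfa/example-user
"""


def find_missing_mfa_serial(config_text):
    """List profiles that rely on mfa_serial being inherited from source_profile.

    Returns (section, source_profile, mfa_serial_to_copy) tuples for every
    section that sets source_profile, has no mfa_serial of its own, and
    points at a source profile that does define one.
    """
    parser = configparser.RawConfigParser(
        delimiters=("=",), default_section="__unused__"
    )
    parser.read_string(config_text)
    findings = []
    for section in parser.sections():
        if not parser.has_option(section, "source_profile"):
            continue
        if parser.has_option(section, "mfa_serial"):
            continue  # already a sibling of source_profile
        source = parser.get(section, "source_profile").strip()
        # The config file accepts both "[default]" and "[profile name]".
        for candidate in (source, f"profile {source}"):
            if parser.has_option(candidate, "mfa_serial"):
                findings.append(
                    (section, source, parser.get(candidate, "mfa_serial"))
                )
                break
    return findings


if __name__ == "__main__":
    for section, source, serial in find_missing_mfa_serial(SAMPLE_CONFIG):
        print(f"[{section}] add: mfa_serial = {serial}  (from [{source}])")
```
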

That's a reasonable explanation not to branch out the logic for the toolkit. Would it help to add an example config with mfa_serial somewhere in the documentation? I strongly think it would. It was not clearly understandable from that documentation that even if "mfa_serial" is specified under "source_profile", it needs to be added again explicitly as a sibling to "source_profile" for each profile when assuming roles.

I read that documentation you linked, but until I saw the example config you pasted above, I did not catch the issue. Since I had the mfa_serial under "source_profile", I did not make the connection to declare it under each profile again to assume roles.

At this point, I am comfortable closing this issue. Please let me know if it would help to keep this open to track the documentation update.

nraddy avatar Dec 08 '20 21:12 nraddy

Sorry to reopen this, but I'm having the same issue. My config:

[default]
region = eu-west-2

[profile EngineeringTest]
source_profile = default
region = eu-west-1
mfa_serial = arn:aws:iam::<id>:mfa/James.Mahy

When I switch the AWS profile at the bottom, nothing pops up.

If I close and reopen the project with "AWS explorer" open, it'll show me a button to Enter MFA code. Pressing that doesn't show me a popup; instead it shows me the resource types, but of course clicking into a folder, it tells me I don't have access.

JamesMahy avatar Feb 20 '22 10:02 JamesMahy

I met the same issue now

zalejus avatar Oct 12 '22 07:10 zalejus

This is still an issue :(

landsman avatar Oct 23 '23 17:10 landsman