Default to input() instead of getpass() to fetch MFA credentials
Currently in botocore/credentials.py class AssumeRoleCredentialFetcher the default mfa_prompter is getpass.getpass():
```python
self._mfa_prompter = mfa_prompter
if self._mfa_prompter is None:
    self._mfa_prompter = getpass.getpass
```
This is unusual in that MFA authentication user input normally displays the numeric MFA code as it's typed (see, for example, the AWS web console login process, and TOTP input for most web sites). This improves user convenience at little security risk since the codes, if reusable at all, are usable only for a very short time.
Further, using getpass() is not completely reliable. In some environments, such as a Python script running from the MinGW Bash shell provided with Git for Windows, getpass() doesn't work and instead silently wedges both the script and the window within which it's running.
I suggest the default mfa_prompter be changed to input(), which works in more situations (such as the one described above) and provides a more user-friendly experience.
As an aside, I'd also like to know how a different mfa_prompter could be set within a program that's calling boto3.session.get_session().client('sts').assume_role(); it's not obvious to me from reading the code how this would be done.
I understand your reasoning, but I don't think we would ever change this default.
As for your second question, the mfa_prompter isn't something that can be externally configured. I could see this being useful as it would allow arbitrary MFA sources. Marking as a feature request to allow a custom MFA prompter.
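An added example, not part of the original thread or of botocore: one way for a calling program to prompt for a visible MFA code itself is to pass `SerialNumber` and `TokenCode` straight to `assume_role()`. It assumes the client's own credentials come from a plain (non-role) profile, so the default prompter is not reached. `read_mfa_code`, `assume_role_with_mfa`, `StubSTS` and the ARNs are hypothetical names and constructed values.

```python
import re

# STS expects TokenCode to be exactly six digits.
_TOKEN_RE = re.compile(r"\d{6}")


def read_mfa_code(prompt, reader=input, attempts=3):
    """Read a visible MFA code via `reader`, re-asking on malformed input."""
    for _ in range(attempts):
        # Tolerate the "123 456" grouping many authenticator apps display.
        code = reader(prompt).strip().replace(" ", "")
        if _TOKEN_RE.fullmatch(code):
            return code
        print("Expected a 6-digit code, try again.")
    raise ValueError("no valid MFA code entered")


def assume_role_with_mfa(sts_client, role_arn, mfa_serial,
                         session_name="visible-mfa-example", reader=input):
    """Call AssumeRole with a code this program prompted for itself."""
    code = read_mfa_code(f"Enter MFA code for {mfa_serial}: ", reader)
    response = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        SerialNumber=mfa_serial,
        TokenCode=code,
    )
    return response["Credentials"]


class StubSTS:
    """Constructed stand-in for boto3.client("sts") so this runs offline."""

    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {"AccessKeyId": "EXAMPLE"}}


# Constructed placeholder identifiers, not real resources.
ROLE_ARN = "arn:aws:iam::123456789012:role/example-role"
MFA_SERIAL = "arn:aws:iam::123456789012:mfa/example-user"

if __name__ == "__main__":
    # With boto3 installed, pass boto3.client("sts") instead of StubSTS().
    print(assume_role_with_mfa(StubSTS(), ROLE_ARN, MFA_SERIAL))
```

Because the reader is a parameter, the same function accepts `getpass.getpass` where hidden entry is preferred.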
Adding the ability to change the mfa_prompter when using the boto3 library will do the trick for me.
But I'm curious as to why the default is set this way (there's no explanation in commit 6e13977f1, which is where I think it originated) and why it wouldn't be changed to match the way AWS console (and in fact every other MFA code system I've ever seen) does it.
Greetings! It looks like this issue hasn’t been active in longer than one year. We encourage you to check if this is still an issue in the latest release. Because it has been longer than one year since the last update on this, and in the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment to prevent automatic closure, or if the issue is already closed, please feel free to reopen it.
The issue is still here; there's been no explanation of why, unlike AWS console (and pretty much every other program in the world that uses MFA tokens) this program must not make visible to the user what he is typing.
Greetings! It looks like this issue hasn’t been active in longer than one year. We encourage you to check if this is still an issue in the latest release. Because it has been longer than one year since the last update on this, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment to prevent automatic closure, or if the issue is already closed, please feel free to open a new one.
As far as I can tell, the issue is still there, with no explanation of why this must work differently from every other MFA system including other AWS MFA systems.
To remind you again, this is not just about being different, but that in this particular circumstance the insistence on being different makes the prompt break sometimes and not accept input.
Greetings! It looks like this issue hasn’t been active in longer than one year. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.