
Support MFA refreshing

Open IvoMerchiers opened this issue 6 years ago • 6 comments

Problem

When Multi-factor-authentication (MFA) credentials expire, boto makes no attempt to refresh them, but immediately throws the error: RefreshWithMFAUnsupportedError: Cannot refresh credentials: MFA token required.

Relevant code

This is due to the refresher not being implemented yet. https://github.com/boto/botocore/blob/c6ebb3be3acc946e3b706333294320dc7e304dd7/botocore/credentials.py#L222-L238

Proposed solution

Implement the suggestion proposed in the refresher.

Some context

For context: I use boto3 with MFA in a Jupyter notebook (through s3fs). If I wait too long between making 2 calls, I get the error. As a result I have to restart my entire kernel, which can result in a big loss of time.

IvoMerchiers avatar Aug 09 '19 08:08 IvoMerchiers

@IvoMerchiers - Thank you for your post. I would mark this as a feature request.

swetashre avatar Aug 12 '19 22:08 swetashre

@swetashre Is there any way to see a roadmap/timeline for such features? Or even to have an idea of whether this is being worked on?

Because this is quite a hassle in long-running processes now.

IvoMerchiers avatar Feb 19 '20 12:02 IvoMerchiers

As IvoMerchiers mentioned, restarting the kernel in Jupyter will allow you to manually force the MFA refresh request when your session times out.

monkut avatar May 29 '20 04:05 monkut

I just ran into this issue as well. While I can restart the Jupyter kernel to refresh the MFA, it is not ideal, especially if running a long process. Any update on this issue?

othrif avatar Oct 27 '20 21:10 othrif

Any update on this feature?

mfoglio avatar Aug 22 '23 19:08 mfoglio

Here's a workaround I implemented. This will prompt for an MFA token when the current temporary credentials are close to expiring (the default advisory expiration period in boto3 is 900 seconds).

Given how simple this implementation appears I don't understand why this isn't already implemented in core. Perhaps there are some edge cases that make this option sub-optimal. For my use-cases, this is working so far.

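def fix_boto_assume_role_with_mfa_refresh(session):
    # The session's credentials keep their refresh callable in _refresh_using.
    credentials = session.get_credentials()
    # If that callable is a wrapper exposing the real refresh function as
    # _refresh, call the real function directly from now on.
    real_refresh = getattr(credentials._refresh_using, '_refresh', None)
    if callable(real_refresh):
        credentials._refresh_using = real_refresh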

Example usage:

import boto3
session = boto3.Session()
fix_boto_assume_role_with_mfa_refresh(session)
ec2 = session.client('ec2')

The effect of the above hack is to remove the following lines:

https://github.com/boto/botocore/blob/34adb1efcb6f7f94787d2deb54d7163e17dfbfb2/botocore/credentials.py#L1528-L1529

kylegibson-rldatix avatar Mar 25 '24 15:03 kylegibson-rldatix
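
An offline model of the behaviour discussed in this thread, added here as an example; it is not part of any comment above and is not botocore code. The classes `MfaRefreshUnsupported`, `OneShotRefresher` and `FakeCredentials` and the helper `make_assume_role` are hypothetical stand-ins; only the attribute names `_refresh_using` and `_refresh` are taken from the workaround.

```python
"""Offline model of a one-shot MFA refresher and the unwrap workaround.
Every class here is a constructed stand-in, not botocore code."""


class MfaRefreshUnsupported(Exception):
    """Stand-in for the RefreshWithMFAUnsupportedError quoted in the issue."""


class OneShotRefresher:
    """Allows the first refresh, then refuses (the behaviour the issue reports)."""

    def __init__(self, refresh):
        self._refresh = refresh          # the real refresh callable
        self._has_been_called = False

    def __call__(self):
        if self._has_been_called:
            raise MfaRefreshUnsupported(
                "Cannot refresh credentials: MFA token required")
        self._has_been_called = True
        return self._refresh()


class FakeCredentials:
    """Minimal credentials object that keeps its refresher in _refresh_using."""

    def __init__(self, refresh_using):
        self._refresh_using = refresh_using

    def refresh(self):
        return self._refresh_using()


def unwrap_mfa_refresher(credentials):
    """Same logic as the workaround: replace the wrapper with what it wraps."""
    real_refresh = getattr(credentials._refresh_using, "_refresh", None)
    if callable(real_refresh):
        credentials._refresh_using = real_refresh
        return True
    return False  # nothing to unwrap, e.g. a refresher that is a plain function


def make_assume_role(prompt_for_token):
    """Fake assume-role call that asks for an MFA code on every invocation."""
    def assume_role():
        return {"token_code_used": prompt_for_token()}
    return assume_role
```

In this model every refresh after the unwrap calls the token prompt again, so a process with nobody at the keyboard would wait on that prompt instead of failing fast.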