MFA with chained roles with IAM credentials
MFA with chained roles with IAM credentials does not work as expected. Set up to reproduce the error:
[profile testing]
role_arn = arn:aws:iam::616777145260:role/example-role
region = us-west-2
source_profile = testmfa2
[profile testmfa2]
region = us-west-2
mfa_serial = arn:aws:iam::616777145260:mfa/Duo-shwetha
credential_process = granted credential-process --profile=testmfa2
❯ assume testing
[✘] operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: ec58cdde-7f57-4dcf-b466-b6990cec9c9d, api error InvalidClientTokenId: The security token included in the request is invalid.
It does not correctly recognize that it has to prompt for MFA.
I think you have your config reversed. It works for me with:
[profile lxk-iam]
region = us-east-1
credential_process = granted credential-process --profile=lxk-iam
[profile lxk-sandbox]
role_arn = arn:aws:iam::000000000000:role/@Global_Administrator
source_profile = lxk-iam
region = us-east-1
mfa_serial = arn:aws:iam::111111111111:mfa/mfa-cli
❯ assume lxk-sandbox
? MFA Token
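
Added example, not part of the thread or of the granted project: a small Python check that walks a role profile's `source_profile` chain and reports where `mfa_serial` sits relative to `role_arn`, which is the difference between the two layouts posted above. The function names `load` and `mfa_placement` and the result labels are hypothetical; the embedded config text is copied from the two comments.

```python
import configparser

# The two layouts from the thread, embedded so the check runs offline.
REPORTED = """
[profile testing]
role_arn = arn:aws:iam::616777145260:role/example-role
region = us-west-2
source_profile = testmfa2
[profile testmfa2]
region = us-west-2
mfa_serial = arn:aws:iam::616777145260:mfa/Duo-shwetha
credential_process = granted credential-process --profile=testmfa2
"""
REPLY = """
[profile lxk-iam]
region = us-east-1
credential_process = granted credential-process --profile=lxk-iam
[profile lxk-sandbox]
role_arn = arn:aws:iam::000000000000:role/@Global_Administrator
source_profile = lxk-iam
region = us-east-1
mfa_serial = arn:aws:iam::111111111111:mfa/mfa-cli
"""

def load(text):
    """Parse AWS config text into {profile_name: {key: value}}."""
    # Split on '=' only, so ':' inside ARNs is never treated as a delimiter.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {s.removeprefix("profile ").strip(): dict(cp[s]) for s in cp.sections()}

def mfa_placement(profiles, name):
    """Say where mfa_serial is set for a role profile and its source chain."""
    start = profiles[name]
    if "role_arn" not in start:
        return "not-a-role-profile"
    if "mfa_serial" in start:
        return "on-role-profile"
    seen, cur = {name}, start.get("source_profile")
    while cur and cur in profiles and cur not in seen:  # guard against cycles
        seen.add(cur)
        if "mfa_serial" in profiles[cur]:
            return "on-source-profile:" + cur
        cur = profiles[cur].get("source_profile")
    return "absent"
```

Point `load` at the contents of `~/.aws/config` to see which of the two layouts a given role profile uses.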