granted icon indicating copy to clipboard operation
granted copied to clipboard
verified publisher icon common-fate

--mfa-token not registering from CLI, only from prompt

Open jimweller opened this issue 1 year ago • 5 comments

The --mfa-token switch does not seem to work when using a source_profile. But it does work by inputting it on the prompt.

Below I use the TOTP seed to generate an OTP. I call assume with the --mfa-token switch, but assume still prompts for an OTP. The --mfa-token does not seem to register the OTP parameter. But the OTP works by putting it in the prompt.

❯ export OTP=$(echo 0000O73YQPSHRX6DNWOCD6| totp-cli instant) && echo $OTP
743051
❯ assume lxk-sandbox --mfa-token 743051
? MFA Token 743051
[✔] [lxk-sandbox](us-east-1) session credentials will expire in 1 hour

My profiles look like

[profile lxk-iam]
region             = us-east-1
credential_process = granted credential-process --profile=lxk-iam

[profile lxk-sandbox]
role_arn       = arn:aws:iam::00000000000:role/@Global_Administrator
source_profile = lxk-iam
region         = us-east-1
mfa_serial     = arn:aws:iam::111111111111:mfa/mfa-cli

jimweller avatar Feb 05 '24 22:02 jimweller

I should probably mention that the lxk-iam profile, the source_profile, is not SSO. It's ACCESS_KEY/SECRET.

jimweller avatar Feb 05 '24 22:02 jimweller

It does work with the --chain switch.

assume --mfa-token $OTP --chain lxk-sandbox lxk-iam

jimweller avatar Feb 06 '24 01:02 jimweller

Version: 0.20.7

jimweller avatar Feb 06 '24 14:02 jimweller