
terraforming + MFA

Open jaypatrickhoward opened this issue 6 years ago • 2 comments

Anybody gotten it to work with MFA? I have the MFA serial specified in my AWS credentials under the "mfa_serial" tag, but when I run terraforming I get:

/Library/Ruby/Gems/2.3.0/gems/aws-sdk-core-3.24.1/lib/seahorse/client/plugins/raise_response_errors.rb:15:in 'call': MultiFactorAuthentication failed, must provide both MFA serial number and one time pass code. (Aws::STS::Errors::AccessDenied)

Where might one specify the one-time pass code? Command line? Environment variable? Should I expect to be prompted?

jaypatrickhoward avatar Aug 27 '18 18:08 jaypatrickhoward

@jaypatrickhoward I've been successfully running terraforming with MFA-enabled AWS credentials using AWS profiles, but I have to manually roll the MFA temporary credentials since terraforming doesn't appear to support passing MFA token codes. It's not an ideal workflow, but it works. I'm starting to look at tooling to ease this workflow, such as aws-mfa.

Your AWS profiles credentials file would look like this:

[mfa]
aws_access_key_id = <mfa_temporary_access_key>
aws_secret_access_key = <mfa_temporary_secret_access_key>
aws_session_token = <mfa_temporary_session_token>

From there, I have a script that runs terraforming across all our regions and passes in the profile name to each invocation of terraforming with the --profile mfa flag.

hickeycm avatar Aug 30 '18 21:08 hickeycm
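The manual credential roll described in the comment above, as an added example that is not part of the original thread or of terraforming: it takes the JSON printed by `aws sts get-session-token` and rewrites the `[mfa]` profile. The script name `roll_mfa.py`, the function names and the sample values are assumptions made for illustration.

```python
import configparser, json, os, sys, tempfile
from datetime import datetime, timezone

# Constructed sample of `aws sts get-session-token --output json` (placeholder values).
SAMPLE = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "constructed-secret",
    "SessionToken": "constructed-session-token",
    "Expiration": "2018-08-31T09:08:00Z"}})

def parse_session(sts_json, now=None):
    """Map STS output to credentials-file keys; refuse already-expired sessions."""
    creds = json.loads(sts_json)["Credentials"]
    # Python < 3.11 cannot parse a trailing "Z", so normalise it first.
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expires <= (now or datetime.now(timezone.utc)):
        raise ValueError("session expired at " + creds["Expiration"])
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }

def write_profile(path, profile, values):
    """Replace one profile section and keep the others (comments are not preserved)."""
    cfg = configparser.RawConfigParser()  # Raw: no '%' interpolation of secrets
    cfg.read(path)
    cfg[profile] = values  # clears stale keys left in an existing section
    # mkstemp creates the file 0600; os.replace swaps it in atomically,
    # so the secrets never sit in a world-readable or half-written file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.replace(tmp, path)

if __name__ == "__main__":
    # Assumed usage (roll_mfa.py is a hypothetical name):
    #   aws sts get-session-token --serial-number <mfa_serial> \
    #       --token-code <code> --output json | python roll_mfa.py mfa
    profile = sys.argv[1] if len(sys.argv) > 1 else "mfa"
    path = os.path.expanduser("~/.aws/credentials")
    write_profile(path, profile, parse_session(sys.stdin.read()))
```

The long-lived access key used to call STS must live in a different profile than the one being overwritten, otherwise the next roll has no credentials to start from.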

I've found the best way to handle MFA with both Terraform and this tool is to configure the CLI to assume a role via MFA [1], and then use a tool like aws-vault to set the appropriate environment variables [2] when invoking terraforming.

[1] https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-configure-role-mfa
[2] https://github.com/99designs/aws-vault

theaboutbox avatar Sep 04 '19 15:09 theaboutbox