
support multi-factor authentication on AWS

Open notestaff opened this issue 5 years ago • 4 comments

I feel uncomfortable storing in my config file AWS keys that can be used without multi-factor authentication. AWS lets you create an IAM user with a security policy that requires recent multi-factor authentication to permit API calls. Could you add support for that? To start any new cluster instances the user would just need to provide a 6-digit code from their MFA device. Thanks a lot!

notestaff avatar Jul 13 '18 16:07 notestaff

Good point, I guess this would be the AWS part of #194

Can you point me to the AWS documentation for the feature you would like to see implemented?

riccardomurri avatar Jul 13 '18 18:07 riccardomurri

It's like this:

```python
import sys

import boto3

mfa_code = sys.argv[1]  # the 6-digit code from the MFA device
mfa_device_id = 'arn:aws:iam::AWS_ACCT_NUMBER:mfa/IAM_USER_NAME'


def get_session_info():
    # Exchange the long-lived keys plus the MFA code for temporary credentials
    sts_client = boto3.client('sts')
    sts_response = sts_client.get_session_token(
        DurationSeconds=900,
        SerialNumber=mfa_device_id,
        TokenCode=mfa_code
    )
    creds = sts_response.pop('Credentials')
    print(sts_response)
    return dict(aws_access_key_id=creds['AccessKeyId'],
                aws_secret_access_key=creds['SecretAccessKey'],
                aws_session_token=creds['SessionToken'])


session_info = get_session_info()

# All subsequent EC2 calls use the temporary, MFA-backed credentials
ec2_client = boto3.client('ec2', **session_info)
ec2_resource = boto3.resource('ec2', **session_info)
```

notestaff avatar Jul 13 '18 19:07 notestaff
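A fuller sketch of the flow from the comment above, added here as an example and not code from elasticluster or the commenter: the MFA code is validated and read from a prompt, the STS response is turned into boto3 keyword arguments, and the temporary credentials are cached in an owner-only file until shortly before they expire, so that a 15-minute session is reused rather than prompting on every command. The device ARN and the cache path are hypothetical; `sts_client` can be any object with a `get_session_token` method, so the logic runs without AWS access.

```python
import getpass
import json
import os
import re
from datetime import datetime, timezone

MFA_DEVICE_ARN = "arn:aws:iam::123456789012:mfa/example-user"  # hypothetical
CACHE_PATH = os.path.expanduser("~/.elasticluster/aws-mfa-session.json")  # hypothetical

def valid_token_code(code):
    return re.fullmatch(r"[0-9]{6}", code) is not None  # a typo never reaches STS

def request_session(sts_client, device_arn, token_code, duration=900):
    """Trade the long-lived keys plus an MFA code for temporary credentials."""
    if not valid_token_code(token_code):
        raise ValueError("MFA code must be exactly 6 digits")
    creds = sts_client.get_session_token(
        DurationSeconds=duration, SerialNumber=device_arn, TokenCode=token_code
    )["Credentials"]
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"],
            # boto3 returns Expiration as an aware datetime; keep it as ISO text
            "expires_at": creds["Expiration"].isoformat()}

def still_valid(session, now=None, skew_seconds=60):
    """True while the session has more than skew_seconds of life left."""
    expires = datetime.fromisoformat(session["expires_at"])
    return (expires - (now or datetime.now(timezone.utc))).total_seconds() > skew_seconds

def load_cached(path=CACHE_PATH):
    try:
        with open(path) as f:
            session = json.load(f)
    except (OSError, ValueError):
        return None
    return session if still_valid(session) else None

def save_cache(session, path=CACHE_PATH):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # owner-only
    with os.fdopen(fd, "w") as f:
        json.dump(session, f)

if __name__ == "__main__":
    import boto3  # network calls happen only when run as a script
    session = load_cached()
    if session is None:  # prompt, not argv: argv is visible to other users via ps
        session = request_session(boto3.client("sts"), MFA_DEVICE_ARN, getpass.getpass("MFA code: "))
        save_cache(session)
    ec2 = boto3.client("ec2", **{k: v for k, v in session.items() if k != "expires_at"})  # MFA-backed
```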

https://boto3.readthedocs.io/en/latest/reference/services/sts.html#STS.Client.get_session_token

notestaff avatar Jul 13 '18 19:07 notestaff

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_sample-policies.html

notestaff avatar Jul 13 '18 19:07 notestaff