signavio / aws-mfa-login
small CLI tool to do aws with mfa and update credentials in local aws config
License: MIT License
Newer MacOS have the M1 processor, which is based on arm64, so we should support this architecture too.
With kubectl client version 1.24 we get the following error:
error: exec plugin: invalid apiVersion "client.authentication.k8s.io/v1alpha1"
client.authentication.k8s.io/v1alpha1 has been deprecated, and v1beta1 has been available since kubernetes version 1.11, so we can safely upgrade the client api version.
See kubernetes/kubernetes#64482
This is a breaking change since the user is required to update to the latest aws cli version, more specifically >= 1.20.9 or >= 2.2.24
I updated to the latest version available and tried to use it.
I just tried to create an update cluster config:
#####
source: SignavioSass_dev
destination: mfa
#####
detected MFA device with serial number arn:aws:iam::291496782177:mfa/alessandro.surace
enter 6-digit MFA code: 646661
Sucessfully update access tokens for profile mfa.
Access will be valid for 11 hours. You can now your profile.
export AWS_PROFILE=mfa
> aws-mfa-login cluster setup
The kube config file is not updated.
We want to assume different roles per cluster, so we can switch the role with kubectx suite-staging or kubectx suite-staging-debug. This would look like the following ~/.aws-mfa.yaml:
source: suite
destination: mfa
clusters:
  # staging
  - name: eks-staging_eu
    alias: suite-staging
    accountId: "1234567890"
    role: DeveloperAccessRole
    region: eu-central-1
  - name: eks-staging_eu
    alias: suite-staging-debug
    accountId: "1234567890"
    role: DebugAccessRole
    region: eu-central-1
By default this is not possible with the cli command aws eks update-kubeconfig.
See this issue aws/aws-cli#5413 and aws/aws-cli#4079
So this means I would need to implement aws eks update-kubeconfig completely in golang unless this is not merged
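One way to express the per-alias roles from the config above, as an added example that is not aws-mfa-login's own code: each alias gets its own kubeconfig exec user that calls aws eks get-token with --role-arn and the v1beta1 exec API, so every kubectx context is bound to exactly one role. The Cluster and Exec types, the function names, and the region-prefix partition rule are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Cluster mirrors one entry of the clusters list in ~/.aws-mfa.yaml.
type Cluster struct{ Name, Alias, AccountID, Role, Region string }

// Exec is the kubeconfig exec credential plugin stanza (users[].user.exec).
type Exec struct {
	APIVersion string              `json:"apiVersion"`
	Command    string              `json:"command"`
	Args       []string            `json:"args"`
	Env        []map[string]string `json:"env"`
}

// RoleARN builds the role ARN; partition-from-region-prefix is this example's assumption.
func RoleARN(c Cluster) string {
	p := "aws"
	if strings.HasPrefix(c.Region, "cn-") {
		p = "aws-cn"
	}
	return fmt.Sprintf("arn:%s:iam::%s:role/%s", p, c.AccountID, c.Role)
}

// ExecFor returns the v1beta1 exec stanza that assumes this alias's role via the MFA profile.
func ExecFor(c Cluster, profile string) Exec {
	return Exec{
		APIVersion: "client.authentication.k8s.io/v1beta1",
		Command:    "aws",
		Args: []string{"--region", c.Region, "eks", "get-token",
			"--cluster-name", c.Name, "--role-arn", RoleARN(c)},
		Env: []map[string]string{{"name": "AWS_PROFILE", "value": profile}},
	}
}

func main() {
	// Sample values taken from the ~/.aws-mfa.yaml shown in the issue.
	staging := Cluster{"eks-staging_eu", "suite-staging", "1234567890", "DeveloperAccessRole", "eu-central-1"}
	debug := staging
	debug.Alias, debug.Role = "suite-staging-debug", "DebugAccessRole"
	for _, c := range []Cluster{staging, debug} { // one users[] entry per alias
		u := map[string]any{"name": c.Alias, "user": map[string]any{"exec": ExecFor(c, "mfa")}}
		out, _ := json.MarshalIndent(u, "", "  ") // JSON is valid kubeconfig YAML
		fmt.Println(string(out))
	}
}
```

Each printed object is one users[] entry; a context named after the alias then references it together with the shared cluster entry.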
When downloading the latest v0.12 release and running aws-mfa-login --version, it presents aws-mfa-login version 0.1.1, expecting a 0.12 here.
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates are awaiting their schedule. Click on a checkbox to get an update now.
(github.com/aws/aws-sdk-go-v2, github.com/aws/aws-sdk-go-v2/config, github.com/aws/aws-sdk-go-v2/credentials, github.com/aws/aws-sdk-go-v2/service/eks, github.com/aws/aws-sdk-go-v2/service/iam, github.com/aws/aws-sdk-go-v2/service/sts, k8s.io/client-go)
.tool-versions
golang 1.22.4
.circleci/config.yml
node 5.2.0
go 1.11.0
cimg/go 1.22
cimg/go 1.22
go.mod
go 1.22.0
go 1.22.4
github.com/aws/aws-sdk-go-v2 v1.30.1
github.com/aws/aws-sdk-go-v2/config v1.27.23
github.com/aws/aws-sdk-go-v2/credentials v1.17.23
github.com/aws/aws-sdk-go-v2/service/eks v1.45.1
github.com/aws/aws-sdk-go-v2/service/iam v1.34.1
github.com/aws/aws-sdk-go-v2/service/sts v1.30.1
github.com/aws/smithy-go v1.20.3
github.com/fatih/color v1.17.0
github.com/ghodss/yaml v1.0.0
github.com/go-ini/ini v1.67.0
github.com/mitchellh/go-homedir v1.1.0
github.com/spf13/cobra v1.8.1
github.com/spf13/viper v1.19.0
github.com/stretchr/testify v1.9.0
k8s.io/client-go v0.30.2
package.json
@semantic-release/changelog 6.0.3
@semantic-release/git 10.0.1
semantic-release 24.0.0
aws-mfa-login cluster setup
/home/-/.asdf/installs/aws-mfa-login/0.1.24/bin/aws-mfa-login: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by /home/-/.asdf/installs/aws-mfa-login/0.1.24/bin/aws-mfa-login)
/home/-/.asdf/installs/aws-mfa-login/0.1.24/bin/aws-mfa-login: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by /home/-/.asdf/installs/aws-mfa-login/0.1.24/bin/aws-mfa-login)
When running aws-mfa-login without a configuration file this is output:
% aws-mfa-login
2022/07/25 13:30:44 Config File ".aws-mfa" Not Found in "[/Users/asmodai]"
This should be .aws-mfa.yaml. I think it's the viper line at cmd/root.go#L61. Unsure at this point if this is a bug in aws-mfa-login's use of viper or viper itself.
Even adding viper.SetConfigType("yaml") after that line does nothing to change the output. But I am not that familiar with viper and its use, so I might be missing something.
Edit: It looks like SetConfigType is not for indicating the type of the configuration file, as in what extension, but rather how to parse the file.
The source profile name is configured only once for all profiles
source: suite
destination: suite-mfa
But we also want to support that you can configure different source profiles for the same account and cluster. This is useful when you want to authenticate as a different kubernetes user in the same cluster.
A violation against the OSS Rules of Play has been detected.
Rule ID: rl-vulnerability_alerts-1
Explanation: Are vulnerability alerts enabled? No
Find more information at: https://sap.github.io/fosstars-rating-core/oss_rules_of_play_rating.html
Used to work fine on the 18.05.2021. However, today (19.05) I got an error:
nikita.ko@mac ~ % aws-mfa-login
Current configuration located in ~/.aws-mfa.yaml
#####
source: suite
destination: mfa
#####
2021/05/19 13:09:13 operation error STS: GetCallerIdentity, failed to resolve service endpoint, an AWS region is required, but was not found
Region is specified in my .aws-mfa.yaml file:
# DEV--Area23
- name: area23-default
  alias: dev-area23
  accountId: "123142534534"
  role: TerraformAccessRole
  region: eu-central-1
There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.
Error type: Cannot find preset's package (github>whitesource/merge-confidence:beta)
I'm trying to use aws-mfa-login with an AWS China account and get the following error:
aws-mfa-login --config ~/.aws-cn.yaml
#####
source: aws-cn
destination: aws-cn-mfa
#####
2023/10/17 12:52:36 operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: c1895db0-5866-4a35-a447-367de51b1d4f, api error InvalidClientTokenId: The security token included in the request is invalid.
The issue arises because aws-mfa-login is trying to log in with the eu-central-1 account, which is absent in AWS China.
The quick fix is to remove the hardcoded region from the func (updater *CredUpdater) init() function:
https://github.com/signavio/aws-mfa-login/blob/v0.1.28/action/login.go#L43
I've checked this quick fix and it works pretty well for both aws and aws-cn accounts.
What else do you think should be taken into consideration?
As I see, github.com/aws/aws-sdk-go-v2 handles different IAM partitions well and no code changes are needed here:
AWS - arn:aws:: ....
AWS China - arn:aws-cn:: ...