# aws
b
yeah we understand this is painful, but it's actually because of limitations in the Go SDK rather than Pulumi itself
pulumi won't prompt you for the MFA at any point, you'll need to set up a new profile with temporary credentials from STS
m
Any preferred workaround? So far we’re thinking maybe setting up environment variables with a wrapper script.
b
m
Does Pulumi have any plans to improve this experience, or should we bug the Go SDK project directly?
b
how would you like it to work? have pulumi prompt for your mfa?
m
Yes, that would be perfect
essentially the same behavior as the aws cli
b
i'm not sure if we can do that, but please file an issue in pulumi/pulumi-aws and we'll try to have a think about it
m
okay, thanks, sounds good
Here’s what we’ve come up with so far 🤣
# Look up the cached STS credentials for the role the Pulumi profile assumes and export them
# (grep -h drops the file-name prefix that would otherwise break jq when the cache holds several files).
$(grep -hs "$(aws --profile "$(pulumi config get aws:profile)" sts get-caller-identity | jq -r '.UserId')" ~/.aws/cli/cache/*.json | jq -r '"export AWS_ACCESS_KEY_ID="+.Credentials.AccessKeyId,"export AWS_SECRET_ACCESS_KEY="+.Credentials.SecretAccessKey,"export AWS_SESSION_TOKEN="+.Credentials.SessionToken'); pulumi preview
l
Our solution is to configure Pulumi providers to use AWS profiles that have mfa-profile as their source_profile. We have a script that calls aws sts get-session-token and aws configure set profile.mfa-profile.... to set up mfa-profile.
If we run Pulumi without calling the script in the morning, it complains.
We run the script with the TOTP as a parameter, it sets up the profile, and then Pulumi works for the next 12 hours.
m
We’ve ultimately gone for this wrapper, which we put in our shell runtime configuration; it works for both MFA and non-MFA AWS profiles:
function pulumi () {
    # Pulumi subcommands that talk to the AWS provider and therefore need credentials.
    local PULUMI_COMMANDS_AWS_REQUIRED=(destroy logs preview refresh up update watch)
    local AWS_REQUIRED=$([[ " ${PULUMI_COMMANDS_AWS_REQUIRED[*]} " =~ " ${1} " ]] && echo "true")

    if [[ -n ${AWS_REQUIRED} ]]; then
        # Profile the stack is configured with, and its role_arn (empty for profiles that do not assume a role).
        local PULUMI_AWS_PROFILE=$(command pulumi config get aws:profile 2> /dev/null)
        local ROLE_ARN=$(aws configure get "profile.${PULUMI_AWS_PROFILE}.role_arn" 2> /dev/null)
    fi

    if [[ -n ${ROLE_ARN} ]]; then
        echo "Using AWS Profile: ${PULUMI_AWS_PROFILE}"
        # The CLI assumes the role (prompting for the MFA token if required) and writes the
        # temporary credentials to ~/.aws/cli/cache as plaintext JSON, one file per role session.
        local AWS_ROLE_USER_ID=$(aws --profile "${PULUMI_AWS_PROFILE}" sts get-caller-identity | jq -r '.UserId')
        if [[ -z ${AWS_ROLE_USER_ID} ]]; then return 1; fi

        # -h drops the file-name prefix, -s silences errors for an empty cache directory;
        # if several cache entries match, keep the one that expires last.
        local AWS_CREDENTIALS=$(grep -hs "${AWS_ROLE_USER_ID}" ~/.aws/cli/cache/*.json | jq -s 'max_by(.Credentials.Expiration)')
        if [[ -z ${AWS_CREDENTIALS} || ${AWS_CREDENTIALS} == null ]]; then
            echo "No cached credentials found for profile ${PULUMI_AWS_PROFILE}" >&2
            return 1
        fi

        # Hand the session credentials to pulumi through its environment only.
        AWS_ACCESS_KEY_ID=$(echo "${AWS_CREDENTIALS}" | jq -r '.Credentials.AccessKeyId') \
        AWS_SECRET_ACCESS_KEY=$(echo "${AWS_CREDENTIALS}" | jq -r '.Credentials.SecretAccessKey') \
        AWS_SESSION_TOKEN=$(echo "${AWS_CREDENTIALS}" | jq -r '.Credentials.SessionToken') \
        command pulumi "$@"
    else
        command pulumi "$@"
    fi
}
l
Didn't know the session token was persisted in a cache like that. Cool.