millions-furniture-75402

02/24/2021, 8:20 PM
Can anyone offer a suggestion for MFA integration using assumeRole? It doesn’t look like there is a clear path. https://github.com/pulumi/pulumi-aws/issues/584 https://github.com/pulumi/pulumi-aws/issues/252#issuecomment-584903094
aws --profile grey-sandbox-deployment ec2 describe-instances will work, but aws:profile in Pulumi.sandbox.yaml will not work, complaining about a missing AWS access key and secret access key.
pulumi preview

...

    Error: invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: unable to discover AWS AccessKeyID and/or SecretAccessKey - see <https://pulumi.io/install/aws.html> for details on configuration
We see that assumeRole is supported by the provider https://www.pulumi.com/docs/reference/pkg/aws/provider/#providerassumerole — but there is no mfa_serial, not that we want to pass that to the AWS Provider… It would be preferred if the AWS Provider understood the AWS config the same way as the aws cli.
billowy-army-68599

02/24/2021, 8:25 PM
yeah we understand this is painful, but it's actually because of limitations in the Go SDK rather than Pulumi itself
pulumi won't prompt you for the MFA at any point, you'll need to set up a new profile with temporary credentials from STS
millions-furniture-75402

02/24/2021, 8:26 PM
Any preferred workaround? So far we’re thinking maybe setting up environment variables with a wrapper script.
billowy-army-68599

02/24/2021, 8:28 PM
millions-furniture-75402

02/24/2021, 8:29 PM
Does Pulumi have any plans to improve this experience, or should we bug the Go SDK project directly?
billowy-army-68599

02/24/2021, 8:33 PM
how would you like it to work? have pulumi prompt for your mfa?
millions-furniture-75402

02/24/2021, 8:33 PM
Yes, that would be perfect
essentially the same behavior as the aws cli
billowy-army-68599

02/24/2021, 8:34 PM
I'm not sure if we can do that, but please file an issue in pulumi/pulumi-aws and we'll try to have a think about it
millions-furniture-75402

02/24/2021, 8:34 PM
okay, thanks, sounds good
Here’s what we’ve come up with so far 🤣
$(grep "$(aws --profile $(pulumi config get aws:profile) sts get-caller-identity |jq -r '.UserId')" ~/.aws/cli/cache/*.json |jq -r '"export AWS_ACCESS_KEY_ID="+.Credentials.AccessKeyId,"export AWS_SECRET_ACCESS_KEY="+.Credentials.SecretAccessKey,"export AWS_SESSION_TOKEN="+.Credentials.SessionToken'); pulumi preview
little-cartoon-10569

02/24/2021, 10:58 PM
Our solution is to configure Pulumi providers to use AWS profiles that have mfa-profile as their _source_profile_. We have a script that calls aws sts get-session-token and aws configure set profile.mfa-profile.... to set up mfa-profile.
If we run Pulumi without calling the script in the morning, it complains.
We run the script with the TOTP as a parameter, it sets up the profile, and then Pulumi works for the next 12 hours.
millions-furniture-75402

02/25/2021, 3:07 PM
We’ve ultimately gone for this wrapper, which we put in our shell runtime configurations; it will work for both MFA and non-MFA AWS profiles:
function pulumi () {
    # Pulumi subcommands that need working AWS credentials; everything else
    # (config, stack, login, ...) is passed straight through.
    local PULUMI_COMMANDS_AWS_REQUIRED=(destroy logs preview refresh up update watch)
    local AWS_REQUIRED=$([[ " ${PULUMI_COMMANDS_AWS_REQUIRED[*]} " =~ " ${1} " ]] && echo "true")
    local PULUMI_AWS_PROFILE=""
    local ROLE_ARN=""

    if [[ -n ${AWS_REQUIRED} ]]; then
        # The profile configured for the current stack (aws:profile in Pulumi.<stack>.yaml).
        PULUMI_AWS_PROFILE=$(command pulumi config get aws:profile 2> /dev/null)
        # Only profiles that assume a role need the cached STS credentials.
        ROLE_ARN=$(aws configure get "profile.${PULUMI_AWS_PROFILE}.role_arn" 2> /dev/null)
    fi

    if [[ -n ${ROLE_ARN} ]]; then
        echo "Using AWS Profile: ${PULUMI_AWS_PROFILE}"
        # The CLI prompts for the MFA token if needed, assumes the role and
        # caches the temporary credentials under ~/.aws/cli/cache/.
        local AWS_ROLE_USER_ID=$(aws --profile "${PULUMI_AWS_PROFILE}" sts get-caller-identity | jq -r '.UserId')
        if [[ -z ${AWS_ROLE_USER_ID} ]]; then return 1; fi

        # Find the cache entry for the assumed role (UserId is <role-id>:<session-name>).
        local AWS_CREDENTIALS=$(grep -hs "${AWS_ROLE_USER_ID}" ~/.aws/cli/cache/*.json)

        # Hand the temporary credentials to Pulumi through the environment, which the
        # provider understands, without writing them to any config file.
        AWS_ACCESS_KEY_ID=$(echo "${AWS_CREDENTIALS}" | jq -r '.Credentials.AccessKeyId') \
        AWS_SECRET_ACCESS_KEY=$(echo "${AWS_CREDENTIALS}" | jq -r '.Credentials.SecretAccessKey') \
        AWS_SESSION_TOKEN=$(echo "${AWS_CREDENTIALS}" | jq -r '.Credentials.SessionToken') \
        command pulumi "$@"
    else
        command pulumi "$@"
    fi
}
little-cartoon-10569

02/25/2021, 8:10 PM
Didn't know the session token was persisted in a cache like that. Cool.