Can anyone offer a suggestion for mfa integration using assumeRole? It doesn’t look like there is a clear path. https://github.com/pulumi/pulumi-aws/issues/584 https://github.com/pulumi/pulumi-aws/issues/252#issuecomment-584903094

aws --profile grey-sandbox-deployment ec2 describe-instances

will work, but

aws:profile

in

Pulumi.sandbox.yaml

will not work, complaining about missing AWS accesskey and secretaccesskeys.

pulumi preview

...

    Error: invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: unable to discover AWS AccessKeyID and/or SecretAccessKey - see <https://pulumi.io/install/aws.html> for details on configuration

We see that assumeRole is supported by the provider https://www.pulumi.com/docs/reference/pkg/aws/provider/#providerassumerole — but there is no

mfa_serial

not that we want to pass that to the AWS Provider… It would be preferred if the AWS Provider understood the AWS config the same way as the aws cli.

yeah we understand this is painful, but it's actually of because of limitations in the Go SDK rather than Pulumi itself

Any preferred workaround? So far we’re thinking maybe setting up environment variables with a wrapper script.

aws vault makes this easier: https://github.com/99designs/aws-vault#roles-and-mfa

Does Pulumi have any plans to improve this experience, or should we bug the Go SDK project directly?

how would you like it to work? have pulumi prompt for your mfa?

Yes, that would be perfect

i'm not sure if we can do that, but please file an issue in pulumi/pulumi-aws and we'll try have a think about it

okay, thanks, sounds good

Our solution is to configure Pulumi providers to use AWS profiles that have

mfa-profile

as their _source_profile_. We have a script that calls

aws sts get-session-token

and

aws configure set profile.mfa-profile....

to set up

mfa-profile.

We’ve ultimately gone for this wrapper which we put in our shell runtime configurations, it will work for both MFA and non-mfa AWS profiles:

function pulumi () {
    local PULUMI_COMMANDS_AWS_REQUIRED=(destroy logs preview refresh up update watch)
    local AWS_REQUIRED=$([[ " ${PULUMI_COMMANDS_AWS_REQUIRED[@]} " =~ " ${1} " ]] && echo "true")

    if [[ -n ${AWS_REQUIRED} ]]; then
        local PULUMI_AWS_PROFILE=$(command pulumi config get aws:profile 2> /dev/null)
        local ROLE_ARN=$(aws configure get profile.${PULUMI_AWS_PROFILE}.role_arn)
    fi

    if [[ -n ${ROLE_ARN} ]]; then
        echo "Using AWS Profile: ${PULUMI_AWS_PROFILE}"
        local AWS_ROLE_USER_ID=$(aws --profile ${PULUMI_AWS_PROFILE} sts get-caller-identity |jq -r '.UserId')
        if [[ -z ${AWS_ROLE_USER_ID} ]]; then return; fi

        local AWS_CREDENTIALS=$(grep -hs ${AWS_ROLE_USER_ID} ~/.aws/cli/cache/*.json)

        AWS_ACCESS_KEY_ID=$(echo ${AWS_CREDENTIALS} | jq -r '.Credentials.AccessKeyId') \
        AWS_SECRET_ACCESS_KEY=$(echo ${AWS_CREDENTIALS} | jq -r '.Credentials.SecretAccessKey') \
        AWS_SESSION_TOKEN=$(echo ${AWS_CREDENTIALS} | jq -r '.Credentials.SessionToken') \
        command pulumi ${@}
    else
        command pulumi ${@}
    fi
}

Didn't know the session token was persisted in a cache like that. Cool.