powerful-continent-32307

08/12/2021, 6:21 AM
Pulumi doesn't support AWS MFA scenarios, does it?

brave-planet-10645

08/12/2021, 9:38 AM
In what way? As in, can it bypass the MFA, or do you mean you're being asked to enter the MFA when you run `pulumi up`?

billowy-army-68599

08/12/2021, 7:58 PM
@powerful-continent-32307 it does, yes - but you need to authenticate with MFA and retrieve a session token. I can walk you through it if needed.

little-cartoon-10569

08/12/2021, 8:47 PM
Confirm it works fine. My team uses MFA with Pulumi all the time.

billowy-army-68599

08/12/2021, 9:54 PM
@little-cartoon-10569 for my own posterity, what's your workflow?

little-cartoon-10569

08/12/2021, 9:57 PM
Once a day, I grab my 6-digit MFA value from BitWarden and pass it to a bash alias I have, `aws2fa`.
For the next 24 hours, I can use Pulumi 🙂
The alias sets up an AWS profile with the temp creds, and a fixed name. The AWS profile that I use with Pulumi uses that profile as its source.

billowy-army-68599

08/12/2021, 10:00 PM
Mind sharing that alias? I've recommended `aws-vault` for this before.

little-cartoon-10569

08/12/2021, 10:05 PM
The alias isn't very interesting, it just invokes an image that uses this script as an entrypoint. I think a colleague got the script from an AWS or Pulumi page...
3 profiles involved: identity is the user's profile with creds that need MFA; identity-mfa is a temp profile set up with the creds returned by _get-session-token_; and pulumi is the user's profile that refers to identity-mfa and sets up the assumed role.
(Code edited to remove hard-coded account IDs, untested in this version, you may need to edit to get it to work.)