Update 2021-07-09:

  • Invested a bit more time in testing and narrowed the problem down to AWS CDK and NOT AWS CLI.
  • If I run `aws s3 ls --profile dev`, a cache file is created under `~/.aws/cli/cache/<random_hash>` and everything is working. So my question was misleading so far, as I never tested without CDK. I always used `cdk synth --profile dev` or another CDK command.
  • Therefore, can you help with regard to CDK? Why is it not behaving like the CLI itself?

Update 2021-07-09 +10min:

  • I found the following issue, and am therefore closing this question, as it seems to be the one mentioned.

I follow the advice from here and use the ~/.aws/config file to incorporate MFA in my authentication flow. The role (in 123456789123) has a maximum session duration of one hour, but still I'm prompted for an MFA token every time I run a command. How can I temporarily store the authentication and run a command without MFA interruption? I do not want to circumvent the MFA but store the sts-session for the configured hour - to at least work without interruption for this hour.

`~/.aws/config`

```ini
[default]
region = eu-central-1

[profile dev]
role_arn = arn:aws:iam::123456789123:role/my_admin_role
source_profile = corporation
mfa_serial = arn:aws:iam::023456789123:mfa/my_iam_user
```

`~/.aws/credentials`

```ini
[corporation]
aws_access_key_id = BLIBLABLUB
aws_secret_access_key = BLIBLABLUB
```
lony
  • What is `k` in the title? – Marcin Jul 06 '21 at 09:17
  • Iggy forgot to fill this - meant without immediate expiration – lony Jul 06 '21 at 09:18
  • I'm missing an AWS_SESSION_TOKEN as part of your environment... Can you check if https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/ works for you? – Korgen Jul 06 '21 at 09:23
  • I know that this is set if I run sts myself, but I use just the above setting and then run `aws s3 ls --profile dev` without any other command. Assumed aws-mfa is no longer necessary as this feature does the same, do I need to still use another lib to store the token? – lony Jul 06 '21 at 09:41
  • Take a look at third-party options that can help you manage MFA credentials for the CLI and SDKs e.g. https://github.com/broamski/aws-mfa – jarmod Jul 06 '21 at 14:06
  • The temporary credentials should be cached by default according to [this](https://docs.aws.amazon.com/cli/latest/topic/config-vars.html). Can you check if the program has write permission to `~/.aws/cli/cache`? – jellycsc Jul 06 '21 at 14:10
  • @jarmod as mentioned above I know this module, but want to avoid installing extra libs and therefore search for a solution with just the aws-cli. Can you help here as well? – lony Jul 06 '21 at 14:10
  • @jellycsc there is a cache file and it contains something, but if I delete everything the command will not create a new file - therefore I assume I ran sts manually before but the aws-cli does not make use of the cache. Can you reproduce that as well? – lony Jul 06 '21 at 14:39
  • @lony No, I'm not able to reproduce this. I suggest reinstalling the AWS CLI. – jellycsc Jul 06 '21 at 14:43
  • @jellycsc sorry my mistake - I missed the info that I use AWS CDK. See the above update. – lony Jul 09 '21 at 07:44
  • Seems to be a bug of the library already reported in GitHub. – lony Jul 09 '21 at 08:15
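
One way to run the check raised in the comments (is `~/.aws/cli/cache` writable, and does it hold an unexpired role session?), as an added example that is not part of the original thread. It assumes cache entries are `*.json` files containing the AssumeRole response with a `Credentials.Expiration` timestamp; `inspect_cli_cache` and the sample entry are constructed for illustration.

```python
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample entry in the shape of an sts:AssumeRole response;
# the key material is placeholder text, not real credentials.
SAMPLE_ENTRY = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
        "SecretAccessKey": "placeholder-secret",
        "SessionToken": "placeholder-token",
        "Expiration": "2021-07-09T09:00:00Z",
    },
    "AssumedRoleUser": {"Arn": "arn:aws:sts::123456789123:assumed-role/my_admin_role/constructed"},
}

def inspect_cli_cache(cache_dir, now=None):
    """Summarise cached role sessions without returning any secret fields."""
    cache_dir = Path(cache_dir).expanduser()
    now = now or datetime.now(timezone.utc)
    exists = cache_dir.is_dir()
    report = {"exists": exists, "writable": exists and os.access(cache_dir, os.W_OK | os.X_OK), "entries": []}
    if not exists:
        return report
    for path in sorted(cache_dir.glob("*.json")):
        try:
            data = json.loads(path.read_text())
            expires = datetime.fromisoformat(
                data["Credentials"]["Expiration"].replace("Z", "+00:00"))
            left = int((expires - now).total_seconds())
        except (OSError, ValueError, KeyError, TypeError):
            report["entries"].append({"file": path.name, "status": "unreadable"})
            continue
        report["entries"].append({
            "file": path.name,
            "role": data.get("AssumedRoleUser", {}).get("Arn"),
            "seconds_left": left,
            "status": "valid" if left > 0 else "expired",
            # Cache files hold live session credentials: flag group/other access.
            "mode_too_open": bool(path.stat().st_mode & 0o077),
        })
    return report

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "constructed.json").write_text(json.dumps(SAMPLE_ENTRY))
        print(json.dumps(inspect_cli_cache(tmp), indent=2))
```

Pointing it at `~/.aws/cli/cache` after a command that prompted for MFA shows whether that tool wrote a session the next command could reuse.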

0 Answers