Unable to assume a cross-account role with MFA. AWS CLI gives no output
0 votes
/ 01 October 2019

I am setting up cross-account access between two AWS accounts. I can successfully assume the role when MFA is not required. But when I add a condition requiring MFA to the trust policy, my aws cli just hangs.

Ideally, when I run the command below, the aws cli should prompt me for an MFA token,

aws s3 ls --profile mfa

When I run the above command with --debug, I get the following output

2019-10-01 20:18:22,646 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/1.16.249 Python/3.7.4 Windows/10 botocore/1.12.239
2019-10-01 20:18:22,646 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['s3', 'ls', '--profile', 'mfa', '--debug']
2019-10-01 20:18:22,646 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_scalar_parsers at 0x03BC6348>
2019-10-01 20:18:22,646 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function register_uri_param_handler at 0x037B7810>
2019-10-01 20:18:22,649 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x037D4858>
2019-10-01 20:18:22,651 - MainThread - botocore.credentials - DEBUG - Skipping environment variable credential check because profile name was explicitly set.
2019-10-01 20:18:22,651 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function attach_history_handler at 0x03ABB228>
2019-10-01 20:18:22,654 - MainThread - botocore.hooks - DEBUG - Event building-command-table.s3: calling handler <function add_waiters at 0x03BD20C0>
2019-10-01 20:18:22,656 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.s3.anonymous: calling handler <awscli.paramfile.URIArgumentHandler object at 0x03C50870>
2019-10-01 20:18:22,657 - MainThread - botocore.hooks - DEBUG - Event building-command-table.ls: calling handler <function add_waiters at 0x03BD20C0>
2019-10-01 20:18:22,660 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.paths: calling handler <awscli.paramfile.URIArgumentHandler object at 0x03C50870>
2019-10-01 20:18:22,660 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.anonymous: calling handler <awscli.paramfile.URIArgumentHandler object at 0x03C50870>
2019-10-01 20:18:22,660 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.page-size: calling handler <awscli.paramfile.URIArgumentHandler object at 0x03C50870>
2019-10-01 20:18:22,660 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.human-readable: calling handler <awscli.paramfile.URIArgumentHandler object at 0x03C50870>
2019-10-01 20:18:22,661 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.ls: calling handler <awscli.argprocess.ParamShorthandParser object at 0x035EAF10>
2019-10-01 20:18:22,661 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.summarize: calling handler <awscli.paramfile.URIArgumentHandler object at 0x03C50870>
2019-10-01 20:18:22,661 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.ls: calling handler <awscli.argprocess.ParamShorthandParser object at 0x035EAF10>
2019-10-01 20:18:22,661 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.request-payer: calling handler <awscli.paramfile.URIArgumentHandler object at 0x03C50870>
2019-10-01 20:18:22,662 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2019-10-01 20:18:22,662 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2019-10-01 20:18:22,662 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2019-10-01 20:18:22,664 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
2019-10-01 20:18:22,665 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Users\Samrat\AppData\Roaming\Python\Python37\site-packages\botocore\data\endpoints.json
2019-10-01 20:18:22,668 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x03583618>
2019-10-01 20:18:22,675 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Users\Samrat\AppData\Roaming\Python\Python37\site-packages\botocore\data\s3\2006-03-01\service-2.json
2019-10-01 20:18:22,704 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.s3: calling handler <function add_generate_presigned_post at 0x0356D390>
2019-10-01 20:18:22,704 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.s3: calling handler <function add_generate_presigned_url at 0x0356D270>
2019-10-01 20:18:22,705 - MainThread - botocore.args - DEBUG - The s3 config key is not a dictionary type, ignoring its value of: None
2019-10-01 20:18:22,711 - MainThread - botocore.endpoint - DEBUG - Setting s3 timeout as (60, 60)
2019-10-01 20:18:22,715 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Users\Samrat\AppData\Roaming\Python\Python37\site-packages\botocore\data\_retry.json
2019-10-01 20:18:22,716 - MainThread - botocore.client - DEBUG - Registering retry handlers for service: s3
2019-10-01 20:18:22,716 - MainThread - botocore.client - DEBUG - Defaulting to S3 virtual host style addressing with path style addressing fallback.
2019-10-01 20:18:22,716 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.ListBuckets: calling handler <function validate_bucket_name at 0x0358C3D8>
2019-10-01 20:18:22,716 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.ListBuckets: calling handler <bound method S3RegionRedirector.redirect_from_cache of <botocore.utils.S3RegionRedirector object at 0x03EB6710>>
2019-10-01 20:18:22,719 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.ListBuckets: calling handler <function generate_idempotent_uuid at 0x0358C1E0>
2019-10-01 20:18:22,719 - MainThread - botocore.hooks - DEBUG - Event before-call.s3.ListBuckets: calling handler <function add_expect_header at 0x0358C588>
2019-10-01 20:18:22,719 - MainThread - botocore.hooks - DEBUG - Event before-call.s3.ListBuckets: calling handler <bound method S3RegionRedirector.set_request_url of <botocore.utils.S3RegionRedirector object at 0x03EB6710>>
2019-10-01 20:18:22,719 - MainThread - botocore.hooks - DEBUG - Event before-call.s3.ListBuckets: calling handler <function inject_api_version_header_if_needed at 0x0358CF18>
2019-10-01 20:18:22,719 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=ListBuckets) with params: {'url_path': '/', 'query_string': '', 'method': 'GET', 'headers': {'User-Agent': 'aws-cli/1.16.249 Python/3.7.4 Windows/10 botocore/1.12.239'}, 'body': b'', 'url': 'https://s3.amazonaws.com/', 'context': {'client_region': 'us-east-1', 'client_config': <botocore.config.Config object at 0x03EB6410>, 'has_streaming_input': False, 'auth_type': None, 'signing': {'bucket': None}}}
2019-10-01 20:18:22,720 - MainThread - botocore.hooks - DEBUG - Event request-created.s3.ListBuckets: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x03EB63F0>>
2019-10-01 20:18:22,720 - MainThread - botocore.hooks - DEBUG - Event choose-signer.s3.ListBuckets: calling handler <bound method ClientCreator._default_s3_presign_to_sigv2 of <botocore.client.ClientCreator object at 0x0378E510>>
2019-10-01 20:18:22,720 - MainThread - botocore.hooks - DEBUG - Event choose-signer.s3.ListBuckets: calling handler <function set_operation_specific_signer at 0x0358C150>
2019-10-01 20:18:22,720 - MainThread - botocore.hooks - DEBUG - Event before-sign.s3.ListBuckets: calling handler <function fix_s3_host at 0x0348EBB8>

Below are my ~/.aws/credentials and ~/.aws/config files

# ~/.aws/credentials
[default]
aws_access_key_id = <ACCESS_KEY_ID>
aws_secret_access_key = <SECRET_ACCESS_KEY>

# ~/.aws/config
[default]
region = us-east-1
output = json
[profile mfa]
region = us-east-1
role_arn = arn:aws:iam::<Trusting-Account-ID>:role/RoleName
source_profile = default
mfa_serial = arn:aws:iam::<Trusted-Account-ID>:mfa/user

Can someone tell me what I am missing? Thanks!

1 Answer

0 votes
/ 02 October 2019

As far as I understand, you will not be prompted for a one-time password (OTP) when trying to list. If you are using an MFA device, you must first create a temporary session token through the STS service and use that token to make the S3 call.

For example:

aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token

It will return temporary credentials:

{
    "Credentials": {
        "SecretAccessKey": "secret-access-key",
        "SessionToken": "temporary-session-token",
        "Expiration": "expiration-date-time",
        "AccessKeyId": "access-key-id"
    }
}

Update the aws CLI configuration to use the temporary credentials:

[mfa]
aws_access_key_id = example-access-key-as-in-returned-output
aws_secret_access_key = example-secret-access-key-as-in-returned-output
aws_session_token = example-session-Token-as-in-returned-output

Then you use these temporary credentials when interacting with S3:

aws s3 ls --profile mfa

Source: https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
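The answer above leaves the step between "get-session-token prints JSON" and "the [mfa] profile holds the temporary keys" to be done by hand. The following is an added example, not code from the question, the answer or the AWS CLI: it takes the JSON in the shape the answer shows (here a constructed sample, not real credentials), refuses it if the Expiration has already passed, and writes or replaces the [mfa] section in an INI-style credentials file while keeping the other profiles intact. The file path is a parameter; the real CLI reads ~/.aws/credentials.

```python
"""Write the temporary credentials printed by `aws sts get-session-token`
into an [mfa] profile of an AWS credentials file.

Added example, not code from the original question or answer. The JSON
below is a constructed sample in the shape the answer shows.
"""
import configparser
import json
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

# Constructed sample of `aws sts get-session-token` output (not real keys).
SAMPLE_STS_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEACCESSKEY",
        "SecretAccessKey": "example-secret-access-key",
        "SessionToken": "example-session-token",
        "Expiration": "2099-01-01T00:00:00Z",
    }
})


def parse_session_credentials(sts_json: str, now: Optional[datetime] = None) -> dict:
    """Extract the temporary credentials and reject them if already expired."""
    creds = json.loads(sts_json)["Credentials"]
    # STS prints the timestamp with a trailing Z; fromisoformat wants +00:00.
    expiration = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    if expiration <= now:
        raise ValueError(f"session credentials expired at {expiration.isoformat()}")
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": expiration,
    }


def write_profile(credentials_path: Path, profile: str, sts_json: str) -> dict:
    """Write (or replace) the named profile in an INI-style credentials file.

    Other sections such as [default] are preserved. A new file is created
    with owner-only permissions because it holds secrets (mode is ignored
    on Windows and not changed for an existing file).
    """
    creds = parse_session_credentials(sts_json)
    parser = configparser.ConfigParser()
    if credentials_path.exists():
        parser.read(credentials_path)
    parser[profile] = {
        "aws_access_key_id": creds["aws_access_key_id"],
        "aws_secret_access_key": creds["aws_secret_access_key"],
        "aws_session_token": creds["aws_session_token"],
    }
    credentials_path.parent.mkdir(parents=True, exist_ok=True)
    credentials_path.touch(mode=0o600, exist_ok=True)
    with credentials_path.open("w") as fh:
        parser.write(fh)
    return creds


def read_profile(credentials_path: Path, profile: str) -> dict:
    """Read one profile back as a plain dict, for verification."""
    parser = configparser.ConfigParser()
    parser.read(credentials_path)
    return dict(parser[profile])


if __name__ == "__main__":
    import tempfile

    # Hypothetical location; the CLI itself uses ~/.aws/credentials.
    path = Path(tempfile.mkdtemp()) / "credentials"
    path.write_text("[default]\naws_access_key_id = AKIADEFAULT\naws_secret_access_key = x\n")
    info = write_profile(path, "mfa", SAMPLE_STS_OUTPUT)
    print("wrote [mfa], valid until", info["expiration"].isoformat())
    print("default profile still present:", read_profile(path, "default"))
```

In practice the JSON comes from the `aws sts get-session-token` call shown in the answer, and the expiration check matters because the CLI will simply fail with an expired token rather than re-prompt; the profile has to be rewritten after each session expires.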
