aws-vault: Unable to assume role with MFA

Hi. This looks like just the tool I’m after, but currently having some issues getting it working with a role that uses MFA. I’m not sure I see what I’m doing wrong.

I’ve just installed v4.6.0 on macOS 10.14.5. As you can see below, using the AWS CLI directly is fine, and I get prompted for the MFA token. But I don’t get prompted, and therefore seem to get AccessDenied, when using aws-vault.

From what I’ve read in the docs, it seems like this is totally supported in theory. Am I doing anything obviously wrong?

~/.aws/config

[profile root]
region=eu-west-1

[profile role-with-mfa]
source_profile = root
role_arn=arn:aws:iam::xxx:role/infrastructure
mfa_serial=arn:aws:iam::xxx:mfa/sam

sam:~/git/eff-infrastructure/accounts [master]$ aws-vault exec root -- aws sts get-caller-identity
{
    "UserId": "xyz",
    "Account": "xxx",
    "Arn": "arn:aws:iam::xxx:user/sam"
}

sam:~/git/eff-infrastructure/accounts [master]$ aws-vault exec role-with-mfa -- aws sts get-caller-identity
aws-vault: error: Failed to get credentials for root (source profile for role-with-mfa): AccessDenied: Access denied
	status code: 403, request id: cd493634-8d53-11e9-a8f2-395e97d62828

sam:~/git/eff-infrastructure/accounts [master]$ AWS_PROFILE=root aws sts get-caller-identity
{
    "UserId": "xyz",
    "Account": "xxx",
    "Arn": "arn:aws:iam::xxx:user/sam"
}

sam:~/git/eff-infrastructure/accounts [master]$ AWS_PROFILE=role-with-mfa aws sts get-caller-identity
Enter MFA code for arn:aws:iam::xxx:mfa/sam:
{
    "UserId": "xyz:botocore-session-1560372747",
    "Account": "xxx",
    "Arn": "arn:aws:sts::xxx:assumed-role/infrastructure/botocore-session-1560372747"
}

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 25

Most upvoted comments

If you want to downgrade to the earlier version (which works perfectly well for me) then you can do the following:

brew cask uninstall aws-vault
brew cask install https://raw.githubusercontent.com/Homebrew/homebrew-cask/7e805ba6d2a4899b56ddf60174b54b16863fb1d3/Casks/aws-vault.rb

@FernandoMiguel you were right, actually my role had only ecs-tasks.amazonaws.com as trusted entities instead of the account number.

This is a regression from https://github.com/99designs/aws-vault/pull/369

When the selected profile has mfa_serial and the root does not have mfa_serial, the session we create for the source_profile won’t use mfa, and we try to assume role using that session without mfa.

I can work on a fix for this today.

You can move your mfa_serial setting to your root profile, and things will work as expected for now.
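The following is an added illustration, not aws-vault's own code: it parses the config from the issue and shows how the source-profile session ends up without MFA when only the target profile carries mfa_serial, how inheriting the target's mfa_serial into that session fixes it, and why the workaround of putting mfa_serial on the root profile works. The config text is a constructed copy of the one posted above (account ids scrubbed as "xxx"); the Plan class and function names are assumptions for this example.

```python
import configparser
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the ~/.aws/config posted in the issue (ids scrubbed as "xxx").
ISSUE_CONFIG = """
[profile root]
region=eu-west-1

[profile role-with-mfa]
source_profile = root
role_arn=arn:aws:iam::xxx:role/infrastructure
mfa_serial=arn:aws:iam::xxx:mfa/sam
"""


@dataclass
class Plan:
    session_profile: str               # profile whose long-lived keys start the chain
    session_mfa_serial: Optional[str]  # MFA device used for that session, if any
    role_arn: Optional[str]            # role assumed from the session, if any


def load_profiles(text: str) -> dict:
    # "=" only: the ARNs contain ":", which is also a default configparser delimiter.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return {s.replace("profile ", "", 1): dict(cp[s]) for s in cp.sections()}


def plan_credentials(profiles: dict, name: str, inherit_mfa: bool) -> Plan:
    """inherit_mfa=False models the v4.6.0 regression; True models the fix."""
    target = profiles[name]
    source_name = target.get("source_profile")
    if source_name is None:
        return Plan(name, target.get("mfa_serial"), None)
    # Regression: the session for the source profile honours only the source's
    # own mfa_serial, so when it has none the role is assumed without MFA.
    session_mfa = profiles[source_name].get("mfa_serial")
    if session_mfa is None and inherit_mfa:
        session_mfa = target.get("mfa_serial")  # fix: the target's device applies
    return Plan(source_name, session_mfa, target.get("role_arn"))


def mfa_required_but_missing(profiles: dict, name: str, inherit_mfa: bool) -> bool:
    """True when the target declares mfa_serial but the planned session has no MFA."""
    plan = plan_credentials(profiles, name, inherit_mfa)
    return profiles[name].get("mfa_serial") is not None and plan.session_mfa_serial is None
```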

@gawbul can you share the relevant entries from your aws config file with account numbers scrubbed?

If you recently upgraded, you might need to remove an old session: aws-vault remove -s read-only

I’m able to reproduce this issue. I’m stepping through the code now to figure out the cause.