serverless: sls deploy with AWS cross account profile no longer waits for MFA input
This is a Bug Report
Description
- What went wrong?
  - Invoking sls deploy via SLS_DEBUG=* sls deploy --stage mystage --aws-profile my-cross-account-role-with-mfa, the application skips straight past the prompt for “Enter MFA code for…”
  - If an MFA token is entered at the next opportunity on stdin despite the output moving on, then the deploy will continue using the assumed role
  - If the user simply hits enter because it looks like the deploy has stalled, then the deploy will fail with an error about AWS provider credentials not found
  - This previously worked OK with 1.37.1, the application waited for an MFA token on stdin but on 1.50.0 the output continues and is quite misleading as the app is still waiting for input
- What did you expect should have happened?
  - Application should wait at the MFA prompt for user input, then continue using the cross-account role
- What was the config you used?
    provider:
      name: aws
      runtime: python3.6
      stage: ${opt:stage, 'dev'}
      region: eu-west-1
  - ~/.aws/credentials
    [default]
    aws_access_key_id = <my-root-account-access-key-id>
    aws_secret_access_key = <my-root-account-access-key-id>
    - Root account user has MFA enabled
  - ~/.aws/config
    [profile my-cross-account-role-with-mfa]
    region = eu-west-1
    role_arn = arn:aws:iam::<target-account-id>:role/<role-name>
    source_profile = default
- What stacktrace or error message from your provider did you see?
  - Initial application output:
    $ export AWS_SDK_LOAD_CONFIG="true"
    $ SLS_DEBUG=* sls deploy --stage mystage --aws-profile my-cross-account-role-with-mfa
    Serverless: Load command config
    Serverless: Load command config:credentials
    [...]
    Serverless: Invoke deploy
    Serverless: Invoke package
    Serverless: Invoke aws:common:validate
    Enter MFA code for arn:aws:iam::<root-account-id>:mfa/<root-user-name>: Serverless:Invoke aws:common:cleanupTempDir
    Serverless: Generated requirements from /[...]/requirements.txt in /[...]/.serverless/requirements.txt...
    Serverless: Installing requirements from /[...]/.serverless/requirements/requirements.txt ...
  - Deploy continues
    AWS Pseudo Parameter: Resources::ChannelDeleteLambdaPermissionS3::Properties::SourceArn Replaced AWS::Region with ${AWS::Region}
    AWS Pseudo Parameter: Resources::ChannelUpdateLambdaPermissionS3::Properties::SourceArn Replaced AWS::Region with ${AWS::Region}
    <enter-MFA-token-here>
    Serverless: [AWS sts 200 0.65s 0 retries] assumeRole({ RoleArn: [...]
Similar or dependent issues:
Additional Data
- Serverless Framework Version you’re using: 1.50.0
- Operating System: MacOS 10.13.6
- Stack Trace:
- Provider Error messages:
About this issue
- State: closed
- Created 5 years ago
- Reactions: 2
- Comments: 15 (8 by maintainers)
Commits related to this issue
- fix: pause for mfa input This allows credential validation checks to be applied when running the package hook only if the initial command is to package an artifact for deployment. Since package is in... — committed to drexler/serverless by drexler 5 years ago
@medikoo, interesting that my tests didn’t catch that one. I have two accounts set up with one as a “master” account set to assume a role in the other. Locally, my AWS setup is like:
.aws/credentials
./aws/config
To reproduce, I deploy any Serverless application I had with my open-sourcerer account to force the MFA prompt. So:
I’m also facing this issue. I’m able to enter the MFA token at any time and serverless still successfully deploys, but it certainly is confusing.