signavio / aws-mfa-login Goto Github PK

A violation against the OSS Rules of Play has been detected.

Rule ID: rl-vulnerability_alerts-1
Explanation: Are vulnerability alerts enabled? No

Find more information at: https://sap.github.io/fosstars-rating-core/oss_rules_of_play_rating.html

The source profile name is configured only once for all profiles

source: suite
destination: suite-mfa

But we also want to support that you can configure different source profiles for same account and cluster. This is useful when you want to authenticate as different kubernetes user in same cluster.

I'm trying to use aws-mfa-login with an AWS China account and get the following error:

aws-mfa-login --config ~/.aws-cn.yaml
#####
source: aws-cn
destination: aws-cn-mfa
#####
2023/10/17 12:52:36 operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: c1895db0-5866-4a35-a447-367de51b1d4f, api error InvalidClientTokenId: The security token included in the request is invalid.

The issue is rising because aws-mfa-login is trying to log in with the eu-central-1 account which is absent in AWS China.
The quick fix is to remove the hardcoded region from func (updater *CredUpdater) init() function:
https://github.com/signavio/aws-mfa-login/blob/v0.1.28/action/login.go#L43

I've checked this quick fix and it works pretty well for both aws and aws-cn accounts.

What else do you think should be taken into consideration?
As I see github.com/aws/aws-sdk-go-v2 handles different IAM partitions well and no code changes are needed here:

AWS - arn:aws:: ....
AWS China- arn:aws-cn:: ...

newer MacOS have the M1 processor which is based on arm64. So we should support this architecture too

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: Cannot find preset's package (github>whitesource/merge-confidence:beta)

with kubectl client version 1.24 we get following error

error: exec plugin: invalid apiVersion "client.authentication.k8s.io/v1alpha1"

client.authentication.k8s.io/v1alpha1 has been deprecated and since kubernetes version 1.11. v1beta1 has been available since then so we safely can upgrade the client api version

see kubernetes/kubernetes#64482

This is a breaking change since user is required to update to latest aws cli version, more specific >= 1.20.9 or >= 2.2.24

we want to assume different roles per cluster which would look like ~/.aws-mfa.yaml so we can switch the role with kubectx suite-staging or kubectx suite-staging-debug

source: suite
destination: mfa
clusters:
  # staging
  - name: eks-staging_eu
    alias: suite-staging
    accountId: "1234567890"
    role: DeveloperAccessRole
    region: eu-central-1
  - name: eks-staging_eu
    alias: suite-staging-debug
    accountId: "1234567890"
    role: DebugAccessRole
    region: eu-central-1

by default this is not possible with cli aws eks update-kubeconfig see this issue aws/aws-cli#5413 and aws/aws-cli#4079

So this means I would need to implement aws eks update-kubeconfig completly in golang unless this is not merged

When running aws-mfa-login without a configuration file this is output:

% aws-mfa-login
2022/07/25 13:30:44 Config File ".aws-mfa" Not Found in "[/Users/asmodai]"

This should be .aws-mfa.yaml. I think it's the viper line at cmd/root.go#L61. Unsure at this point if this is a bug in aws-mfa-login's use of viper or viper itself.

Even adding viper.SetConfigType("yaml") after that line does nothing to change the output. But I am not that familiar with viper and its use, so I might be missing something.

Edit: It looks like SetConfigType is not for indicating the type of the configuration file, as in what extension, but rather how to parse the file.

When downloading the latest v0.12 release and running a aws-mfa-login --version, it presents aws-mfa-login version 0.1.1 expecting a 0.12 here.

I update to the latest version available and tried to use it.

I just tried to create an update cluster config:

#####
source: SignavioSass_dev
destination: mfa
#####
detected MFA device with serial number arn:aws:iam::291496782177:mfa/alessandro.surace
enter 6-digit MFA code: 646661

Sucessfully update access tokens for profile mfa.
Access will be valid for 11 hours. You can now your profile.

export AWS_PROFILE=mfa
> aws-mfa-login cluster setup

The kube config file is not updated.

Used to work fine on the 18.05.2021. However, today (19.05) I got an error:

nikita.ko@mac ~ % aws-mfa-login        
Current configuration located in ~/.aws-mfa.yaml
#####
source: suite
destination: mfa
#####
2021/05/19 13:09:13 operation error STS: GetCallerIdentity, failed to resolve service endpoint, an AWS region is required, but was not found

Region is specified in my .aws-mfa.yaml file:

    # DEV--Area23
  - name: area23-default
    alias: dev-area23
    accountId: "123142534534"
    role: TerraformAccessRole
    region: eu-central-1

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Awaiting Schedule

These updates are awaiting their schedule. Click on a checkbox to get an update now.

• chore(deps): update dependency golang to v1.22.2
• chore(deps): update dependency semantic-release to v23.0.8
• fix(deps): update golang dependencies (github.com/aws/aws-sdk-go-v2/config, github.com/aws/aws-sdk-go-v2/credentials, github.com/aws/aws-sdk-go-v2/service/iam, k8s.io/client-go)
• chore(deps): update dependency go to v1.22.2

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository