[x] I have provided my .aws/config (redacted if necessary)
[x] I have provided the debug output using aws-vault --debug (redacted if necessary)
It would appear that using the --mfa-token=###### option with the aws-vault login command does not work as expected.
.aws/config file:
[profile my-profile]
region = us-east-1
mfa_serial = arn:aws:iam::############:mfa/Phone
Debug output with login command:
$ aws-vault login --mfa-token=071675 --debug my-profile
2023/10/12 11:52:58 aws-vault v7.2.0
2023/10/12 11:52:58 Using prompt driver: terminal
2023/10/12 11:52:58 [keyring] Considering backends: [keychain]
2023/10/12 11:52:58 Loading config file /Users/jutley/.aws/config
2023/10/12 11:52:58 Parsing config file /Users/jutley/.aws/config
2023/10/12 11:52:58 Profile 'default' missing in config file
2023/10/12 11:52:58 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2023/10/12 11:52:58 [keyring] Found 5 results
2023/10/12 11:52:58 profile my-profile: using stored credentials
2023/10/12 11:52:58 profile my-profile: skipping GetSessionToken because sessions are disabled for this profile
2023/10/12 11:52:58 Looking up keyring for 'my-profile'
2023/10/12 11:52:58 [keyring] Querying keychain for service="aws-vault", account="my-profile", keychain="aws-vault.keychain"
2023/10/12 11:53:09 [keyring] Found item "aws-vault (my-profile)"
2023/10/12 11:53:09 Creating a federated session
2023/10/12 11:53:10 Using GetFederationToken for credentials
aws-vault: error: login: operation error STS: GetFederationToken, https response error StatusCode: 403, RequestID: a294af35-a0c8-4b80-8ce1-8d6e0b24542f, api error AccessDenied: User: arn:aws:iam::############:user/jutley is not authorized to perform: sts:GetFederationToken on resource: arn:aws:sts::############:federated-user/jutley with an explicit deny
Note: I have a policy in place that issues an explicit Deny on all API calls not authenticated with MFA, other than specific calls related to password changes and setting up MFA.
Debug output with the exec command on the same profile:
$ aws-vault exec --mfa-token=###### --debug my-profile -- zsh
2023/10/12 11:55:13 aws-vault v7.2.0
2023/10/12 11:55:13 Using prompt driver: terminal
2023/10/12 11:55:13 Loading config file /Users/jutley/.aws/config
2023/10/12 11:55:13 Parsing config file /Users/jutley/.aws/config
2023/10/12 11:55:13 [keyring] Considering backends: [keychain]
2023/10/12 11:55:13 Profile 'default' missing in config file
2023/10/12 11:55:13 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2023/10/12 11:55:13 [keyring] Found 5 results
2023/10/12 11:55:13 profile my-profile: using stored credentials
2023/10/12 11:55:13 profile my-profile: using GetSessionToken (with MFA)
2023/10/12 11:55:13 Setting subprocess env: AWS_REGION=us-east-1, AWS_DEFAULT_REGION=us-east-1
2023/10/12 11:55:13 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2023/10/12 11:55:13 [keyring] Found 5 results
2023/10/12 11:55:13 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2023/10/12 11:55:13 [keyring] Found 5 results
2023/10/12 11:55:13 [keyring] Querying keychain for service="aws-vault", account="sts.GetSessionToken,dHJ1c3RjaGFyZ2U,YXJuOmF3czppYW06OjQ2NDgxMTgyNDY5OTptZmEvUGhvbmU,-62135596800", keychain="aws-vault.keychain"
2023/10/12 11:55:13 [keyring] No results found
2023/10/12 11:55:13 Looking up keyring for 'my-profile'
2023/10/12 11:55:13 [keyring] Querying keychain for service="aws-vault", account="my-profile", keychain="aws-vault.keychain"
2023/10/12 11:55:18 [keyring] Found item "aws-vault (my-profile)"
2023/10/12 11:55:19 Generated credentials ****************VAMX using GetSessionToken, expires in 59m59.78726s
2023/10/12 11:55:19 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2023/10/12 11:55:19 [keyring] Found 5 results
2023/10/12 11:55:19 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2023/10/12 11:55:19 [keyring] Found 5 results
2023/10/12 11:55:19 [keyring] Checking keychain status
2023/10/12 11:55:19 [keyring] Keychain status returned nil, keychain exists
2023/10/12 11:55:19 [keyring] Keychain item trusts keyring
2023/10/12 11:55:19 [keyring] Adding service="aws-vault", label="aws-vault session for my-profile (expires 2023-10-12T17:55:19Z)", account="sts.GetSessionToken,dHJ1c3RjaGFyZ2U,YXJuOmF3czppYW06OjQ2NDgxMTgyNDY5OTptZmEvUGhvbmU,1697133319", trusted=true to osx keychain "aws-vault.keychain"
2023/10/12 11:55:19 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2023/10/12 11:55:19 Setting subprocess env: AWS_SESSION_TOKEN
2023/10/12 11:55:19 Setting subprocess env: AWS_CREDENTIAL_EXPIRATION
2023/10/12 11:55:19 Exec command zsh
2023/10/12 11:55:19 Found executable /bin/zsh
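As an added illustration (not code from the issue or from the aws-vault project), the script below models why the two runs above diverge: it extracts which STS call each debug run took and whether that call carried an MFA context, then applies a simplified version of the reporter's "deny unless MFA" policy. The exempt action list, the condition key and the account/user values are assumptions, not taken from the report.

```python
import re

# Constructed excerpts modelled on the two aws-vault --debug runs in the report
# (account id and user name are placeholders, not values from the issue).
LOGIN_LOG = """\
2023/10/12 11:52:58 profile my-profile: using stored credentials
2023/10/12 11:52:58 profile my-profile: skipping GetSessionToken because sessions are disabled for this profile
2023/10/12 11:53:09 Creating a federated session
2023/10/12 11:53:10 Using GetFederationToken for credentials
aws-vault: error: login: operation error STS: GetFederationToken, https response error StatusCode: 403, api error AccessDenied: User: arn:aws:iam::000000000000:user/example is not authorized to perform: sts:GetFederationToken on resource: arn:aws:sts::000000000000:federated-user/example with an explicit deny
"""

EXEC_LOG = """\
2023/10/12 11:55:13 profile my-profile: using stored credentials
2023/10/12 11:55:13 profile my-profile: using GetSessionToken (with MFA)
2023/10/12 11:55:19 Generated credentials ****************XXXX using GetSessionToken, expires in 59m59.78726s
"""

# Assumed allow-list for the reporter's policy: actions that must stay callable
# without MFA. sts:GetSessionToken has to be here, since it is the call that
# establishes the MFA-backed session in the first place.
MFA_EXEMPT_ACTIONS = {"sts:GetSessionToken", "iam:ChangePassword", "iam:EnableMFADevice"}


def credential_path(log):
    """Return (sts_action, mfa_present) for one aws-vault debug run."""
    action, mfa = None, False
    for line in log.splitlines():
        if "using GetSessionToken (with MFA)" in line:
            action, mfa = "sts:GetSessionToken", True
        elif "Using GetFederationToken" in line:
            # GetFederationToken has no SerialNumber/TokenCode parameters, so the
            # call is made with the long-term keys and no MFA context at all.
            action, mfa = "sts:GetFederationToken", False
    return action, mfa


def deny_unless_mfa(action, mfa_present):
    """Mimic a Deny statement conditioned on aws:MultiFactorAuthPresent being false."""
    if action in MFA_EXEMPT_ACTIONS:
        return False
    return not mfa_present


def diagnose(log):
    """Summarise one run: which STS action, MFA or not, and whether the policy denies it."""
    action, mfa = credential_path(log)
    return {
        "action": action,
        "mfa": mfa,
        "denied": deny_unless_mfa(action, mfa),
        "explicit_deny_seen": bool(re.search(r"with an explicit deny", log)),
    }
```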