
Conversation

@propilideno

Based on @thiagosestini observations and after debugging with Delve, I identified that in aws-vault v7 the MFA chaining logic was incomplete compared to v6.

Specifically, v7 was skipping the critical step of calling GetSessionToken to obtain MFA-authenticated session credentials before performing AssumeRole in chained profiles. As a result, AssumeRole calls lacked MFA context, causing AWS to reject them with MFA validation errors.

aws-vault/vault/vault.go

Lines 230 to 244 in 1344f15

```go
	if hasStoredCredentials || !config.HasRole() {
		if canUseGetSessionToken, reason := config.CanUseGetSessionToken(); !canUseGetSessionToken {
			log.Printf("profile %s: skipping GetSessionToken because %s", config.ProfileName, reason)
			if !config.HasRole() {
				return sourcecredsProvider, nil
			}
		}
		t.chainedMfa = config.MfaSerial
		log.Printf("profile %s: using GetSessionToken %s", config.ProfileName, mfaDetails(false, config))
		sourcecredsProvider, err = NewSessionTokenProvider(sourcecredsProvider, t.keyring.Keyring, config)
		if !config.HasRole() || err != nil {
			return sourcecredsProvider, err
		}
	}
```

This commit restores the missing logic by wrapping long-term credentials with a session token provider (calling GetSessionToken with MFA) when appropriate. It clears the MFA serial on subsequent chained assumes, preventing repeated MFA prompts and access denials.

This fix aligns v7 behavior with v6 and resolves MFA failures during role chaining.

For the people who want to test without cloning and building the project, I baked some binaries at: https://github.com/propilideno/aws-vault/releases/tag/7.2.1
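As an added example (not part of the PR or of the aws-vault code base), the Go program below models the chaining flow the description above walks through: long-term keys are wrapped in an MFA-authenticated session via GetSessionToken, that session is then used for the chained AssumeRole calls, and a serial the session has already proven is cleared so the user is not prompted again. A `MockSTS` stands in for AWS STS and denies AssumeRole on roles whose trust policy requires MFA when the caller has no MFA context, which is the failure mode the PR fixes. The `Profile`, `Credentials`, `Resolver` and `SampleResolver` names, the `SkipSessionToken` switch that reproduces the v7 behaviour, and all ARNs and account ids are constructed for this example and do not exist in the project.

```go
package main

import "fmt"

// Profile is a hypothetical, reduced aws-vault style profile; role profiles chain back via SourceProfile.
type Profile struct{ SourceProfile, RoleArn, MfaSerial string }

// Credentials keeps only what matters here; MfaAuthenticated is the "MFA context" a session carries.
type Credentials struct {
	SessionToken     string // "" means the long-term access key pair
	MfaAuthenticated bool
}

// MockSTS stands in for AWS STS: roles in RequireMFA reject AssumeRole without MFA context or a serial plus token.
type MockSTS struct {
	RequireMFA map[string]bool
	Calls      []string // ordered audit trail of STS calls
}

func (s *MockSTS) GetSessionToken(c Credentials, serial, token string) (Credentials, error) {
	s.Calls = append(s.Calls, "GetSessionToken")
	if serial != "" && token == "" {
		return Credentials{}, fmt.Errorf("MissingMFA: serial %s given without a token", serial)
	}
	return Credentials{SessionToken: "session", MfaAuthenticated: serial != ""}, nil
}

func (s *MockSTS) AssumeRole(c Credentials, roleArn, serial, token string) (Credentials, error) {
	s.Calls = append(s.Calls, "AssumeRole "+roleArn)
	present := c.MfaAuthenticated || (serial != "" && token != "")
	if s.RequireMFA[roleArn] && !present {
		return Credentials{}, fmt.Errorf("AccessDenied: %s requires MFA", roleArn)
	}
	return Credentials{SessionToken: "role", MfaAuthenticated: present}, nil
}

// Resolver walks a profile chain; SkipSessionToken=true reproduces the v7 path the PR describes, false the restored logic.
type Resolver struct {
	Profiles         map[string]Profile
	STS              *MockSTS
	SkipSessionToken bool
	Prompts          int // how often the user was asked for an MFA code
}

func (r *Resolver) prompt() string { r.Prompts++; return "123456" } // constructed code, no real device

// chain orders profiles from the base (long-term keys) to the target, rejecting cycles.
func (r *Resolver) chain(name string) (out []Profile, err error) {
	for seen := map[string]bool{}; name != ""; name = r.Profiles[name].SourceProfile {
		p, ok := r.Profiles[name]
		if !ok || seen[name] {
			return nil, fmt.Errorf("unknown or cyclic profile %q", name)
		}
		seen[name], out = true, append([]Profile{p}, out...)
	}
	return out, nil
}

func (r *Resolver) Resolve(target string) (Credentials, error) {
	chain, err := r.chain(target)
	if err != nil || len(chain) == 0 {
		return Credentials{}, fmt.Errorf("cannot resolve %q: %v", target, err)
	}
	creds, chainedMfa := Credentials{}, "" // long-term keys; no serial proven yet
	if base := chain[0]; base.MfaSerial != "" && !r.SkipSessionToken { // the restored step
		if creds, err = r.STS.GetSessionToken(creds, base.MfaSerial, r.prompt()); err != nil {
			return Credentials{}, err
		}
		chainedMfa = base.MfaSerial
	}
	for _, p := range chain[1:] {
		serial, token := "", "" // a serial the session already proved is cleared, not re-prompted
		if p.MfaSerial != "" && p.MfaSerial != chainedMfa { // a different device on this hop
			serial, token, chainedMfa = p.MfaSerial, r.prompt(), p.MfaSerial
		}
		if creds, err = r.STS.AssumeRole(creds, p.RoleArn, serial, token); err != nil {
			return Credentials{}, err
		}
	}
	return creds, nil
}

// SampleResolver builds the constructed config (made-up ARNs): an MFA-protected IAM user and two chained roles requiring MFA.
func SampleResolver(skip bool) *Resolver {
	const dev, admin = "arn:aws:iam::222222222222:role/dev", "arn:aws:iam::222222222222:role/admin"
	return &Resolver{SkipSessionToken: skip, STS: &MockSTS{RequireMFA: map[string]bool{dev: true, admin: true}},
		Profiles: map[string]Profile{
			"user":  {MfaSerial: "arn:aws:iam::111111111111:mfa/alice"},
			"dev":   {SourceProfile: "user", RoleArn: dev},
			"admin": {SourceProfile: "dev", RoleArn: admin},
		}}
}

func main() {
	for _, skip := range []bool{true, false} { // v7-style first, then the restored flow
		r := SampleResolver(skip)
		_, err := r.Resolve("admin")
		fmt.Printf("skip=%v prompts=%d calls=%v err=%v\n", skip, r.Prompts, r.STS.Calls, err)
	}
}
```

Running it shows the two traces side by side: with the session step skipped, the first AssumeRole is attempted with the long-term keys and is denied; with the restored logic there is exactly one MFA prompt, one GetSessionToken call, and both chained AssumeRole calls succeed on the MFA-authenticated session. The `Calls` audit trail is the kind of evidence worth checking in CloudTrail when diagnosing this class of failure: a role-chaining error with no preceding GetSessionToken is the signature described in the PR.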

@mbevc1

mbevc1 commented Aug 12, 2025

Hi @propilideno !

Thanks for your work on this one. This repo looks abandoned and the maintained fork is https://github.com/ByteNess/aws-vault. Would you mind opening a PR there linking it to ByteNess#67?

@propilideno
Author

> Hi @propilideno !
>
> Thanks for your work on this one. This repo looks abandoned and the maintained fork is https://github.com/ByteNess/aws-vault. Would you mind opening a PR there linking it to ByteNess#67?

Hello @mbevc1, thanks for the contact. Done: ByteNess#75

@propilideno
Author

propilideno commented Aug 12, 2025

edit: force-pushed the same commit with a GPG signature.

@mbevc1

mbevc1 commented Aug 12, 2025

Cheers @propilideno , I'll have a look in a bit!

@mbevc1

mbevc1 commented Aug 15, 2025

This was solved in the fork by: ByteNess#75
And released: https://github.com/ByteNess/aws-vault/releases/tag/v7.6.0 🚀

Thanks @propilideno for your contribution!

@mbevc1

mbevc1 commented Aug 17, 2025

Probably doesn't make sense to keep pushing to this branch anymore.
