Description
Describe the bug
When using an IAM profile/role that requires multi-factor authentication in the AWS_PROFILE envar, the CDK CLI is not prompting for the MFA code, resulting in a missing credentials error.
[09:26:47] Error: Need to perform AWS calls for account ***, but no credentials have been configured
Regression Issue
- Select this option if this issue appears to be a regression.
Last Known Working CDK Version
2.166
Expected Behavior
The CDK CLI should prompt for an MFA code when a profile that requires MFA is set in the AWS_PROFILE envar.
Current Behavior
The CDK CLI is unable to prompt because it does not have an MFA callback handler:
[09:49:12] Resolving default credentials
[09:49:12] Unable to determine the default AWS account (CredentialsProviderError): Profile *** requires multi-factor authentication, but no MFA code callback was provided.
Reproduction Steps
In ~/.aws/.config, create a profile that requires MFA:
[profile mfa-test]
duration_seconds = 43200
mfa_serial = arn:aws:iam::***:mfa/***
output = json
region = us-east-1
role_arn = arn:aws:iam::***:role/***
source_profile = ***
Then export that profile to the AWS_PROFILE envar:
> export AWS_PROFILE=mfa-test
Now run any cdk command that performs AWS calls:
> cdk bootstrap
⏳ Bootstrapping environment aws://***/us-east-1...
❌ Environment aws://***/us-east-1 failed bootstrapping: Error: Need to perform AWS calls for account ***, but no credentials have been configured
Possible Solution
No response
Additional Information/Context
Passing the --profile argument to the CDK CLI does prompt for MFA credentials:
> cdk bootstrap --profile=infra
MFA token for arn:aws:iam::***:mfa/***:
The logs when using --profile:
[10:29:07] Resolving default credentials
[10:29:07] Require MFA token for serial ARN arn:aws:iam::***:mfa/***
vs. the logs when using AWS_PROFILE:
[09:49:12] Resolving default credentials
[09:49:12] Unable to determine the default AWS account (CredentialsProviderError): Profile *** requires multi-factor authentication, but no MFA code callback was provided.
When using AWS_PROFILE, the log message does identify the correct profile.
CDK CLI Version
2.171.0 (build 4957967)
Framework Version
No response
Node.js Version
v20.12.2
OS
macOS
Language
TypeScript
Language Version
No response
Other information
No response
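
A preflight check for the situation reported above, as an added example that is not part of the original issue or the CDK code base: it parses shared-config text in the format shown in the reproduction steps, follows source_profile links, and reports whether the active profile needs an MFA code and whether it was selected by --profile or by AWS_PROFILE. The function names (parseAwsConfig, mfaPreflight), the sample config and the account ID in it are constructed for illustration.

```javascript
// Constructed sample config, modelled on the redacted profile in the report.
const SAMPLE_CONFIG = `
[profile base]
region = us-east-1

[profile mfa-test]
mfa_serial = arn:aws:iam::111111111111:mfa/example-user
role_arn = arn:aws:iam::111111111111:role/example-role
source_profile = base
`;

// Parse "[default]" / "[profile name]" headers followed by "key = value" lines.
// Blank lines and comments (# or ;) are skipped. Hypothetical helper.
function parseAwsConfig(text) {
  const profiles = Object.create(null);
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#') || line.startsWith(';')) continue;
    const header = line.match(/^\[(?:profile\s+)?([^\]]+)\]$/);
    if (header) {
      current = profiles[header[1].trim()] = {};
      continue;
    }
    const eq = line.indexOf('=');
    if (current && eq > 0) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return profiles;
}

// Resolve the active profile and whether assuming its role needs an MFA code.
// cliProfile stands for the value passed to --profile (hypothetical parameter).
function mfaPreflight(configText, env = {}, cliProfile) {
  const profiles = parseAwsConfig(configText);
  const name = cliProfile || env.AWS_PROFILE || 'default';
  const selectedBy = cliProfile ? '--profile' : env.AWS_PROFILE ? 'AWS_PROFILE' : 'default';
  const seen = new Set();
  let mfaSerial = null;
  // Follow source_profile links; any role hop with mfa_serial needs a code.
  for (let p = name; p && profiles[p] && !seen.has(p); p = profiles[p].source_profile) {
    seen.add(p);
    if (profiles[p].role_arn && profiles[p].mfa_serial) mfaSerial = mfaSerial || profiles[p].mfa_serial;
  }
  return { profile: name, selectedBy, found: name in profiles, requiresMfa: mfaSerial !== null, mfaSerial };
}

console.log(mfaPreflight(SAMPLE_CONFIG, { AWS_PROFILE: 'mfa-test' }));
```

A result with requiresMfa true and selectedBy 'AWS_PROFILE' matches the failing case in this report; the reporter's observation is that passing the same profile with --profile does prompt.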