MFA/2fa support. #184
Comments
|
@seivan, Thank you for your question. May I know why assuming a role with this action doesn't work for you? |
|
@paragbhingre Does that allow for external confirmation via 2FA? It just seems like it uses a set of credentials to get access to another set of credentials where the only redeeming factor is the time-limit so they're temporary, which has value, but not exactly 2FA. Would be nice if we could use a virtual MFA (say Google Authenticator) before the steps as an input using something like https://github.com/peter-evans/slash-command-dispatch |
|
@seivan can you describe the kind of user experience you're looking for here? We envision this action executing in workflows driven by programmatic events (e.g., pushes to a repo), which don't typically require or lend themselves well human intervention (like entering a 2FA code), but I could be missing something? |
No, you got it right! 👍🏼 That's exactly what am looking for. With the recent issues, I would say it's time to enable and promote 2FA for letting the CI access your AWS account that enables it to modify or create resources. The part I disagree with it is human intervention does not lend itself, there is several aspects in a deployment pipeline you might want a human to approve or review changes to resources, like a canary to production. |
@seivan I agree with this! Manual approvals in a pipeline, etc., make perfect sense in lots of situations. But MFA is typically used as an extra layer of security for human users authenticating via a web portal, so I'm having trouble picturing what actions your GitHub workflow may need to take which would require it. Are you perhaps trying to assume a role which requires MFA? It that case we could potentially provide |
|
@allisaurus Adding 2FA as a step before the CI can assume said role makes those keys worthless as the human component is missing.
And the opposite is true; there is no situation where a CI should create/deploy production without a one time 2FA auth token generated by a human with a secure device, if that's virtual (iPhone, e.g Google Authenticator.app ) or physical hardware, is a different topic, we use virtual. Right now we have to keep updating Github Organization secrets each time with our OTP everytime we want to deploy, which is cumbersome and error prone. |
|
Adding a more general take on this issue (feel free to ignore if it derails the conversation). If an organization wants/needs another layer of security to limit the impact of the exposure of IAM user access keys is there an approach that would work with Github Actions? Are there any other options? |
|
@dtlaycock Yeah, run it on your own hardware that you control and host your keys on SSM. My concern is mostly if tokens get exposed somewhere (logs, etc) becomes moot as they are essentially worthless on their own. |
|
@seivan there's a couple things going on here, but to go back to your original question:
Which "workflow input features" are you referring to specifically? My information may be dated, but as far as I'm aware the only way to supply a GitHub action with inputs is via named input fields. Through what means do you want to be prompted for and supply a 2fa code? |
|
@allisaurus That's up to you. There are several options, though some require Github Enterprise You could start with https://github.com/peter-evans/slash-command-dispatch and eventually integrate it with Slack or Discord to get prompted to input a token. I apologize, I think you mentioned something earlier and I must have missed it!
This could actually be useful, if you could use the AWS CLI with just |
So directly integrating with or taking a dependency on a third party (non-Amazon) action is something I don't foresee us being able to do, but we can take a look at what other options native to GitHub actions we might be able to leverage or recommend to users. To @dtlaycock 's point, I think we do lack explicit guidance on how workflow authors might further lock down this action (or others), and that's a more general gap we should try to address. Switching the label on this to a feature request as adding support for |
allisaurus
added
feature-request
|
@allisaurus I am not asking AWS to use a third party action. That was just an example on how to provide the generated token. Correct me if I am wrong, but as of now there is no way to supply a generated token to AWS without modifying env variables? Am I wrong? This is a security issue more than anything, because expecting to give CRUD access to a CI with tokens that can be used if exposed is somewhat dangerous. I don't mind exposing burnable one time for a specific moment in time, but having them set permanently for production environment is a bit much.
Yes, this is what I am asking for. The ability to supply them outside of hard coded env variables, the third party action (or slack/discord approach) where just examples. I hope that's clear! |
|
I just want to voice my support for this feature request and hope someone is able to get this working as our team is facing the same problem (and organizational requirements) |
|
I came across this requirement today also and I agree that adding support for SerialNumber and TokenCode inputs is probably the best approach. |
|
This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled. |
github-actions
bot
added
closing-soon
peterwoodworth
added
p2
effort/medium
|
I just wanted to share this in case it helps. You can use https://github.com/step-security/wait-for-secrets GitHub Action to enter MFA tokens during a GitHub Actions workflow. Developers can enter secrets using a web browser and use them in the workflow. |
|
I am also interested in this implemented. My case is when calling GitHub action from third party app via |
Is there any way to use the new workflow input features to request for a 2fa code when getting temporary credentials and put them in during the steps?
The text was updated successfully, but these errors were encountered: