
Cannot use dotnet lambda with MFA enabled #240

Open
madmox opened this issue Sep 8, 2022 · 3 comments
Labels
feature-request A feature should be added or improved. module/cli-ext p2 This is a standard priority issue queued

Comments


madmox commented Sep 8, 2022

Describe the bug

I have MFA enabled and required for my IAM user and assumable IAM role, and the appropriate config/credentials file for AWS CLI. I can successfully use the AWS CLI and the SAM CLI (meaning I am prompted for an MFA code and the commands succeed), but the Amazon.Lambda.Tools CLI commands fail to execute and do not even prompt me for an MFA token.

Expected Behavior

dotnet lambda xxx should prompt for the MFA token and successfully execute.

Current Behavior

dotnet lambda xxx does not prompt for the MFA token and fails with the following error:

Amazon Lambda Tools for .NET Core applications (5.4.5)
Project Home: https://github.com/aws/aws-extensions-for-dotnet-cli, https://github.com/aws/aws-lambda-dotnet

<some error message contextual to the command>: Unable to get IAM security credentials from EC2 Instance Metadata Service.

Reproduction Steps

AWS credentials file:

[default]
aws_access_key_id = <aws_access_key_id>
aws_secret_access_key = <aws_secret_access_key>

AWS config file:

[default]
region = eu-west-3
output = json
role_arn = arn:aws:iam::<accountid>:role/<rolename>
source_profile = default
mfa_serial = arn:aws:iam::<accountid>:mfa/<username>

IAM role permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

IAM role trust relationships:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<accountid>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "Bool": {
                    "aws:multifactorAuthPresent": "true"
                }
            }
        }
    ]
}

Failing command:

Any dotnet lambda command involving an API call to AWS, such as:

dotnet lambda invoke-function <redacted>

Targeted .NET platform

.NET 6

CLI extension version

amazon.lambda.tools 5.4.5 dotnet-lambda

Environment details (OS name and version, etc.)

Windows 11

@madmox madmox added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 8, 2022
@madmox madmox changed the title Cannot use dotnet lambda with MFA Cannot use dotnet lambda with MFA enabled Sep 9, 2022

ashishdhingra commented Sep 9, 2022

MFA support was added in version 3.3.0 as per #31 (comment), as part of commit 1dbccff. This needs reproduction.

@ashishdhingra ashishdhingra added needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels Sep 9, 2022
ashishdhingra commented

Hi @madmox,

Good afternoon.

Somehow I'm unable to reproduce the issue. Below are the steps I followed:

  1. Followed instructions at Using multi-factor authentication (MFA) to set up:
    • IAM role to delegate access to IAM users (added list lambda permissions for reproduction).
    • Creating an IAM user that assumes the role's permissions:
      • Create the IAM user.
      • Policy to allow the IAM user to assume the role.
      • Virtual MFA device for the IAM user.
      • Creating profiles to allow MFA.

My credentials file looks like below:

[test-mfa-user]
aws_access_key_id = <<removed>>
aws_secret_access_key = <<removed>>

[mfa]
source_profile = test-mfa-user
role_arn = arn:aws:iam::<<account-id-removed>>:role/test-mfa-role
mfa_serial = arn:aws:iam::<<account-id-removed>>:mfa/test-mfa-user

  2. Installed/updated to the latest version of the AWS Extensions for .NET CLI Lambda tools using the command dotnet tool update -g Amazon.Lambda.Tools
  3. From the command prompt, executed the command dotnet lambda list-functions --profile mfa. Kindly note the use of the profile named mfa set up previously.

It did prompt me for the MFA code (refer to the attached screenshot).

[screenshot: AWS CLI MFA prompt]

Thanks,
Ashish

@ashishdhingra ashishdhingra added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-reproduction This issue needs reproduction. labels Sep 28, 2022

madmox commented Sep 28, 2022

It looks like I messed up my credentials / config file by using the same profile for both the profile with persistent credentials and the profile with the role and MFA config:

credentials file:

[mfa]
aws_access_key_id = <aws_access_key_id>
aws_secret_access_key = <aws_secret_access_key>

config file:

[profile mfa]
source_profile = mfa
role_arn = arn:aws:iam::<accountid>:role/<rolename>
mfa_serial = arn:aws:iam::<accountid>:mfa/<username>

If I change my config file like this (merged both files in credentials for clarity):

[mfa]
source_profile = mfa-user
role_arn = arn:aws:iam::<accountid>:role/<rolename>
mfa_serial = arn:aws:iam::<accountid>:mfa/<username>

[mfa-user]
aws_access_key_id = <aws_access_key_id>
aws_secret_access_key = <aws_secret_access_key>

Then it works OK. I don't know why my previous configuration was supported by the standard AWS CLI though.

A few non-blocking issues remain:

  • The region selection algorithm is different between dotnet CLI and AWS CLI:
    • The AWS CLI uses the region defined in the mfa profile.
    • The dotnet CLI uses the region defined in the mfa-user profile, and defaults to the region defined in the default profile in case none is defined. It completely ignores the region defined in the mfa profile.
  • It looks like the credentials are not being cached by the dotnet CLI, meaning I have to re-enter the MFA token each time I execute a command. Is there a way to enable credentials caching like it is done by default with the AWS CLI?
  • If I store all my config in the config file instead of the credentials file, I get an error Error calling AssumeRole for role xxx after the MFA prompt (although it works with the AWS CLI):
[profile mfa]
source_profile = mfa-user
role_arn = arn:aws:iam::<accountid>:role/<rolename>
mfa_serial = arn:aws:iam::<accountid>:mfa/<username>

[profile mfa-user]
aws_access_key_id = <aws_access_key_id>
aws_secret_access_key = <aws_secret_access_key>

> dotnet lambda list-functions --profile "mfa"
Amazon Lambda Tools for .NET Core applications (5.4.5)
Project Home: https://github.com/aws/aws-extensions-for-dotnet-cli, https://github.com/aws/aws-lambda-dotnet

Enter MFA code for arn:aws:iam::<removed>:mfa/<removed>: ******
Error listing Lambda functions: Error calling AssumeRole for role arn:aws:iam::<removed>:role/<removed>
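
The profile layouts discussed in this thread (a profile that names itself as its own source_profile, static keys moved into a separate profile, and everything placed in the config file with the "profile " prefix) can be checked offline with the resolver below. This is an added example, not code from the issue or from Amazon.Lambda.Tools: it parses both files the way the AWS CLI merges them (config sections other than [default] carry a "profile " prefix; on a duplicated key the credentials file wins), walks the source_profile chain to the profile that holds static keys, reports whether an MFA prompt is expected, applies the region rule described above for the AWS CLI (the requested profile's own region, else [default]'s), and emits warnings only for the two layouts this thread reports the AWS CLI accepting while dotnet lambda 5.4.5 fails. Account ids, ARNs and key values are constructed placeholders.

```python
"""Resolve an AWS named-profile chain and flag layouts this thread shows
dotnet lambda 5.4.5 rejecting. Added example; not part of the issue thread
or of Amazon.Lambda.Tools. All ARNs, ids and keys below are constructed."""
import configparser

STATIC_KEYS = ("aws_access_key_id", "aws_secret_access_key")


def _parse(text, strip_profile_prefix):
    # Only '=' is a delimiter so ARN values containing ':' are not split.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    out = {}
    for section in cp.sections():
        name = section
        if strip_profile_prefix and section.startswith("profile "):
            name = section[len("profile "):]
        out[name] = dict(cp[section])
    return out


def load_profiles(credentials_text, config_text):
    """Merge both files into {name: {key: value}}. Config sections other than
    [default] carry a 'profile ' prefix; credentials sections do not. On a
    duplicated key the credentials file wins. Each profile also records which
    file supplied its static keys (None when it has none)."""
    config = _parse(config_text, strip_profile_prefix=True)
    creds = _parse(credentials_text, strip_profile_prefix=False)
    profiles = {}
    for name in set(config) | set(creds):
        merged = dict(config.get(name, {}))
        merged.update(creds.get(name, {}))
        if STATIC_KEYS[0] in creds.get(name, {}):
            merged["_static_keys_from"] = "credentials"
        elif STATIC_KEYS[0] in merged:
            merged["_static_keys_from"] = "config"
        else:
            merged["_static_keys_from"] = None
        profiles[name] = merged
    return profiles


def has_static_keys(profile):
    return all(k in profile for k in STATIC_KEYS)


def resolve(profiles, name):
    """Walk name -> source_profile -> ... to the profile holding static keys."""
    if name not in profiles:
        raise KeyError(f"profile {name!r} not found in either file")
    chain, warnings = [name], []
    current = name
    while "source_profile" in profiles[current]:
        src = profiles[current]["source_profile"]
        if src == current:
            # Self-referencing profile: accepted by the AWS CLI (the profile's own
            # static keys are used), reported above as failing in dotnet lambda.
            if not has_static_keys(profiles[current]):
                raise ValueError(f"{current!r} sources itself but has no static keys")
            warnings.append(f"{current!r} uses itself as source_profile; move the "
                            "static keys into a separate profile for dotnet lambda")
            break
        if src in chain:
            raise ValueError(f"source_profile cycle: {' -> '.join(chain + [src])}")
        if src not in profiles:
            raise KeyError(f"source_profile {src!r} of {current!r} not found")
        chain.append(src)
        current = src
    leaf = profiles[chain[-1]]
    if not has_static_keys(leaf):
        raise ValueError(f"end of chain {chain[-1]!r} holds no static credentials")
    if leaf["_static_keys_from"] == "config":
        # Static keys in the config file: fine for the AWS CLI, but the thread
        # reports 'Error calling AssumeRole' from dotnet lambda with this layout.
        warnings.append(f"static keys of {chain[-1]!r} live in the config file; "
                        "move them to the credentials file for dotnet lambda")
    regions = {p: profiles[p].get("region") for p in chain if profiles[p].get("region")}
    if len(set(regions.values())) > 1:
        warnings.append(f"region differs along the chain {regions}; the thread "
                        "reports the two CLIs choosing it from different profiles")
    # AWS CLI rule as described in the thread: own region, else [default]'s.
    region = profiles[name].get("region") or profiles.get("default", {}).get("region")
    return {"chain": chain, "role_arn": profiles[name].get("role_arn"),
            "mfa_prompt": "mfa_serial" in profiles[name], "region": region,
            "warnings": warnings}


# Constructed sample A: the reporter's first layout (profile sources itself).
CREDENTIALS_A = "[mfa]\naws_access_key_id = AKIAEXAMPLEPLACEHOLDER\n" \
                "aws_secret_access_key = EXAMPLESECRETPLACEHOLDER\n"
CONFIG_A = ("[profile mfa]\nsource_profile = mfa\n"
            "role_arn = arn:aws:iam::123456789012:role/example-role\n"
            "mfa_serial = arn:aws:iam::123456789012:mfa/example-user\nregion = eu-west-3\n")
# Constructed sample B: the working layout (static keys in their own profile).
CREDENTIALS_B = "[mfa-user]\naws_access_key_id = AKIAEXAMPLEPLACEHOLDER\n" \
                "aws_secret_access_key = EXAMPLESECRETPLACEHOLDER\n"
CONFIG_B = ("[default]\nregion = eu-west-3\n[profile mfa]\nsource_profile = mfa-user\n"
            "role_arn = arn:aws:iam::123456789012:role/example-role\n"
            "mfa_serial = arn:aws:iam::123456789012:mfa/example-user\n")

if __name__ == "__main__":
    for creds, conf in ((CREDENTIALS_A, CONFIG_A), (CREDENTIALS_B, CONFIG_B)):
        print(resolve(load_profiles(creds, conf), "mfa"))
```

Running the block prints the resolved chain for both sample layouts; layout A yields a single warning about the self-referencing profile, layout B resolves cleanly to mfa -> mfa-user with the region taken from [default]. Feeding it a config-file-only layout (static keys under "[profile mfa-user]" in the config text and an empty credentials text) produces the config-file warning that corresponds to the AssumeRole failure quoted above.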

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Sep 29, 2022
@peterrsongg peterrsongg added feature-request A feature should be added or improved. and removed bug This issue is a bug. labels Oct 10, 2022
@ashishdhingra ashishdhingra added p2 This is a standard priority issue and removed B labels Nov 1, 2022