Ruby AWS SDK - Using Aws::AssumeRoleCredentials without mfa token
I'm getting to grips with AWS authentication and seem to have hit a blank with using the Aws::AssumeRoleCredentials object.
Hopefully I'm just misunderstanding if I should even be using it.
I have a successful method of assuming the role when using an mfa token:
```ruby
require 'aws-sdk-core' # provides Aws::STS::Client

# Assume the role referenced in the profile
def assume_role(mfa_token_code = nil)
  sts_client = Aws::STS::Client.new(credentials: @user_credentials, region: @user_profile.region)
  @role_credentials = sts_client.assume_role(
    {
      role_arn: @user_profile.role_arn, # required
      role_session_name: @session_name, # required
      duration_seconds: @duration_seconds,
      serial_number: @user_profile.mfa_serial,
      token_code: mfa_token_code.to_s
    }
  )
end
```
This works fine but requires the mfa token.
I think it's possible to then authenticate again if the session hasn't timed out, without needing to prompt the user for another mfa token, but I'm struggling to find a way to do it.
I'm tinkering around with the AssumeRoleCredentials object in the hope that it is the correct object for this:
```ruby
def authenticate_as_application_user
  begin
    # First try to assume the role without an MFA token
    @role_credentials = Aws::AssumeRoleCredentials.new(
      # client: Aws::STS::Client.new(credentials: @user_credentials, region: @user_profile.region),
      duration_seconds: @duration_seconds,
      role_arn: @user_profile.role_arn,
      role_session_name: 'session-name-xxxxxxxxx'
    )
  rescue
    # Fall back to prompting for an MFA code
    puts 'Enter MFA code: '
    mfa_token_code = gets.to_s.chomp
    # gets.chomp never returns nil, so test for an empty string instead
    if mfa_token_code.empty?
      puts('No code supplied, aborting')
    else
      assume_role(mfa_token_code)
    end
  end
end
```
No matter what I try this code fails to assume the role with an error:
Access denied
I know from other Python tools that I'm using that if I authenticate with an mfa token, and then rerun the tool, I'm not prompted again until the original session timeout expires.
What am I doing wrong?
Thanks
ruby amazon-web-services aws-sdk
asked Nov 15 '18 at 18:34
Bradley Atkins
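
Added example (not part of the original post and not aws-sdk code): one way to get the behaviour the question describes, where a rerun does not prompt for MFA until the session expires, is to cache the temporary credentials returned by the MFA-backed `assume_role` call in an owner-only file and reuse them until shortly before they expire. `RoleCredentialCache`, its cache path and the 300-second skew are hypothetical; the block passed to `fetch` stands in for the MFA prompt plus `assume_role`, and is assumed to return a hash with a `Time` under `:expiration`.

```ruby
require 'json'
require 'time'

# Hypothetical helper (not part of aws-sdk): reuses temporary role credentials
# across runs so MFA is only requested when the cached session has expired.
class RoleCredentialCache
  SKEW = 300 # seconds; stop using credentials this long before they expire

  def initialize(path, now: -> { Time.now })
    @path = path
    @now = now
  end

  # Returns cached credentials while valid; otherwise yields to get fresh
  # ones (the MFA prompt and sts_client.assume_role call belong in the block).
  def fetch
    cached = load
    return cached if cached

    fresh = yield
    store(fresh)
    fresh
  end

  private

  def load
    return nil unless File.file?(@path)
    # Ignore a cache file that group or other users can access.
    return nil unless (File.stat(@path).mode & 0o077).zero?

    data = JSON.parse(File.read(@path), symbolize_names: true)
    return nil unless data[:expiration].is_a?(String)

    data[:expiration] = Time.iso8601(data[:expiration])
    data[:expiration] - SKEW <= @now.call ? nil : data
  rescue JSON::ParserError, ArgumentError, TypeError
    nil # a corrupt cache is treated as a miss
  end

  def store(creds)
    File.open(@path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) do |f|
      f.chmod(0o600) # tighten a pre-existing file before writing secrets
      f.write(JSON.generate(creds.merge(expiration: creds[:expiration].iso8601)))
    end
  end
end
```

The returned hash's `:access_key_id`, `:secret_access_key` and `:session_token` can be passed to `Aws::Credentials.new` to build clients without a new MFA prompt.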