AWS CLI plugin is not supporting external OTP anymore

hellvinz
Community Member

Hello!
Before the last release of the 1Password CLI, using an external OTP device (a YubiKey) was possible for AWS accounts with an MFA serial.
That's not the case anymore since this commit: https://github.com/1Password/shell-plugins/blob/main/plugins/aws/sts_provisioner.go#L218-L221
It is also not listed in the 2.17.0 release notes (https://app-updates.agilebits.com/product_history/CLI2), even though it's a breaking change.
I think that reduces the level of security that was available before (and was working perfectly, by the way): not storing the OTP in 1Password provides higher security than having the password and the second factor in the same place.
Is it possible to revert that change?
Best
Vincent


1Password Version: Not Provided
Extension Version: 2.17.0
OS Version: Not Provided
Browser: Not Provided

Comments

  • bradical
    Community Member
    edited May 2023

    Hi Vincent, I think I might be running into the same issue. How exactly do you configure the 1P record to use your YubiKey? Obviously there is no MFA field. Do you just specify the ARN of the YubiKey in mfa serial?

  • hellvinz
    Community Member

    Hi! Like this, in .aws/config:

    [profile iam_main]
    credential_process = sh -c 'echo "{\n \"Version\": 1,\n \"AccessKeyId\": \"$(op read "op://Personal/iam_main/access key id")\",\n \"SecretAccessKey\": \"$(op read "op://Personal/iam_main/secret access key")\"\n}" '
    [profile production]
    role_arn=arn:aws:iam::xxxxxxxxx:role/AdminRole
    source_profile=iam_main
    mfa_serial = arn:aws:iam::xxxxxxxxxxx:mfa/vincent

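As an added illustration (not code from the thread or from 1Password), the credential_process contract the config above relies on, written as a small POSIX sh script: it reads the static keys from 1Password with `op read`, as the config does, and prints the Version 1 JSON the AWS CLI expects, so that the AWS CLI itself handles the mfa_serial prompt on the role profile and the OTP can stay on an external device. The vault/item path is a placeholder, and `printf` replaces `echo` so the output does not depend on how a given shell's `echo` treats `\n`.

```shell
#!/bin/sh
# Added example of an AWS credential_process helper; not part of the original post.
# Usage in ~/.aws/config (path is an assumption):
#   [profile iam_main]
#   credential_process = /path/to/op-aws-creds.sh --run

OP_ITEM="op://Personal/iam_main"   # placeholder vault/item path, adjust to your own

# Emit the credential_process JSON document for a pair of static keys.
# printf is used instead of echo so the output is the same under dash, bash and zsh.
credential_json() {
    access_key_id="$1"
    secret_access_key="$2"
    printf '{"Version": 1, "AccessKeyId": "%s", "SecretAccessKey": "%s"}\n' \
        "$access_key_id" "$secret_access_key"
}

# Read both keys from 1Password; refuse to emit a document if either lookup
# fails or comes back empty, so the AWS CLI reports an error instead of
# silently using blank credentials.
emit_from_1password() {
    akid="$(op read "$OP_ITEM/access key id")" || return 1
    secret="$(op read "$OP_ITEM/secret access key")" || return 1
    if [ -z "$akid" ] || [ -z "$secret" ]; then
        echo "credential_process: empty value read from 1Password" >&2
        return 1
    fi
    credential_json "$akid" "$secret"
}

# Only talk to 1Password when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    emit_from_1password
fi
```

With this in place, `aws --profile production s3 ls` lets the AWS CLI read the static keys through the script and prompt for the MFA code for the ARN in mfa_serial, which is where a hardware token's code can be typed.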
  • Hi @hellvinz @bradical, could you share the exact error message you are getting? I see that the linked change that you identified has:

    // only 1Password OTPs are supported
    if awsConfig.MfaToken != "" || awsConfig.MfaProcess != "" || awsConfig.MfaPromptMethod != "" {
        return fmt.Errorf("only 1Password-backed OTP authentication is supported by the MFA worklfow of the AWS shell plugin")
    }


    Are you getting this error message or are you getting: Credential Process Authentication is not yet supported by the AWS Shell Plugin. If you would like for this feature to be supported, upvote or take on its issue: ... ?

  • bradical
    Community Member
    edited May 2023

    I'll need to try to reproduce it again, but it seemed like I was getting an error about a missing ARN, or there wasn't a mechanism for registering the physical security key I'm using in AWS within the 1Password entry. For now, I've enabled two different types of MFA: one physical security key and the other 1Password OTP.

    UPDATE: Here's the error I receive when using the ARN of my physical security key in 1P:

    [ERROR] 2023/05/26 17:15:26 could not run plugin AWS CLI: failed to provision credentials, encountered error(s):
    operation error STS: GetSessionToken, https response error StatusCode: 403, RequestID: <REQUEST_ID>, api error AccessDenied: MultiFactorAuthentication failed, unable to validate MFA code.  Please verify your MFA serial number is valid and associated with this user
    
  • hellvinz
    Community Member

    @andi.t_1P I'm getting this:

    ❯ aws --profile production  s3 ls
    ? Locate your AWS Access Key: production (Personal)
    
    2023/06/09 11:58:02 Loading config file /Users/vincent/.aws/config
    2023/06/09 11:58:02 Parsing config file /Users/vincent/.aws/config
    [ERROR] 2023/06/09 11:58:02 could not run plugin AWS CLI: failed to provision credentials, encountered error(s):
    MFA failed: an MFA serial was found but no OTP has been set up in 1Password
    
  • Hi again! Yes, so the main reason for this problem seems to be that for MFA we only support 1Password OTPs. So YubiKeys or other virtual devices are not supported. If the shell plugin detects an MFA serial, either in the file or in 1Password, it will try to look for an OTP field to extract the TOTP from there.

    If I understand correctly, you would like a way to use the shell plugin with MFA but with a third-party TOTP provider.

This discussion has been closed.