Allow users to assume MFA device is already configured #68
Conversation
|
Testing: go run ./cmd/ setup --iam-user cgilmer-delete-me --iam-role engineer --aws-profile delete-id --aws-account-id REDACTED --no-mfa |
| if len(mfaDeviceOutput.MFADevices) == 0 { | ||
| return errors.New("no MFA devices registered") | ||
| } | ||
| mfaDevice := mfaDeviceOutput.MFADevices[0] |
There was a problem hiding this comment.
Does this mean you're taking the first device? Is it possible to have more than 1? How do you support a user who wants to use an MFA device that isn't the first one?
There was a problem hiding this comment.
I didn't think the setup supported more than one. Now I'm curious.
There was a problem hiding this comment.
Yeah, there's room for several in the api return but in practice I've never ever seen more than one. I assume it's some kind of internal tooling where they can provision a new one while the old one is being deprovisioned.
Regardless, I think it's a difficult user experience to try to figure out which one the user wants to select given the output of the API. So it's probably safe to assume the first one is the right one and all other edge cases will not be handled.
There was a problem hiding this comment.
For safety I added in an error if more than one is returned.
This was a useful modification for MilMove where new credentials were provided after the MFA was already set up. Passing the flag
--no-mfawill retrieve the existing MFA serial number instead of creating and enabling a new device.Pivotal Story:
Notes: This could possibly be a separate subcommand like
setup-new-aws-user update-credsbut for now it feels better to keep things simplified until we know more about the workflow around setting up accounts.