Not authorized to perform sts:AssumeRole when MFA times out
Describe the bug
When you have a role that requires MFA, that is assumed from another account, when the MFA session expires Leapp can no longer connect and gives the following error:
User: <PARENT ACCOUNT USER> is not authorized to perform sts:AssumeRole on resource <ASSUME ROLE>
Leapp Version
0.18.1
To Reproduce
Steps to reproduce the behavior:
- Create two AWS accounts - I'll call them parent and child
- Add MFA to your root account
- Create a role in your child account with the following policy (below)
- Set up accounts in Leapp.
- Assume into the child account via Leapp
- You should be prompted for MFA
- Wait for 2 hours
- Try to reconnect to the child account via Leapp
- See the error above.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
```
Expected behavior
I should be allowed to reconnect to the assume role as I have permission.
I believe this is an issue with the session not being correctly cleared or reprompting for MFA.
Desktop (please complete the following information):
- OS: macOS Ventura
- OS Version: 13.6
- Leapp Version: 0.18.1
Additional context
Thanks for the great software! I recommend it all the time :) ✌️
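The behaviour the report expects (a cached MFA-backed role session is reused while it is live, and a fresh MFA prompt is raised once it has expired instead of reusing the stale session) can be modelled in a few lines. The following is an added example, not Leapp's code or the project's own caching logic: the role ARN, the one-hour session lifetime, the TOTP code and the stand-in for STS are all constructed, and `condition_allows` only models IAM's `Bool` versus `BoolIfExists` evaluation for the `aws:MultiFactorAuthPresent` key used in the policy above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Tuple

ONE_HOUR = timedelta(hours=1)  # constructed session lifetime for the scenario below


@dataclass
class AssumedRoleSession:
    """Temporary credentials as returned by sts:AssumeRole (modelled, not real STS output)."""
    role_arn: str
    expiration: datetime   # STS Credentials.Expiration is an absolute UTC timestamp
    mfa_present: bool      # whether the AssumeRole call carried an MFA token

    def is_valid(self, now: datetime, skew: timedelta = timedelta(minutes=5)) -> bool:
        # Treat the session as unusable a few minutes early so a call already in
        # flight does not fail with an expired-token error.
        return now + skew < self.expiration


class MfaSessionCache:
    """Caches assumed-role sessions per role ARN; re-prompts for MFA once a session expires."""

    def __init__(
        self,
        assume_role: Callable[[str, Optional[str], datetime], AssumedRoleSession],
        prompt_mfa: Callable[[], str],
    ) -> None:
        self._assume_role = assume_role
        self._prompt_mfa = prompt_mfa
        self._sessions: Dict[str, AssumedRoleSession] = {}

    def get(self, role_arn: str, now: datetime) -> Tuple[AssumedRoleSession, bool]:
        """Return (session, prompted). Reuse a live session; otherwise evict it and re-prompt."""
        cached = self._sessions.get(role_arn)
        if cached is not None and cached.is_valid(now):
            return cached, False
        # The symptom in the report matches this step being skipped: a stale entry is
        # kept and AssumeRole is retried without a fresh token, so STS refuses the call.
        self._sessions.pop(role_arn, None)
        token = self._prompt_mfa()
        session = self._assume_role(role_arn, token, now)
        self._sessions[role_arn] = session
        return session, True


def condition_allows(operator: str, request_context: Dict[str, str]) -> bool:
    """Evaluate {"<operator>": {"aws:MultiFactorAuthPresent": "true"}} against a request context.

    IAM semantics: "Bool" is false when the key is absent; "BoolIfExists" evaluates to
    true when the key is absent (e.g. a request signed with long-term access keys).
    """
    value = request_context.get("aws:MultiFactorAuthPresent")
    if value is None:
        return operator == "BoolIfExists"
    return value == "true"


def run_scenario(hours_elapsed: float) -> Dict[str, object]:
    """Constructed scenario: assume the child role, wait, reconnect; report what happened."""
    role_arn = "arn:aws:iam::111111111111:role/ChildRole"  # placeholder account id and role
    start = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    prompts = 0

    def prompt_mfa() -> str:
        nonlocal prompts
        prompts += 1
        return "123456"  # constructed TOTP code

    def fake_sts_assume_role(arn: str, token: Optional[str], now: datetime) -> AssumedRoleSession:
        # Stand-in for STS: without a token the role's MFA condition is not met.
        if not token:
            raise PermissionError(f"not authorized to perform sts:AssumeRole on resource {arn}")
        return AssumedRoleSession(arn, now + ONE_HOUR, mfa_present=True)

    cache = MfaSessionCache(fake_sts_assume_role, prompt_mfa)
    first, _ = cache.get(role_arn, start)
    later = start + timedelta(hours=hours_elapsed)
    second, reprompted = cache.get(role_arn, later)
    return {
        "prompts": prompts,
        "reprompted": reprompted,
        "same_session": first is second,
        "second_valid": second.is_valid(later),
    }


if __name__ == "__main__":
    print("reconnect after 15 min:", run_scenario(0.25))
    print("reconnect after 2 h:   ", run_scenario(2))
    print("BoolIfExists, key absent:", condition_allows("BoolIfExists", {}))
```

Running it shows one MFA prompt when reconnecting after 15 minutes and two when reconnecting after two hours, which is the expected behaviour the report asks for. The `condition_allows` helper also makes a point worth checking when writing the policy above: with `BoolIfExists`, a request in which the key is absent is allowed, whereas `Bool` would deny it, so the operator choice decides whether long-term-credential requests pass the MFA condition.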
Thanks for reporting the issue Josh!
I think it's a problem related to the caching of the MFA session.
Have you tried to update the App to the last version?
@andreacavagna01 yes, just tested with the latest version and it's still an issue. Version 0.23.0
Thanks for testing! The problem is clear; it's surely a bug in the caching system. Thanks for the enhancement!