mfa_serial support for user profiles #529

Open
outcoldman opened this issue Mar 1, 2018 · 7 comments

@outcoldman

I know that it is currently possible to specify mfa_serial on profiles, and the CLI tool will automatically ask for the MFA token to authenticate when you make a call under this profile when assume role is used.

Curious if there is any reason not to support MFA on the default (source) profile, like to be able to attach this policy to all admin users

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowIfMFAPresent",
            "Effect": "Allow",
            "Resource": "*",
            "Action": "*",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        }
    ]
}

And after that allow the CLI tool to use a config like

[default]
region = us-west-2
aws_access_key_id = YYY1
aws_secret_access_key = XXX1
mfa_serial = ZZZ1

So in that case I will be able to call

aws s3 ls

And that will ask me for the mfa token if it is expired or has not been set.
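The behaviour requested above (prompt for an MFA code only when no unexpired session is cached), sketched as an added example; it is not code from botocore, aws-cli or the linked pull requests. The function names and cache-file layout are assumptions, and the only AWS call is STS GetSessionToken through boto3, which is assumed to be installed.

```python
import configparser, json, os
from datetime import datetime, timedelta, timezone

def read_mfa_serial(config_path, profile="default"):
    """Return mfa_serial from an AWS-style INI file, or None if it is not set."""
    cp = configparser.ConfigParser()
    cp.read(config_path)
    return cp.get(profile, "mfa_serial", fallback=None)

def load_cached(path, now=None, skew=timedelta(minutes=5)):
    """Return cached session credentials unless missing, corrupt or near expiry."""
    now = now or datetime.now(timezone.utc)
    try:
        with open(path) as fh:
            creds = json.load(fh)
        expires = datetime.fromisoformat(creds["Expiration"])
        return creds if expires - skew > now else None
    except (OSError, ValueError, KeyError, TypeError):
        return None

def store_cached(path, creds):
    """Write credentials readable by the owner only (they are bearer secrets)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tighten a pre-existing file
    with os.fdopen(fd, "w") as fh:
        json.dump(creds, fh)

def fetch_with_mfa(mfa_serial, token_code, duration=3600):
    """Exchange long-term keys plus an MFA code for temporary credentials."""
    import boto3  # assumption: boto3 installed, long-term keys in the default profile
    c = boto3.client("sts").get_session_token(
        SerialNumber=mfa_serial, TokenCode=token_code, DurationSeconds=duration
    )["Credentials"]
    return {
        "AccessKeyId": c["AccessKeyId"],
        "SecretAccessKey": c["SecretAccessKey"],
        "SessionToken": c["SessionToken"],
        "Expiration": c["Expiration"].isoformat(),
    }

def get_session(mfa_serial, cache_path, prompt=input, fetch=fetch_with_mfa, now=None):
    """Reuse a valid cached session; otherwise prompt for a code and refresh."""
    creds = load_cached(cache_path, now)
    if creds is None:
        creds = fetch(mfa_serial, prompt(f"MFA code for {mfa_serial}: "))
        store_cached(cache_path, creds)
    return creds
```

The returned values would be exported as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN before running a command such as aws s3 ls, so the request carries the MFA context that the policy condition checks.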

@outcoldman
Author

Started to work on implementation in botocore boto/botocore#1399

@outcoldman
Author

Also implementation to support cache in aws-cli aws/aws-cli#3174

@outcoldman
Author

@JordonPhillips I have finished work on MFA token support for aws-cli.
2 pull requests:
aws/aws-cli#3174 (to add cache support)
boto/botocore#1399 (to add mfa support)

Could you please review them? It is a very common workflow for folks to use MFA for their environments, and a lot mostly just use their own wrappers on top of awscli, which seems like overkill.

I have installed both botocore and awscli from my branches to my local pip and verified that the fix is working. If there is anything else required to add this fix, please let me know. I will be happy to add it.

@stealthycoin

This doesn't need both an issue and a PR. Let's keep the discussion in the Pull Request.

@justnance added guidance (Request for help or guidance) and feature-request (New feature or request) labels Dec 7, 2018
thoward-godaddy referenced this issue in thoward-godaddy/aws-cli Feb 12, 2022
…ons_Images test requirement (#3172)

* chore: Update dateparser to 1.0

* Move public ECR limited test cases to Canary tests
@stealthycoin linked a pull request Apr 13, 2022 that will close this issue
@stealthycoin removed the guidance (Request for help or guidance) label Apr 13, 2022
@stealthycoin

Our team just put out a recent proposal in aws/aws-cli#6828 detailing improvements to the contribution process. We are working through open PRs and issues. This is a popular feature request that has a couple of open PRs: aws/aws-cli#3174, boto/botocore#1399.

This feature affects credential loading and so it will need a design to be reviewed and approved before any work on a PR can start. I will be marking this feature request as blocked in accordance with the new process, pending a design outline in this issue.

@tim-finnigan

Regarding this point mentioned earlier:

> This feature affects credential loading and so it will need a design to be reviewed and approved before any work on a PR can start. I will be marking this feature request as blocked in accordance with the new process, pending a design outline in this issue.

The design element of this proposed feature request needs to be considered at a cross-SDK level as it involves user profiles. So I'm going to transfer this issue to our cross-SDK repository for continued tracking going forward. We encourage others to 👍 the issue if interested in seeing the feature request implemented, and comment if you have additional use cases or general information to share.

@tim-finnigan self-assigned this May 1, 2023
@tim-finnigan transferred this issue from aws/aws-cli May 1, 2023
@tim-finnigan removed their assignment Sep 28, 2023
@tb3088

tb3088 commented Oct 25, 2023

So, heat-death of the universe before you guys merge a dozen-line fix authored 5 years ago? This is NOT HARD. For the other API languages the changes are probably almost identical to the Boto version.

Forcing users to write their own 'assume-role|session' wrapper scripts is just insane.
It's mighty tempting to just fork and build my own CLI binary.
