lookup mfa_serial in source_profile section if not found in specified profile

Mike Morris · Mike Morris · commit 1b8f1b1d3fb0 · 2017-10-01T11:15:55.000-05:00
Attempt to look up the mfa_serial in source_profile if not found in the provided
profile.  Allows us to simplify the config file a bit at the expense of full
compatibility with awscli (AWS SDKs in general?)

Updated README with example on how this works
diff --git a/AWSConfigParser.go b/AWSConfigParser.go
@@ -17,9 +17,26 @@ type AWSConfigParser struct {
 	Logger *logo.Logger
 }
 
+func (p *AWSConfigParser) lookupProfile(profile *string, cfg *ini.File) (*AWSProfile, error) {
+	p.Logger.Debug("In lookupProfile()")
+	section := "default"
+
+	if *profile != "default" {
+		section = "profile " + *profile
+	}
+
+	p.Logger.Debugf("Looking for profile data in section: '%s'", section)
+	profile_t := &AWSProfile{SourceProfile: *profile}
+	err := cfg.Section(section).MapTo(profile_t)
+	if err != nil {
+		return nil, err
+	}
+
+	return profile_t, nil
+}
+
 func (p *AWSConfigParser) GetProfile(profile *string) (*AWSProfile, error) {
 	p.Logger.Debug("In GetProfile()")
-	section := "default"
 
 	cfg, err := p._readConfig()
 	if err != nil {
@@ -28,17 +45,21 @@ func (p *AWSConfigParser) GetProfile(profile *string) (*AWSProfile, error) {
 
 	cfg.BlockMode = false
 
-	if *profile != "default" {
-		section = "profile " + *profile
-	}
-
-	p.Logger.Debugf("Looking for profile data in section: '%s'", section)
-	profile_t := &AWSProfile{SourceProfile: *profile}
-	err = cfg.Section(section).MapTo(profile_t)
+	profile_t, err := p.lookupProfile(profile, cfg)
 	if err != nil {
 		return nil, err
 	}
 
+	if len(profile_t.MfaSerial) < 1 && *profile != profile_t.SourceProfile {
+		p.Logger.Debug("No mfa_serial config found in profile, checking source_profile")
+		src_profile_t, err := p.lookupProfile(&profile_t.SourceProfile, cfg)
+		if err == nil {
+			profile_t.MfaSerial = src_profile_t.MfaSerial
+		} else {
+			p.Logger.Debugf("Ignoring error while looking up source_profile info: %+v", err)
+		}
+	}
+
 	p.Logger.Debugf("PROFILE: %+v", *profile_t)
 	return profile_t, nil
 }
diff --git a/README.md b/README.md
@@ -45,19 +45,31 @@ Pre-compiled binaries for various platforms can be downloaded [here](https://git
 ## Configuration
 
 To configure a profile in the .aws/config file for using AssumeRole, make sure the `source_profile` and `role_arn` attributes are
-set for the profile.  The `role_arn` attribute will determine which role will be assumed for that profile.  The `source_profile`
-attribute specifies the name of the profile which will be used to perform the GetSessionToken operation.
+set for the desired profile.  The `role_arn` attribute will determine which role to assume for that profile.  The `source_profile`
+attribute specifies the name of the profile which will be used to perform the GetSessionToken operation.  If you wish to supply an MFA
+code when doing the GetSessionToken call, you **MUST** specify the `mfa_serial` attribute in the profile referenced by `source_profile`
 
 If the `mfa_serial` attribute is present in the profile configuration, That MFA device will be used when requesting or refreshing
-the session token.
+the session token.  If the attribute is not found in the profile configuration, the program will attempt to find it in the section
+referenced by `source_profile`, in an attempt to simplify the config file.  (NOTE: this is a non-standard configuration, and may break
+other tools which require the mfa_serial attribute inside the profile config to make the AssumeRole API call, [ex: awscli])
 
-Example:
+Example (compatible with awscli `--profile` option):
 
     [profile admin]
     source_profile = default
     role_arn = arn:aws:iam::987654321098:role/admin_role
     mfa_serial = arn:aws:iam::123456789098:mfa/iam_user
 
+Example (NOT compatible with awscli `--profile` option, if MFA requred for AssumeRole):
+
+    [default]
+    mfa_serial = arn:aws:iam::123456789098:mfa/iam_user
+
+    [profile admin]
+    source_profile = default
+    role_arn = arn:aws:iam::987654321098:role/admin_role
+
 ### Required AWS permissions
 
 The user's credentials used by this program will need access to call the following AWS APIs to function:
diff --git a/RoleGetter.go b/RoleGetter.go
@@ -3,8 +3,8 @@ package main
 import (
 	"encoding/json"
 	"github.com/aws/aws-sdk-go/service/iam"
-	"net/url"
 	"github.com/mbndr/logo"
+	"net/url"
 )
 
 type RoleGetter interface {

Original file line number	Diff line number	Diff line change
`@@ -3,8 +3,8 @@ package main`
`3`	`3`	`import (`
`4`	`4`	`"encoding/json"`
`5`	`5`	`"github.com/aws/aws-sdk-go/service/iam"`
`6`		`- "net/url"`
`7`	`6`	`"github.com/mbndr/logo"`
	`7`	`+ "net/url"`
`8`	`8`	`)`
`9`	`9`
`10`	`10`	`type RoleGetter interface {`