Support using MFA devices for AWS CLI commands #28

Merged
merged 1 commit into from
Jun 17, 2021

@toricls toricls commented Jun 16, 2021

This PR implements MFA support for AWS CLI commands and closes #27 🚀

It reads the AWS CLI configuration (by aws configure get mfa_serial) to detect if it needs an MFA code to proceed. The script also accepts an environment variable AWS_MFA_SERIAL to set the ARN of the MFA device, instead of the AWS CLI configuration.

Try it with AWS_PROFILE=<your-profile-here> bash <( curl -Ls https://raw.github.com/toricls/amazon-ecs-exec-checker/support-mfa/check-ecs-exec.sh ) <ecs-cluster-name> <ecs-task-id>.

@toricls toricls added the enhancement New feature or request label Jun 16, 2021
@toricls toricls mentioned this pull request Jun 16, 2021
@deleugpn

I'm not sure if I'm missing something

sh-4.2# AWS_PROFILE=customergauge_dta sh check-ecs-exec.sh Fargate 95c18c8a48e847dc94cdab124302e191
-------------------------------------------------------------
Prerequisites for check-ecs-exec.sh v0.5
-------------------------------------------------------------
  jq      | OK (/usr/bin/jq)
  AWS CLI | OK (/usr/local/bin/aws)

Type your MFA code from "arn:aws:iam::############:mfa/marco.deleu": 00000
Enter MFA code for arn:aws:iam::############:mfa/marco.deleu:

An error occurred (AccessDenied) when calling the GetSessionToken operation: Cannot call GetSessionToken with session credentials

Notice how I got asked twice: the first time the numbers are visible and the second time they're not.

@toricls
Contributor Author

toricls commented Jun 17, 2021

Thanks @deleugpn for checking!

I'm still not sure about the cause of the error, but could you run that again with the following command to make sure you're using the latest script?

AWS_PROFILE=customergauge_dta bash <( curl -Ls https://raw.github.com/toricls/amazon-ecs-exec-checker/support-mfa/check-ecs-exec.sh ) Fargate 95c18c8a48e847dc94cdab124302e191

@deleugpn

That command seems to be broken for me, so I used that link to download the file and run it

sh-4.2# AWS_PROFILE=customergauge_dta bash <( curl -Ls https://raw.github.com/toricls/amazon-ecs-exec-checker/support-mfa/check-ecs-exec.sh ) Fargate 95c18c8a48e847dc94cdab124302e191
sh: syntax error near unexpected token `('
sh-4.2#
sh-4.2#
sh-4.2# curl https://raw.github.com/toricls/amazon-ecs-exec-checker/support-mfa/check-ecs-exec.sh > check-ecs-exec.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 27104  100 27104    0     0   199k      0 --:--:-- --:--:-- --:--:--  197k
sh-4.2# chmod 777 check-ecs-exec.sh
sh-4.2# AWS_PROFILE=customergauge_dta sh check-ecs-exec.sh Fargate 95c18c8a48e847dc94cdab124302e191
-------------------------------------------------------------
Prerequisites for check-ecs-exec.sh v0.5
-------------------------------------------------------------
  jq      | OK (/usr/bin/jq)
  AWS CLI | OK (/usr/local/bin/aws)

Type your MFA code from "arn:aws:iam::##########:mfa/marco.deleu": 000000
Enter MFA code for arn:aws:iam::::##########:mfa/marco.deleu:

An error occurred (AccessDenied) when calling the GetSessionToken operation: Cannot call GetSessionToken with session credentials

@toricls toricls force-pushed the support-mfa branch 2 times, most recently from a6ec79a to 1fb4641 Compare June 17, 2021 08:54
@toricls
Contributor Author

toricls commented Jun 17, 2021

Thank you! I fixed an issue where the script couldn't handle an MFA + AssumeRole case correctly, so I hope it works this time! 🙏

@deleugpn

Awesome! This seems to work great!

@toricls toricls merged commit 1a5e57c into aws-containers:main Jun 17, 2021
@toricls toricls deleted the support-mfa branch June 17, 2021 22:01
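
The MFA handling discussed in this thread, as an added example (not the code from this PR or from check-ecs-exec.sh): it resolves the device ARN from AWS_MFA_SERIAL or `aws configure get mfa_serial`, reads the code without echoing it, and skips GetSessionToken for profiles that set role_arn. It assumes that for such profiles the AWS CLI prompts for the MFA code itself and then runs with session credentials; the function names are hypothetical and the script is written for POSIX sh.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from check-ecs-exec.sh.

# MFA device ARN: AWS_MFA_SERIAL wins, otherwise the profile's mfa_serial.
resolve_mfa_serial() {
  if [ -n "${AWS_MFA_SERIAL:-}" ]; then
    printf '%s\n' "$AWS_MFA_SERIAL"
  else
    aws configure get mfa_serial 2>/dev/null || true
  fi
}

# How the active profile should obtain credentials:
#   none          - no MFA device configured
#   cli-managed   - profile sets role_arn; assumption: the AWS CLI prompts for
#                   the code itself and then holds session credentials, so an
#                   explicit GetSessionToken call is rejected with AccessDenied
#   session-token - long-term keys plus MFA; call GetSessionToken explicitly
mfa_mode() (
  serial=$(resolve_mfa_serial)
  role=$(aws configure get role_arn 2>/dev/null || true)
  if [ -z "$serial" ]; then echo none
  elif [ -n "$role" ]; then echo cli-managed
  else echo session-token
  fi
)

# Prompt for the code without echo and export temporary credentials.
load_mfa_session() {
  [ "$(mfa_mode)" = session-token ] || return 0
  _serial=$(resolve_mfa_serial)
  printf 'MFA code for %s: ' "$_serial" >&2
  stty -echo 2>/dev/null || true   # hide input when stdin is a terminal
  IFS= read -r _code || _code=""
  stty echo 2>/dev/null || true
  echo >&2
  case "$_code" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) ;;   # GetSessionToken takes a 6-digit code
    *) echo "MFA code must be exactly 6 digits" >&2; return 1 ;;
  esac
  _creds=$(aws sts get-session-token --serial-number "$_serial" \
    --token-code "$_code" --output text \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]') || return 1
  set -- $_creds                         # text output is tab-separated
  [ $# -eq 3 ] || return 1
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
  unset _code _creds
}
```
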