Knife-ec2 and aws multi-account role switching


#1

Hello out there.

I am trying to configure a new ChefDK server that will be able to access our main AWS account for user authentication, and then be able to switch to different IAM roles that are used and tied to separate accounts.

Essentially what we have is a centralized account for all user accounts that must be logged into first to gain access. Once authenticated we then use Role Switching to access the different AWS Accounts (environments).

On my DK server I have the knife-ec2 gem installed and configured and can run commands successfully against the Chef server directly.

[tony.elliott@ip-10-8-4-27 chef-repo] knife role list
test
[tony.elliott@ip-10-8-4-27 chef-repo]

I am able to use the awscli to retrieve data from AWS with role switching and MFA active.

I have configured the following in my knife.rb file:

[default]
output = json
region = us-west-2

[profile tony.elliott]
region = us-west-2
output = json

[profile staging]
region = us-west-2
source_profile = tony.elliott
role_arn = ROLEARN
mfa_serial = MFASERIAL

When trying to switch to the staging role I receive the following error:

[tony.elliott@ip-10-8-4-27 chef-repo] knife ec2 server list --aws-profile staging
ERROR: ArgumentError: The provided --aws-profile 'staging' is invalid.
[tony.elliott@ip-10-8-4-27 chef-repo]

When using my named profile that does not involve cross account role switching I get the expected results.

Has anyone out there been able to use knife-ec2 with multi-account role switching to deploy and configure into multiple environments?


#2

I haven’t used knife-ec2 with it, but you could try the following tool to use MFA with tools that don’t support it natively: https://github.com/broamski/aws-mfa

It works by having a ‘long-term’ profile with your regular long term AWS keys, and it will generate a new profile for you to use when you run the ‘aws-mfa’ command and enter your MFA token. The tool also claims to support switching roles when you run it, but that isn’t something I’ve tried and I don’t see anything equivalent to ‘source_profile’ when using this tool. Hopefully it will work well enough for your use though.
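As an added illustration (not code from this thread or from the aws-mfa project), the following shows the STS exchange that aws-mfa automates for a tool like knife-ec2 that only understands static keys: trade the long-term profile's keys plus an MFA code for short-lived role credentials, write them into a short-term named profile, and refuse to reuse that profile once it has expired. The `sts` argument is assumed to be a boto3 STS client in real use; the code only relies on its `assume_role()` call, so it can be exercised offline with a stub.

```python
import configparser
from datetime import datetime, timezone
from pathlib import Path


def assume_role_with_mfa(sts, role_arn, mfa_serial, token_code,
                         session_name="knife-ec2", duration=3600):
    """Exchange long-term keys + one MFA code for temporary role credentials.

    `sts` is any object exposing boto3's STS assume_role() call. The MFA
    serial/token are passed so the role's trust policy can require MFA.
    """
    resp = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        SerialNumber=mfa_serial,
        TokenCode=token_code,
        DurationSeconds=duration,  # short lifetime limits exposure of a leaked profile
    )
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration


def write_short_term_profile(credentials_path, profile, creds):
    """Persist temporary credentials as a named profile (for --aws-profile)."""
    cfg = configparser.ConfigParser()
    cfg.read(credentials_path)
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    cfg[profile]["aws_access_key_id"] = creds["AccessKeyId"]
    cfg[profile]["aws_secret_access_key"] = creds["SecretAccessKey"]
    cfg[profile]["aws_session_token"] = creds["SessionToken"]
    # Record expiry so callers can tell a stale profile from a live one.
    cfg[profile]["expiration"] = creds["Expiration"].isoformat()
    with open(credentials_path, "w") as fh:
        cfg.write(fh)
    Path(credentials_path).chmod(0o600)  # credentials file is owner-only
    return dict(cfg[profile])


def profile_expired(credentials_path, profile, now=None):
    """True if the short-term profile is missing or past its recorded expiry."""
    cfg = configparser.ConfigParser()
    cfg.read(credentials_path)
    if not cfg.has_option(profile, "expiration"):
        return True
    expiry = datetime.fromisoformat(cfg[profile]["expiration"])
    now = now or datetime.now(timezone.utc)
    return now >= expiry
```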


#3

Thank you for your help on this and pointing me to aws-mfa. I was able to configure that on my CDK server and was able to authenticate and retrieve data from the delegated account.