kOps & MFA

You can secure kops with MFA by creating an AWS role & policy that requires MFA to access to the KOPS_STATE_STORE bucket. Unfortunately the Go AWS SDK does not transparently support assuming roles with required MFA. This may change in a future version. kops plans to support this behavior eventually. You can track progress in this Github issue. If you’d like to use MFA with kops, you’ll need a work around until then.

The Workaround #1

The work around uses aws sts assume-role in combination with an MFA prompt to retrieve temporary AWS access keys. This provides AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN environment variables which are automatically picked up by Go AWS SDK. You provide the MFA & Role ARNs, then invoke kops.

Here’s an example wrapper script:

  1. #!/usr/bin/env bash
  3. set -euo pipefail
  5. main() {
  6.     local role_arn="${KOPS_MFA_ROLE_ARN:-}"
  7.     local serial_number="${KOPS_MFA_ARN:-}"
  8.     local token_code
  10.     if [ -z "${role_arn}" ]; then
  11.         echo "Set the KOPS_MFA_ROLE_ARN environment variable" 1>&2
  12.         return 1
  13.     fi
  15.     if [ -z "${serial_number}" ]; then
  16.         echo "Set the KOPS_MFA_ARN environment variable" 1>&2
  17.         return 1
  18.     fi
  20.     echo -n "Enter MFA Code: "
  21.     read -s token_code
  23.     # NOTE: The keys should not be exported as AWS_ACCESS_KEY_ID
  24.     # or AWS_SECRET_ACCESS_KEY_ID. This will not work. They
  25.     # should be exported as other names which can be used below. This prevents
  26.     # them from incorrectly being picked up from libraries or commands.
  27.     temporary_credentials="$(aws \
  28.         sts assume-role \
  29.         --role-arn="${role_arn}" \
  30.         --serial-number="${serial_number}" \
  31.         --token-code="${token_code}" \
  32.         --role-session-name="kops-access"
  33.     )"
  35.     unset AWS_PROFILE
  37.     export "AWS_ACCESS_KEY_ID=$(echo "${temporary_credentials}" | jq -re '.Credentials.AccessKeyId')"
  38.     export "AWS_SECRET_ACCESS_KEY=$(echo "${temporary_credentials}" | jq -re '.Credentials.SecretAccessKey')"
  39.     export "AWS_SESSION_TOKEN=$(echo "${temporary_credentials}" | jq -re '.Credentials.SessionToken')"
  41.     exec kops "$@"
  42. }
  44. main "$@"

Usage

Download the script as kops-mfa, make it executable, put it on $PATH, set the KOPS_MFA_ARN and KOPS_MFA_ROLE_ARN environment variables. Run as kops-mfa followed by any kops command.

The Workaround #2

Use awsudo to generate temp credentials. This is similar to previous but shorter:

  1. pip install awsudo
  2. env $(awsudo ${AWS_PROFILE} | grep AWS | xargs) kops ...

The Workaround #3

Use aws-vault to generate temp session credentials. After setting up aws-vault, use alias for kops command. This way terminal will ask for MFA each time the credential session is expired. Commands would be:

  1. AWS_PROFILE=sandbox
  2. aws-vault add $AWS_PROFILE
  3. alias kops="aws-vault exec ${AWS_PROFILE} -- kops"