When using a simple AWS credentials file like this on Ubuntu Linux with credentials file: ~/.aws/credentials
[leigh.m] # let's call this account ID: 1000 for simplicity
AWS_ACCESS_KEY_ID=some_access_key_id
AWS_SECRET_ACCESS_KEY=some_secret_access_key
AWS Toolkit in VSCode works perfectly and I can access AWS resources via VSCode.
However I need to assume roles cross-accounts (with a source 'root' profile controlling access to the other accounts via roles) which all have MFA set.
My ~/.aws/config file that facilitates this looks like:
[profile my-assumed-role-1] # let's say this has account ID: 2000
role_arn=arn:aws:iam::2000:role/AdminRole
source_profile=leigh.m
role_session_name=my-assumed-role-1-session-name
mfa_serial=arn:aws:iam::1000:mfa/leigh.m
duration_seconds=3600
This setup works perfectly well now and I can assume the role. For example, via the CLI I can list buckets in account 2000 by passing that profile, like: aws s3api list-buckets --profile my-assumed-role-1
However, when I try to access that named profile via AWS Toolkit in VSCode I get the error message in AWS toolkit logs:
Shared Credentials Profile leigh.m is not valid. It will not be used by the toolkit.
Failed to connect with "profile:my-assumed-role-1": Profile leigh.m is not a valid Credential Profile: Profile leigh.m is not supported by the Toolkit.
It appears to be looking for a Profile 'leigh.m', so I have tried adding to ~/.aws/config this section:
[profile leigh.m]
mfa_serial=arn:aws:iam::1000:mfa/leigh.m
region=eu-west-1
output=json
I also tried to not use the config file and place everything in credentials file (as it appears to suggest here: https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/mfa-credentials.html)
But still the same issue. Anything I have missed?
(I did have a look to see if there were any questions already on S/O on the correct setup of AWS credentials for AWS Toolkit and MFA (as my AWS credentials and config files work correctly for all other requirements). This was the only question, from ~5 years ago: Visual Studio AWS toolkit with multifactor authentication? but it did not answer, and there are no questions/answers on AWS Toolkit, MFA and assuming roles with named profiles.)
CodePudding user response:
This is a VSCode AWS Toolkit bug, and they are releasing a fix for it: https://github.com/aws/aws-toolkit-vscode/issues/2394
Summary: AWS Toolkit only works with lowercase keys, so this will not work:
AWS_ACCESS_KEY_ID=some_access_key_id
AWS_SECRET_ACCESS_KEY=some_secret_access_key
When the fix is released it will work with caps & lowercase. Of course, in the short term just change the credentials file to:
aws_access_key_id=some_access_key_id
aws_secret_access_key=some_secret_access_key
It will work as expected.
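The workaround above, applied mechanically, as an added example that is not part of the original post or of the Toolkit: it finds setting keys that are not lowercase in a shared credentials file and rewrites them, reporting key names only so the secret values are never printed. The function names `lowercase_keys` and `fix_file` are hypothetical and the sample text is constructed from the placeholder values in the question.

```python
import os
import re

# Constructed sample mirroring the question's credentials file (placeholder values).
SAMPLE = (
    "[leigh.m]\n"
    "AWS_ACCESS_KEY_ID=some_access_key_id\n"
    "AWS_SECRET_ACCESS_KEY=some_secret_access_key\n"
    "\n"
    "[other]\n"
    "aws_access_key_id = another_id\n"
)
SECTION = re.compile(r"^\s*\[([^\]]+)\]")
SETTING = re.compile(r"^(\s*)([A-Za-z0-9_]+)(\s*=.*)$")

def lowercase_keys(text):
    """Hypothetical helper: return (fixed_text, findings). Findings hold profile,
    line number and key name only, so secret values never reach logs or terminals."""
    findings, out, profile = [], [], None
    for number, line in enumerate(text.splitlines(keepends=True), 1):
        section = SECTION.match(line)
        setting = SETTING.match(line)
        if section:
            profile = section.group(1)
        elif setting and setting.group(2) != setting.group(2).lower():
            indent, key, rest = setting.groups()
            findings.append((profile, number, key))
            line = indent + key.lower() + rest + line[setting.end():]
        out.append(line)
    return "".join(out), findings

def fix_file(path):
    """Hypothetical helper: rewrite path with lowercase keys; returns the findings."""
    with open(path, encoding="utf-8") as handle:
        fixed, findings = lowercase_keys(handle.read())
    if findings:
        tmp = path + ".tmp"
        # Create the temp file owner-only (0600) before any secret is written to it.
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as handle:
            handle.write(fixed)
        os.replace(tmp, path)  # atomic swap, no half-written credentials file
    return findings

if __name__ == "__main__":
    for profile, number, key in lowercase_keys(SAMPLE)[1]:
        print(f"line {number} [{profile}]: {key} -> {key.lower()}")
```

Values, comments and already-lowercase keys are left byte-for-byte unchanged, and a file with nothing to fix is not rewritten.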