Bug 1294850 - [RFE] Support for AWS Multi Factor Authentication
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Providers
All Linux
medium Severity medium
: GA
: cfme-future
Assigned To: John Hardy
Dave Johnson
: FutureFeature
Reported: 2015-12-30 12:05 EST by Lester Claudio
Modified: 2017-08-28 11:00 EDT
Doc Type: Enhancement
Last Closed: 2017-08-28 11:00:58 EDT
Type: Bug

Description Lester Claudio 2015-12-30 12:05:48 EST
Description of problem:
This might be more of an RFE but we need it for a current customer.
Our customer wants to configure their CFME appliance to authenticate with Amazon using the Multi-Factor Authentication.

Currently the CFME appliance supports AWS login using the AWS access_key_id and secret_access_key.  As an additional layer of protection on top of your user name and password the customer wants Cloudforms UI login to support AWS Multi-Factor Authentication (MFA).

Version-Release number of selected component (if applicable):
We have tried this on the latest CFME 3.2 (EVM Version 5.3) and 4.0 release (EVM Version

How reproducible:
Always reproducible

Steps to Reproduce:

Configure the CFME appliance as follows:
1 - Login as admin
2 - Navigate to Configure > Configuration
3 - Select and expand the Settings option on the left pane
4 - Select the UI appliance
5 - Select Authentication TAB in the Settings page
6 - Select Amazon in the mode drop down.
7 - Add the AWS root access_key_id and secret_access_key credentials, click on the "Get User Groups from Amazon". 
8 - Validate the credentials
9 - Save the configuration
10 - Select and expand the Access Control option in the left pane.
11 - Add an AWS-defined group and select the role. For testing, use the super user role.
12 - Save the group.

Actual results:
You can actually log in using a defined IAM user by using the AWS access key and secret access key. The user will be added to the users in Cloudforms. The issue is that the CFME UI never asked for the MFA token.

Expected results:
The UI should have an MFA option in the Amazon Authentication mode and the UI should ask for the MFA token before allowing access to Cloudforms.

Additional info:
Comment 6 Greg Blomquist 2016-02-19 15:37:02 EST
Lester, I'm not sure how we would make this type of feature work.

Currently, the user enters their credentials once for the provider, and we use that repeatedly numerous times when performing any number of operations against AWS, including situations where the ManageIQ service requesting access to AWS is a background service that the user would never see. A good example here is Metrics Collection, which runs as a scheduled task and requires authentication to AWS to collect details from CloudWatch.

I would think that to make a Multi-Factor Auth solution useful, the user would have to enter their MFA token every time ManageIQ wanted to authenticate with AWS.  However, in the case of backgrounded services (like metrics collection), that doesn't seem feasible.

Let me know if I'm misunderstanding this request.
Comment 9 Chris Pelland 2017-08-28 11:00:58 EDT
This bug has been open for more than a year and is assigned to an older release of CloudForms. 
If you would like to keep this Bugzilla open and if the issue is still present in the latest version of the product, please file a new Bugzilla which will be added and assigned to the latest release of CloudForms.
