Red Hat Bugzilla – Bug 1294850
[RFE] Support for AWS Multi Factor Authentication
Last modified: 2017-08-28 11:00:58 EDT
Description of problem:
This might be more of an RFE but we need it for a current customer.
Our customer wants to configure their CFME appliance to authenticate with Amazon using the Multi-Factor Authentication.
Currently the CFME appliance supports AWS login using the AWS access_key_id and secret_access_key. As an additional layer of protection on top of your user name and password the customer wants Cloudforms UI login to support AWS Multi-Factor Authentication (MFA).
Version-Release number of selected component (if applicable):
We have tried this on the latest CFME 3.2 (EVM Version 5.3) and 4.0 release (EVM Version 18.104.22.168.20151201120956_653c0d4)
Steps to Reproduce:
Configure the CFME appliance as follows:
1 - Login as admin
2 - Navigate to Configure > Configuration
3 - Select and expand the Settings option on the left pane
4 - Select the UI appliance
5 - Select Authentication TAB in the Settings page
6 - Select Amazon in the mode drop down.
7 - Add the AWS root access_key_id and secret_access_key credentials, click on the "Get User Groups from Amazon".
8 - Validate the credentials
9 - Save the configuration
10 - Select and expand the Access Control option in the left pane.
11 - Add a AWS defined group and select the role. For test use the super user role.
12 - Save the group.
You can actually login in using a defined IAM user by using the AWS access key and secret access key. The user will be added to the users in Cloudforms. The issue is that the CFME UI never asked for the MFA token.
The UI should have a MFA option in the Amazon Authentication mode and the UI should ask for the MFA token before allowing access to Cloudforms.
Lester, I'm not sure how we would make this type of feature work.
Currently, the user enters their credentials once for the provider. And, we use that repeatedly numerous times when performing any number of operations against AWS. Including situations where the ManageIQ service requesting access to AWS is a background service that the user would never see. A good example here is Metrics Collection which runs as a scheduled task and requires authentication to AWS to collect details from CloudWatch.
I would think that to make a Multi-Factor Auth solution useful, the user would have to enter their MFA token every time ManageIQ wanted to authenticate with AWS. However, in the case of backgrounded services (like metrics collection), that doesn't seem feasible.
Let me know if I'm misunderstanding this request.
This bug has been open for more than a year and is assigned to an older release of CloudForms.
If you would like to keep this Bugzilla open and if the issue is still present in the latest version of the product, please file a new Bugzilla which will be added and assigned to the latest release of CloudForms.