I'm trying to use AWS Secrets Manager from an ASP.NET Core app. I use AWSSecretsManagerConfigurationExtensions (but this actually doesn't matter).
The code is below. The problem is, my profile has MFA set up (i.e. there's mfa_serial in my .aws/credentials file).
So when the code below runs, I get the exception:
Amazon.Runtime.AmazonClientException: Error calling AssumeRole for role arn:aws:iam::***:role/Admin
---> System.InvalidOperationException: The MfaSerialNumber has been set but the MfaTokenCodeCallback hasn't. MfaTokenCodeCallback is required in order to determine the MfaTokenCode when MfaSerialNumber is set.
I guess it's expected that it's asking for MfaToken, but where should I enter it?
I run it in both Rider and Visual Studio (with the AWS Toolkit extension installed in both of them), but it didn't help.
Am I doing something wrong?
    var chain = new Amazon.Runtime.CredentialManagement.CredentialProfileStoreChain();
    if (chain.TryGetProfile("PROFILE_NAME", out var profile))
    {
        var credentials = profile.GetAWSCredentials(profile.CredentialProfileStore);
        builder.Configuration.AddSecretsManager(credentials, profile.Region);
    }
It seems that one has to manually assign the MfaTokenCodeCallback and request the MFA there.
So, continuing from the code above:
    var credentials = profile.GetAWSCredentials(profile.CredentialProfileStore);
    // AssumeRoleAWSCredentials lives in the Amazon.Runtime namespace.
    if (credentials is AssumeRoleAWSCredentials assumeRoleAwsCredentials) {
        // Called by the SDK when it needs an MFA token code for AssumeRole.
        assumeRoleAwsCredentials.Options.MfaTokenCodeCallback = () =>
        {
            Console.WriteLine(
                $"Please enter MFA code for {assumeRoleAwsCredentials.Options.MfaSerialNumber}:"
            );
            var result = Console.ReadLine();
            return result;
        };
    }
After that, calling credentials.GetCredentials() shows the MFA request in the console and succeeds if the entered code is correct.
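
A variant of the callback above that also covers the case where no one can type the code, as an added example that is not part of the original post or of the AWS SDK. The names MfaProfileCredentials, Load and PromptForCode are hypothetical; it assumes the token code is six decimal digits and that failing at startup is preferable to blocking on stdin or passing a null code to AssumeRole.

```csharp
using System;
using System.Linq;
using Amazon;
using Amazon.Runtime;
using Amazon.Runtime.CredentialManagement;

// Usage (from Program.cs):
//   builder.Configuration.AddSecretsManager(
//       MfaProfileCredentials.Load("PROFILE_NAME", out var region), region);
public static class MfaProfileCredentials
{
    // Hypothetical helper: loads a profile and, if it assumes a role with
    // mfa_serial set, attaches a console prompt for the token code.
    public static AWSCredentials Load(string profileName, out RegionEndpoint region)
    {
        var chain = new CredentialProfileStoreChain();
        if (!chain.TryGetProfile(profileName, out var profile))
            throw new InvalidOperationException($"AWS profile '{profileName}' not found.");

        region = profile.Region;
        var credentials = profile.GetAWSCredentials(profile.CredentialProfileStore);

        if (credentials is AssumeRoleAWSCredentials assumeRole &&
            !string.IsNullOrEmpty(assumeRole.Options.MfaSerialNumber))
        {
            var serial = assumeRole.Options.MfaSerialNumber;
            assumeRole.Options.MfaTokenCodeCallback = () => PromptForCode(serial);
        }
        return credentials;
    }

    private static string PromptForCode(string serial)
    {
        // With stdin redirected (service, container, CI, some IDE launch profiles)
        // nobody can answer, so fail with a clear message instead of hanging.
        if (Console.IsInputRedirected)
            throw new InvalidOperationException(
                $"Profile requires MFA ({serial}) but no interactive console is available.");

        for (var attempt = 0; attempt < 3; attempt++)
        {
            Console.Write($"Please enter MFA code for {serial}: ");
            var code = Console.ReadLine()?.Trim();
            // Assumption: token codes are exactly six decimal digits.
            if (code is { Length: 6 } && code.All(c => c >= '0' && c <= '9')) return code;
            Console.WriteLine("Expected a 6-digit code.");
        }
        throw new InvalidOperationException("No valid MFA code entered.");
    }
}
```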