Limitations when using get_session_token

Open kddejong opened this issue 5 years ago • 1 comments

Currently when doing a test the code will use get_session_token when an execution role isn't provided or the credential chain being used doesn't have a session token. https://github.com/aws-cloudformation/cloudformation-cli/blob/1d32b070d26cf6c8d17b03dc06190c08d5c9444b/src/rpdk/core/boto_helpers.py#L67

The get_session_token will return back credentials that have a few exceptions.

    You cannot call any IAM API operations unless MFA authentication information is included in the request.
    You cannot call any STS API except AssumeRole or GetCallerIdentity.

The result is that if you are testing an IAM resource or using STS in your resource, the tests will fail.

The workaround is to use an execution role.

kddejong Sep 17 '20 19:09
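Added example, not part of the issue thread or the cloudformation-cli code base: a preflight check that encodes the two restrictions quoted above and fails early when a resource's handlers need IAM or STS calls but no execution role is supplied. The function names, the `FakeSTS` stand-in, the role session name and the sample action lists are assumptions made for illustration; it models only the choice between an execution role and `get_session_token`.

```python
# Added example: all names here are hypothetical, not the project's API.

def blocked_with_session_token(actions, mfa_used=False):
    """Return the actions that GetSessionToken credentials cannot call.

    Encodes the two restrictions quoted in the issue:
      - no IAM API operations unless MFA information is included
      - no STS API operations except AssumeRole and GetCallerIdentity
    """
    allowed_sts = {"assumerole", "getcalleridentity"}
    blocked = []
    for action in actions:
        service, _, operation = action.partition(":")
        service, operation = service.lower(), operation.lower()
        if service == "iam" and not mfa_used:
            blocked.append(action)
        elif service == "sts" and operation not in allowed_sts:
            blocked.append(action)
    return blocked


def credentials_for_test(sts_client, handler_actions, role_arn=None):
    """Pick temporary credentials for a test run, failing early on a bad mix."""
    if role_arn:
        # Workaround from the issue: an execution role avoids the restrictions.
        resp = sts_client.assume_role(RoleArn=role_arn,
                                      RoleSessionName="contract-test")
        return "assume_role", resp["Credentials"]
    blocked = blocked_with_session_token(handler_actions)
    if blocked:
        raise PermissionError(
            "GetSessionToken credentials cannot call: " + ", ".join(blocked)
            + "; supply an execution role instead")
    return "get_session_token", sts_client.get_session_token()["Credentials"]


class FakeSTS:
    """Constructed stand-in for a boto3 STS client so the example runs offline."""

    def _creds(self, tag):
        return {"Credentials": {"AccessKeyId": "EXAMPLE" + tag,
                                "SecretAccessKey": "constructed",
                                "SessionToken": "constructed"}}

    def assume_role(self, RoleArn, RoleSessionName):
        return self._creds("ROLE")

    def get_session_token(self):
        return self._creds("SESSION")
```

With a real boto3 STS client in place of `FakeSTS`, the same check turns an opaque mid-test access error into an immediate message naming the calls that need an execution role.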

duplicate of https://github.com/aws-cloudformation/cloudformation-cli/issues/511?

PatMyron Apr 29 '21 18:04