Question
I created a new policy to force IAM users to set up MFA, using the policy in this link: https://docs.aws.amazon.com/en_pv/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage.html
The IAM user already has AdministratorAccess, so after applying this force-MFA policy the user has two policies attached: the AWS managed policy AdministratorAccess and the new managed policy I created, Force_MFA.
Now when I try to run Ansible with the module https://docs.ansible.com/ansible/latest/modules/sts_assume_role_module.html, which worked normally before I attached the Force_MFA policy, I get an error saying I cannot assume the role in other accounts.
When I remove the Force_MFA policy, it works again.
Where is the problem coming from? Is this an issue with the policy or with Ansible? Is this Force_MFA policy not working as expected? It is supposed to let me do other things once MFA is enabled, but in Ansible it does not, while in the GUI I can switch roles and it works fine. It is just that the Ansible playbooks now fail and complain that I can't assume the role.
Mind you, I have already enabled MFA for this IAM user, and I can assume roles and switch accounts in the dashboard, BUT when I try to do that in Ansible I get a boto error saying I cannot assume the role.
Any help will be appreciated.
If you need to post anything to help let me know and i will post.
Answer 1:
Following the comment made by @Zeitounator, I had to add the mfa_serial_number and mfa_token options, as required for sts_assume_role here.
It worked after that.
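The following is an added example, not code from the question or the answer above. It models why the Force_MFA policy breaks sts_assume_role from Ansible and what the accepted fix changes: the linked AWS example policy contains a Deny statement conditioned on BoolIfExists aws:MultiFactorAuthPresent = false, and a request signed with long-term access keys carries no aws:MultiFactorAuthPresent key at all, so the "IfExists" condition is treated as satisfied and everything outside the NotAction list (including sts:AssumeRole) is denied. A console session after an MFA login carries the key as true, which is why switching roles in the GUI still works. The Deny statement below is my condensed paraphrase of the "DenyAllExceptListedIfNoMFA" statement in that AWS document (assumed to match it); the role ARN, MFA device ARN and token code are placeholder values, and the hypothetical assume_role_params helper only builds the keyword arguments that boto3's sts.assume_role() accepts (the Ansible module's mfa_serial_number and mfa_token options correspond to SerialNumber and TokenCode):

```python
"""Model of the Force_MFA deny rule versus an Ansible/boto3 AssumeRole call.

Added example; not the original poster's code. The Deny statement is a
condensed paraphrase (assumed faithful) of the AWS-documented
"DenyAllExceptListedIfNoMFA" statement. All ARNs and the token are fake.
"""
import json
import re

# Assumed: condensed form of the Deny statement in the linked AWS example policy.
FORCE_MFA_DENY = {
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken",
    ],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, '*' is a wildcard."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def deny_applies(statement: dict, action: str, request_context: dict) -> bool:
    """True if this Deny statement blocks `action` for a request whose
    condition keys are `request_context`.

    BoolIfExists semantics: if the key is missing from the request, the
    condition counts as satisfied. A call signed with long-term access keys
    has no aws:MultiFactorAuthPresent key, so it is caught by the Deny.
    """
    if statement["Effect"] != "Deny":
        return False
    # NotAction: the statement covers every action NOT in the list.
    if any(_action_matches(p, action) for p in statement["NotAction"]):
        return False
    for key, expected in statement["Condition"]["BoolIfExists"].items():
        if key not in request_context:
            continue  # IfExists: absent key -> condition holds
        if str(request_context[key]).lower() != expected.lower():
            return False  # key present with another value -> no match
    return True


def effective_decision(action: str, request_context: dict) -> str:
    """AdministratorAccess allows everything; an applicable explicit Deny wins."""
    return "Deny" if deny_applies(FORCE_MFA_DENY, action, request_context) else "Allow"


def assume_role_params(role_arn, session_name, mfa_serial=None, mfa_token=None):
    """Hypothetical helper: kwargs for boto3 sts.assume_role(). The Ansible
    options mfa_serial_number / mfa_token map to SerialNumber / TokenCode,
    which must be supplied together and the code must be six digits."""
    params = {"RoleArn": role_arn, "RoleSessionName": session_name}
    if mfa_serial or mfa_token:
        if not (mfa_serial and mfa_token):
            raise ValueError("SerialNumber and TokenCode must be supplied together")
        if not re.fullmatch(r"\d{6}", mfa_token):
            raise ValueError("TokenCode must be a 6-digit code")
        params["SerialNumber"] = mfa_serial
        params["TokenCode"] = mfa_token
    return params


if __name__ == "__main__":
    # Long-term keys from ~/.aws/credentials: no MFA key in the context at all.
    print("AssumeRole, no MFA context:", effective_decision("sts:AssumeRole", {}))
    print("EnableMFADevice, no MFA context:", effective_decision("iam:EnableMFADevice", {}))
    # Console session after an MFA login: key present and true.
    print("AssumeRole, MFA present:",
          effective_decision("sts:AssumeRole", {"aws:MultiFactorAuthPresent": "true"}))
    # What the fixed Ansible task ends up sending (fake ARNs and token).
    print(json.dumps(assume_role_params(
        "arn:aws:iam::123456789012:role/OrganizationAccountAccessRole", "ansible",
        mfa_serial="arn:aws:iam::111122223333:mfa/alice", mfa_token="123456"), indent=2))
```

The first print explains the boto error in the question: with only long-term keys, sts:AssumeRole is outside the NotAction list and the missing MFA key satisfies BoolIfExists, so the explicit Deny overrides AdministratorAccess. Passing the MFA serial and a current token with the AssumeRole call, as the answer does, is what makes the call MFA-authenticated; alternatively sts:GetSessionToken (which the policy leaves allowed) can be used to mint MFA-backed temporary credentials first.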
Source: https://stackoverflow.com/questions/58349939/unable-to-assume-role-after-enforcing-mfa-policy