Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MFA/2fa support. #184

Open
seivan opened this issue Mar 3, 2021 · 18 comments
Open

MFA/2fa support. #184

seivan opened this issue Mar 3, 2021 · 18 comments
Labels
effort/medium This issue will take a few days of effort to fix feature-request A feature should be added or improved. p2

Comments

@seivan
Copy link

seivan commented Mar 3, 2021

Is there any way to use the new workflow input features to request for a 2fa code when getting temporary credentials and put them in during the steps?

@paragbhingre
Copy link
Contributor

@seivan, Thank you for your question. May I know why assuming a role with this action doesn't work for you?

@seivan
Copy link
Author

seivan commented Mar 5, 2021

@paragbhingre Does that allow for external confirmation via 2FA? It just seems like it uses a set of credentials to get access to another set of credentials where the only redeeming factor is the time-limit so they're temporary, which has value, but not exactly 2FA.

Would be nice if we could use a virtual MFA (say Google Authenticator) before the steps as an input using something like https://github.com/peter-evans/slash-command-dispatch

@allisaurus
Copy link
Contributor

@seivan can you describe the kind of user experience you're looking for here? We envision this action executing in workflows driven by programmatic events (e.g., pushes to a repo), which don't typically require or lend themselves well human intervention (like entering a 2FA code), but I could be missing something?

@seivan
Copy link
Author

seivan commented Mar 10, 2021

@seivan can you describe the kind of user experience you're looking for here? We envision this action executing in workflows driven by programmatic events (e.g., pushes to a repo), which don't typically require or lend themselves well human intervention (like entering a 2FA code), but I could be missing something?

No, you got it right! 👍🏼 That's exactly what am looking for.
And I half-agree with you... for every branch except master :-)

With the recent issues, I would say it's time to enable and promote 2FA for letting the CI access your AWS account that enables it to modify or create resources.

The part I disagree with it is human intervention does not lend itself, there is several aspects in a deployment pipeline you might want a human to approve or review changes to resources, like a canary to production.
For Github Enterprise they added Workflow Events that gives you an UI to add input parameters to start Workflows.
But that's not related to the topic at hand

@allisaurus allisaurus self-assigned this Mar 11, 2021
@allisaurus
Copy link
Contributor

allisaurus commented Mar 23, 2021

there is several aspects in a deployment pipeline you might want a human to approve or review changes to resources

@seivan I agree with this! Manual approvals in a pipeline, etc., make perfect sense in lots of situations. But MFA is typically used as an extra layer of security for human users authenticating via a web portal, so I'm having trouble picturing what actions your GitHub workflow may need to take which would require it. Are you perhaps trying to assume a role which requires MFA? It that case we could potentially provide SerialNumber and TokenCode input fields to this action. Would that help, or are you trying to do something different?

@seivan
Copy link
Author

seivan commented Mar 23, 2021

@allisaurus
Let me rephrase it.
As of today with the current setup, if your keys to assume a role that has any form of permission to CRUD your production resources get compromised without you knowing means you are shit out of luck.

Adding 2FA as a step before the CI can assume said role makes those keys worthless as the human component is missing.
The CI has knowledge (token) to assume a role, but it should also require possession to generate a one time token.

make perfect sense in lots of situations.

And the opposite is true; there is no situation where a CI should create/deploy production without a one time 2FA auth token generated by a human with a secure device, if that's virtual (iPhone, e.g Google Authenticator.app ) or physical hardware, is a different topic, we use virtual.

Right now we have to keep updating Github Organization secrets each time with our OTP everytime we want to deploy, which is cumbersome and error prone.

@dtlaycock
Copy link

Adding a more general take on this issue (feel free to ignore if it derails the conversation).

If an organization wants/needs another layer of security to limit the impact of the exposure of IAM user access keys is there an approach that would work with Github Actions?
MFA is problematic as it generally requires a human.
IP address restriction is also challenging given the 1600 IP ranges for Github hosted runners.

Are there any other options?

@seivan
Copy link
Author

seivan commented Mar 23, 2021

@dtlaycock Yeah, run it on your own hardware that you control and host your keys on SSM.
Regardless, the security impact of token loss (feel free to correct me) is nil if it requires human auth. Not saying you can do no wrong, I mean you could obviously auth a hostile user if you don't pay attention.

My concern is mostly if tokens get exposed somewhere (logs, etc) becomes moot as they are essentially worthless on their own.

@allisaurus
Copy link
Contributor

@seivan there's a couple things going on here, but to go back to your original question:

Is there any way to use the new workflow input features to request for a 2fa code ?

Which "workflow input features" are you referring to specifically? My information may be dated, but as far as I'm aware the only way to supply a GitHub action with inputs is via named input fields. Through what means do you want to be prompted for and supply a 2fa code?

@seivan
Copy link
Author

seivan commented Mar 30, 2021

@allisaurus That's up to you.

There are several options, though some require Github Enterprise

You could start with https://github.com/peter-evans/slash-command-dispatch and eventually integrate it with Slack or Discord to get prompted to input a token.

I apologize, I think you mentioned something earlier and I must have missed it!

It that case we could potentially provide SerialNumber and TokenCode input fields to this action. Would that help, or are you trying to do something different?

This could actually be useful, if you could use the AWS CLI with just TokenCode then that would be a good start, no?

@allisaurus
Copy link
Contributor

You could start with https://github.com/peter-evans/slash-command-dispatch and eventually integrate it with Slack or Discord to get prompted to input a token.

So directly integrating with or taking a dependency on a third party (non-Amazon) action is something I don't foresee us being able to do, but we can take a look at what other options native to GitHub actions we might be able to leverage or recommend to users. To @dtlaycock 's point, I think we do lack explicit guidance on how workflow authors might further lock down this action (or others), and that's a more general gap we should try to address.

Switching the label on this to a feature request as adding support for SerialNumber and TokenCode inputs is something we could feasibly do to help folks leverage MFA with this action. Thanks v much for the discussion here! I think we're closer to being able to offer folks more options w/r/t authenticating calls to AWS.

@allisaurus allisaurus added feature-request A feature should be added or improved. and removed investigating labels Apr 8, 2021
@seivan
Copy link
Author

seivan commented Apr 8, 2021

@allisaurus I am not asking AWS to use a third party action.

That was just an example on how to provide the generated token.

Correct me if I am wrong, but as of now there is no way to supply a generated token to AWS without modifying env variables?
More importantly there is no way to use generated tokens?

Am I wrong? This is a security issue more than anything, because expecting to give CRUD access to a CI with tokens that can be used if exposed is somewhat dangerous.
Doesn't matter if it's to assume role of something higher privileged or not.

I don't mind exposing burnable one time for a specific moment in time, but having them set permanently for production environment is a bit much.

Switching the label on this to a feature request as adding support for SerialNumber and TokenCode inputs is something we could feasibly do to help folks leverage MFA with this action. Thanks v much for the discussion here! I think we're closer to being able to offer folks more options w/r/t authenticating calls to AWS.

Yes, this is what I am asking for.

The ability to supply them outside of hard coded env variables, the third party action (or slack/discord approach) where just examples. I hope that's clear!

@DavidVaness
Copy link

DavidVaness commented May 27, 2021

I just want to voice my support for this feature request and hope someone is able to get this working as our team is facing the same problem (and organizational requirements)

@dtuite
Copy link

dtuite commented Jul 14, 2021

I came across this requirement today also and I agree that adding support for SerialNumber and TokenCode inputs is probably the best approach.

@github-actions
Copy link

github-actions bot commented Oct 1, 2022

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 2 days unless further comments are made. closed-for-staleness and removed closing-soon This issue will automatically close in 2 days unless further comments are made. labels Oct 1, 2022
@github-actions github-actions bot closed this as completed Oct 3, 2022
@peterwoodworth peterwoodworth reopened this Oct 4, 2022
@peterwoodworth peterwoodworth added p2 effort/medium This issue will take a few days of effort to fix and removed closed-for-staleness labels Oct 4, 2022
@varunsh-coder
Copy link

I just wanted to share this in case it helps. You can use https://github.com/step-security/wait-for-secrets GitHub Action to enter MFA tokens during a GitHub Actions workflow. Developers can enter secrets using a web browser and use them in the workflow.

@stojce
Copy link

stojce commented Feb 13, 2023

I am also interested in this implemented. My case is when calling GitHub action from third party app via workflow_dispatch.

@catz-lw
Copy link

catz-lw commented Oct 1, 2024

Could a maintainer please look at this 10-line PR to add MFA support? Thanks. #1124

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
effort/medium This issue will take a few days of effort to fix feature-request A feature should be added or improved. p2
Projects
None yet
Development

No branches or pull requests

10 participants