AWS SDK writes mfa token challenge to STDOUT 

Hi, I am executing `eksctl` within the context of an assumed role. 

```sh
$ AWS_PROFILE=AdministratorAccessRole aws sts get-caller-identity \
  | sed -E 's/[0-9]/1/g' \
  | jq -re '.UserId="FUBAR"'
{
  "UserId": "FUBAR",
  "Account": "111111111111",
  "Arn": "arn:aws:sts::111111111111:assumed-role/AdministratorAccessRole/cli"
}
```

The role obviously requires an MFA challenge for any operation that is *not* a `sts get-caller-identity`. 
```sh
$ AWS_PROFILE=AdministratorAccessRole aws iam get-user --user-name christian \
  | jq -re 'true'
Enter MFA code for arn:aws:iam::123456789:mfa/Christian: 
true
~/Develop/github.com/christian-elsee/eks $ echo $?
0
```

When executing `eksctl` with a `AWS_PROFILE` that requires an MFA challenge, the challenge text is written to STDOUT. I am assuming its supposed to write to /dev/tty, but thats purely speculation. 
```sh
$ AWS_PROFILE=AdministratorAccessRole dist/bin/eksctl create cluster \
  -f dist/cluster.yaml \
  --dry-run \
| tee dist/plan.yaml
Assume Role MFA token code: 592187
accessConfig:
  authenticationMode: API_AND_CONFIG_MAP
...
```

Looking at the first two lines from `dist/plan.yaml`, we see the challenge text. 
```sh
<dist/plan.yaml sed -n 1,2p
Assume Role MFA token code: accessConfig:
  authenticationMode: API_AND_CONFIG_MAP
```

Not a big deal, but you know, annoying. I like to use the payload generated from a `create cluster --dry-run` as a [terraformish plan](https://developer.hashicorp.com/terraform/cli/commands/plan). Cheers

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

AWS SDK writes mfa token challenge to STDOUT #7844

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

AWS SDK writes mfa token challenge to STDOUT #7844

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions