Adds correct MFA prompt and enforces serial if available (#123)

pkg/cfaws/assumer_aws_iam.go

@@ -23,7 +23,14 @@ func (aia *AwsIamAssumer) AssumeTerminal(ctx context.Context, c *CFSharedConfig,
 		config.WithSharedConfigProfile(c.Name),
 		config.WithAssumeRoleCredentialOptions(func(aro *stscreds.AssumeRoleOptions) {
 			// set the token provider up
-			aro.TokenProvider = stscreds.StdinTokenProvider
+			aro.TokenProvider = MfaTokenProvider
+
+			// If the mfa_serial is defined on the root profile, we need to set it in this config so that the aws SDK knows to prompt for MFA token
+			if len(c.Parents) > 0 {
+				if c.Parents[0].AWSConfig.MFASerial != "" {
+					aro.SerialNumber = aws.String(c.Parents[0].AWSConfig.MFASerial)
+				}
+			}
 		}),
 	}
 

pkg/cfaws/assumer_aws_sso.go

@@ -102,7 +102,7 @@ func (c *CFSharedConfig) SSOLogin(ctx context.Context) (aws.Credentials, error)
 				aro.RoleSessionName = "Granted-" + c.Name
 				if c.AWSConfig.MFASerial != "" {
 					aro.SerialNumber = &c.AWSConfig.MFASerial
-					aro.TokenProvider = stscreds.StdinTokenProvider
+					aro.TokenProvider = MfaTokenProvider
 				}
 
 				// Default Duration set to 1 hour for the final assumed role

pkg/cfaws/creds.go

@@ -6,9 +6,11 @@ import (
 	"os"
 	"time"
 
+	"github.com/AlecAivazis/survey/v2"
 	"github.com/aws/aws-sdk-go-v2/aws"
 	ssotypes "github.com/aws/aws-sdk-go-v2/service/sso/types"
 	"github.com/aws/aws-sdk-go-v2/service/sts/types"
+	"github.com/common-fate/granted/pkg/testable"
 )
 
 func TypeCredsToAwsCreds(c types.Credentials) aws.Credentials {
@@ -41,3 +43,11 @@ func GetCredentialsCreds(ctx context.Context, c *CFSharedConfig) (aws.Credential
 	return aws.Credentials{}, fmt.Errorf("creds invalid or expired")
 
 }
+
+func MfaTokenProvider() (string, error) {
+	in := survey.Input{Message: "MFA Token"}
+	var out string
+	withStdio := survey.WithStdio(os.Stdin, os.Stderr, os.Stderr)
+	err := testable.AskOne(&in, &out, withStdio)
+	return out, err
+}