First attempt at MFA-aware automated login

2026-05-20 19:12:01 +08:00 · 2026-05-20 19:12:01 +08:00 · 4a0eaa1f9b
commit 4a0eaa1f9b
parent 1d6d87728a
1 changed files with 27 additions and 1 deletions
--- a/userland/aws.el
+++ b/userland/aws.el
@ -43,13 +43,39 @@
 (defvar aws-reauth-timer nil
  "The reauth timer, if created.")

+(defun aws--login (role)
+  "Internal login function --- handles the command as a process, and prompts for MFA."
+  (let* ((process-name (format "%s-%s" aws-cli-auth-provider (replace-regexp-in-string "[/:]" "-" role)))
+	 (buffer (get-buffer-create (format "*%s*" process-name)))
+	 (prompt-regexp (rx (or "Enter verification code")))
+	 (prompt-sent nil))
+    (with-current-buffer buffer
+      (erase-buffer))
+
+    (make-process
+     :name process-name
+     :buffer buffer
+     :command (list aws-cli-auth-provider "login" "--force" "--skip-prompt" "--role" role)
+     :filter
+     (lambda (proc output)
+       (with-current-buffer (process-buffer proc)
+	 (goto-char (point-max))
+	 (insert output)
+	 
+	 (unless prompt-sent
+	   (let ((buffer-contents (buffer-string)))
+	     (when (string-match-p prompt-regexp buffer-contents)
+	       (let ((token (read-passwd "MFA token: ")))
+		 (process-send-string proc (concat token "\n"))
+		 (setq prompt-sent t))))))))))
+
 (defun aws-sign-in ()
  "Sign in with AWS."
  (interactive)
  (let* ((role (completing-read "AWS Role: " aws-roles))
 	 (auth-fn (lambda ()
 		    (message (concat "Authenticating with " role " via " aws-cli-auth-provider))
-		    (shell-command (concat aws-cli-auth-provider " login --force --skip-prompt --role " role)))))
+		    (aws--login role))))
    (funcall auth-fn)
    (when aws-auto-reauth
      (setq aws-reauth-timer (run-at-time t (* 60 aws-auto-reauth) auth-fn)))))