We have 2-factor authentication set up in the AWS account. sls deploy command thus asks for the MFA code. How to run the deployment in non-interactive mode when MFA is enabled?
For ex:
lerna run
command does not support user input. Similarly, if this was to run in CI/CD, interactivity won't be possible. How is this handled. What's the best way to manage this in serverless framework with sls deploy command?
I'd argue that Multi-Factor Authentication inside of CI/CD Pipelines is generally not a good idea.
MFA is intended to be used to reduce the risk that credentials that are handled by regular people can be exploited when they're stolen. They are a workaround for the fact that humans tend to be less careful with their own hardware and credentials than IT organizations dedicating resources to secure an environment. It's a system designed in a way that it's not easy to automate for that reason. You explicitly want a human to interact with it.
CI/CD pipelines have different characteristics. They run in a dedicated environment and can be easier secured against outside access. You can also create temporary credentials from a trusted source and easily feed them into a pipeline (e.g. do an assume role and pass the credentials as environment variables). Another option would be to have an access key and a secret access key that get periodically rotated. More importantly the focus of a pipeline is on automation - we explicitly want to automate as much as possible, because human input is error prone.
In contrast to the regular workstations, the pipeline is supposed to get artifacts and code from trusted entities, whereas it's harder to ensure that on every developers machine. That's why credential exfiltration is a lower risk, even if you shouldn't rule it out completely - thus my suggestion of using temporary credentials.
tl;dr Don't use MFA in your pipeline, use a different strategy to secure your credentials such as a role assumed by the CodeBuild project.
