How to use MFA with AWS CLI?


How do I type in the MFA code when using the AWS CLI? I have checked the documentation page of IAM http://docs.aws.amazon.com/cli/latest/reference/iam/index.html.

I have the MFA-Devices already enabled under my username.

aws iam list-mfa-devices --user-name X

returns

{
    "MFADevices": [
        {
            "UserName": "X",
            "SerialNumber": "arn:aws:iam::+++:mfa/X",
            "EnableDate": "2016-01-13T23:15:43Z"
        }
    ]
}










amazon-web-services

asked Jan 14 '16 at 17:20 by Hello lad
edited Jan 31 '17 at 20:20 by Joe Harris






















10 Answers














Call aws sts get-session-token --token-code <value> documented here. This will give you a temporary security token. Documentation on using the temporary security token can be found here.

answered Jan 14 '16 at 17:37 by Mark B
The CLI can manage a lot of this for you if you're using roles. Described here: http://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html

In my credentials file I have:

[my_iam_user]
aws_access_key_id = AKIABLAHBLAHBLAHBLAH
aws_secret_access_key = <blah>
region = us-east-1

[my_admin_role]
role_arn = arn:aws:iam::123456789123:role/my_admin_role
source_profile = my_iam_user
mfa_serial = arn:aws:iam::123456789123:mfa/my_iam_user
region = us-east-1

Note the mfa_serial entry. You can get this value from your user details in the AWS IAM console. This entry tells the CLI that MFA is required for that role.

When I call aws s3 ls --profile my_admin_role it says Enter MFA code:; after I paste in the code it returns the listing.

Note: I haven't found a way to get the CLI to ask for MFA when calling a user profile (--profile my_iam_user); only calling a role profile triggers the MFA request.

The MFA token is then carried forward and the user profile can be used as well:

aws sts get-caller-identity --profile my_iam_user
# {
#     "Account": "123456789123",
#     "UserId": "AIDABLAHBLAHBLAHBLAH",
#     "Arn": "arn:aws:iam::123456789123:user/my_iam_user"
# }

aws sts get-caller-identity --profile my_admin_role
# {
#     "Account": "123456789123",
#     "UserId": "AROABLAHBLAHBLAHBLAH:AWS-CLI-session-1234567890",
#     "Arn": "arn:aws:sts::123456789123:assumed-role/my_admin_role/AWS-CLI-session-1234567890"
# }

answered Jan 31 '17 at 18:36 by Joe Harris

• This technique blew my mind. It was so much simpler than dealing with temporary keys and tokens directly! I'm surprised this isn't mentioned more often. – killthrush, Mar 21 '18 at 22:48

• When I try to create a role for myself, there aren't any good options. How did you create the role? – Ryan Shillington, Mar 15 at 18:45


















I have published a PR for aws-cli which will allow you to use mfa_serial in the credentials; it will force you to enter the token before making a request to AWS (and it will be cached while the token is valid).

• Issue: https://github.com/aws/aws-cli/issues/3172

• botocore PR: https://github.com/boto/botocore/pull/1399

• aws-cli PR: https://github.com/aws/aws-cli/pull/3174

Feel free to vote if you want to get it in.
AWS MFA use on the command line can be rather unpleasant and cumbersome, especially if you have multiple profiles and roles.

I have released the awscli-mfa.sh script that makes MFA/role session management on the command line a lot easier. A companion script, enable-disable-vmfa-device.sh, similarly makes it easy to enable or disable a virtual MFA device on an IAM user account.

awscli-mfa.sh persists a started session in ~/.aws/credentials (with some info in ~/.aws/config), or allows you to start an in-env session only so that its details don't get persisted. When executed in Windows Subsystem for Linux, the script also provides session activation strings for PowerShell and the Windows command line. However, the script itself only runs in bash (written for macOS, Linux, and WSL bash with Ubuntu).

You can find the scripts and the example MFA policies in my GitHub repo at https://github.com/vwal/awscli-mfa

• I wish there was something like this for Windows. – Ryan Shillington, Mar 15 at 19:02

• @RyanShillington If you install Windows Subsystem for Linux (WSL), the script runs well in it. In fact, when you run it in WSL, it also provides the MFA and role session activation strings for Windows CMD and PowerShell. – Ville, Mar 15 at 21:18
On Windows

I'm on Windows and I created a batch file to pass in my MFA code and have it automatically set up my credentials. First, you need to set up your production credentials in AWS:

aws configure --profile prod

Answer the questions appropriately with your key and secret. Then, I run my script like this:

C:> mfa-getCreds.bat 229168

Your credentials are set up, and will expire on 2019-05-12T04:04:13Z

Now you should be able to run aws commands like this: aws s3 ls

Here are the contents of my mfa-getCreds.bat:

@echo off

set TOKEN=%1
if not defined TOKEN goto showUsage

REM Ask STS for temporary credentials tied to the MFA device; the JSON reply is saved for jq to read.
@call aws sts get-session-token --profile prod --serial-number "arn:aws:iam::109627855994:mfa/ryan.shillington" --token-code %TOKEN% > c:\temp\mfa-getCreds.json

REM Pull each field of the reply into an environment variable.
FOR /F "tokens=* USEBACKQ" %%g IN (`jq -r ".Credentials.AccessKeyId" c:\temp\mfa-getCreds.json`) do (SET "AWS_ACCESS_KEY=%%g")
FOR /F "tokens=*" %%g IN ('jq -r ".Credentials.SecretAccessKey" c:\temp\mfa-getCreds.json') do (SET "AWS_SECRET_KEY=%%g")
FOR /F "tokens=*" %%g IN ('jq -r ".Credentials.SessionToken" c:\temp\mfa-getCreds.json') do (SET "AWS_SESSION_TOKEN=%%g")
FOR /F "tokens=*" %%g IN ('jq -r ".Credentials.Expiration" c:\temp\mfa-getCreds.json') do (SET "EXPIRATION=%%g")

REM The AWS CLI reads these environment variables before any profile in the credentials file.
set "AWS_ACCESS_KEY_ID=%AWS_ACCESS_KEY%"
set "AWS_SECRET_ACCESS_KEY=%AWS_SECRET_KEY%"

echo.
echo Your credentials are set up, but will expire on %EXPIRATION%
echo.
echo Now you should be able to run aws commands like this: aws s3 ls

goto :EOF

:showUsage
echo Usage: %0 [MFA Token]
goto :EOF

For this to run, you'll need the excellent jq package in your path.

• Thanks mate.. saved me creating it :) – Paul Dunlop, Jul 15 at 10:20
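As an added example (not code from any answer here), the get-session-token reply handling that the batch file above does with jq, together with the role-profile layout from Joe Harris's answer, in standard-library Python. The STS reply, account id, user and role names are constructed placeholders, and the assumption that the CLI ignores an extra expiration key in the credentials file is marked in the code.

```python
"""Added example, not code from any answer above: the
get-session-token -> parse -> store flow plus the role-profile
config from Joe Harris's answer, standard library only. The STS
reply below is a constructed sample, not a live call."""
import configparser
import io
import json
import re
from datetime import datetime, timezone

# Constructed sample of what `aws sts get-session-token` prints.
# The ids, secret and token are placeholders, not real credentials.
SAMPLE_STS_REPLY = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE01",
        "SecretAccessKey": "exampleSecretKeyDoNotUse/0000000000000000",
        "SessionToken": "FwoGZXIvYXdzEXAMPLETOKEN==",
        "Expiration": "2019-05-12T04:04:13Z",
    }
})

TOKEN_CODE_RE = re.compile(r"^\d{6}$")


def is_valid_token_code(code):
    """A virtual MFA device yields six digits; catch typos before STS does."""
    return bool(TOKEN_CODE_RE.match(code))


def build_get_session_token_argv(source_profile, mfa_serial, token_code,
                                 duration_seconds=43200):
    """argv for the CLI call the answers above run by hand (no call is made here)."""
    if not is_valid_token_code(token_code):
        raise ValueError("MFA code must be exactly six digits")
    return ["aws", "sts", "get-session-token",
            "--profile", source_profile,
            "--serial-number", mfa_serial,
            "--token-code", token_code,
            "--duration-seconds", str(duration_seconds),
            "--output", "json"]


def parse_utc(text):
    """Parse the Z-suffixed timestamp STS uses into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_sts_reply(reply_text):
    """Return (access_key_id, secret, session_token, expiration) from the JSON reply."""
    creds = json.loads(reply_text)["Credentials"]
    return (creds["AccessKeyId"], creds["SecretAccessKey"],
            creds["SessionToken"], parse_utc(creds["Expiration"]))


def seconds_remaining(expiration, now=None):
    """How long the session is still good for; <= 0 means ask for a new code."""
    now = now or datetime.now(timezone.utc)
    return int((expiration - now).total_seconds())


def write_session_profile(credentials_text, profile, reply_text):
    """Merge the temporary credentials into the credentials-file text under
    `profile`, leaving every other section (the long-lived key) untouched.
    Assumption: the CLI reads the three aws_* keys and ignores `expiration`."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(credentials_text)
    key, secret, token, exp = parse_sts_reply(reply_text)
    cp[profile] = {
        "aws_access_key_id": key,
        "aws_secret_access_key": secret,
        "aws_session_token": token,
        "expiration": exp.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def render_role_profile(account_id, user_name, role_name, region="us-east-1"):
    """The credentials-file shape from Joe Harris's answer: a role profile whose
    mfa_serial makes the CLI itself prompt "Enter MFA code:" and cache the session."""
    cp = configparser.ConfigParser(interpolation=None)
    cp[role_name] = {
        "role_arn": f"arn:aws:iam::{account_id}:role/{role_name}",
        "source_profile": user_name,
        "mfa_serial": f"arn:aws:iam::{account_id}:mfa/{user_name}",
        "region": region,
    }
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    # Offline walk-through on the constructed reply; nothing contacts AWS.
    print(" ".join(build_get_session_token_argv(
        "prod", "arn:aws:iam::123456789012:mfa/example-user", "229168")))
    existing = "[prod]\naws_access_key_id = AKIAEXAMPLE\naws_secret_access_key = example\n"
    print(write_session_profile(existing, "mfa", SAMPLE_STS_REPLY))
    print(render_role_profile("123456789012", "example-user", "my_admin_role"))
```

Unlike the batch file, nothing here parks the reply in a temp file: feed the CLI's stdout straight to parse_sts_reply and keep the session in its own profile.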


















I wrote a small bash script to get over this annoying problem.
You can find it here: https://gist.github.com/geekgunda/db4c9c8d850c08a48d1d60f119628032

Assumptions:

1. Your original AWS creds should be stored at ~/.aws/credentials

2. You've corrected the ARN for the MFA device (search for FIXME)

3. You've given the correct MFA code as a CLI argument

4. You have jq installed. Ref: https://stedolan.github.io/jq/
My use-case is I have a root account where all IAM users are created and assigned to IAM groups, which in turn have the capability to assume roles on a different account with varying degrees of access depending on the group they are on. I have a few house rules in place:

1. No one is allowed to do anything on the root account except to manage their own IAM user account.

2. Required password reset.

3. Required MFA.

4. You cannot switch accounts without logging in with MFA.

This has been set up using AWS Shared Organizations.

Previously, I've been using a Python script I wrote to let my users log in via the CLI with MFA and switch accounts. This is done by manipulating ~/.aws/credentials.

I've since migrated to using this project https://gitlab.com/severity1/aws-auth, which is written in Go and allows me to do the same without much setup, and it works on Windows, macOS and Linux.

This effectively gives all my users the ability to do local testing while developing apps for AWS without having to hardcode AWS credentials into their code.
We documented a few considerations for AWS API multifactor in general (where to add the conditions, what are the implications etc.) in the documentation for some custom tooling (https://github.com/kreuzwerker/awsu) we developed for using Yubikeys as source for the TOTP tokens. This makes working with roles and long-term credentials + session tokens pretty easy.
I have forked Chinmay's gist and updated it to pull the device serial from aws instead of hardcoding it. I have also updated the exits to return a status of 1 instead of just exiting.

Available here:
https://gist.github.com/jpribyl/e44021ae5cbf7fd1b4549598e85b5341

I am using it in deploy scripts like this (I renamed the script to awsMfaCli.sh):

. awsMfaCli.sh
script_status=$?

if [[ $script_status -ne 1 ]]; then
    echo "Building production"
    if npm run build ; then
        echo "Build Successful"
    else
        echo "Error building, exiting.."
        return 1
    fi

    echo "Removing all files on bucket.."
    aws s3 rm --recursive s3://mybucket

    echo "Uploading site.."
    aws s3 sync build/ s3://mybucket
    echo "S3 Upload complete.."
    echo "Deployment complete."
else
    return 1
fi
aws-mfa acts as a wrapper around sts and works really well: https://github.com/broamski/aws-mfa






                      share|improve this answer

























                        Your Answer






                        StackExchange.ifUsing("editor", function ()
                        StackExchange.using("externalEditor", function ()
                        StackExchange.using("snippets", function ()
                        StackExchange.snippets.init();
                        );
                        );
                        , "code-snippets");

                        StackExchange.ready(function()
                        var channelOptions =
                        tags: "".split(" "),
                        id: "1"
                        ;
                        initTagRenderer("".split(" "), "".split(" "), channelOptions);

                        StackExchange.using("externalEditor", function()
                        // Have to fire editor after snippets, if snippets enabled
                        if (StackExchange.settings.snippets.snippetsEnabled)
                        StackExchange.using("snippets", function()
                        createEditor();
                        );

                        else
                        createEditor();

                        );

                        function createEditor()
                        StackExchange.prepareEditor(
                        heartbeatType: 'answer',
                        autoActivateHeartbeat: false,
                        convertImagesToLinks: true,
                        noModals: true,
                        showLowRepImageUploadWarning: true,
                        reputationToPostImages: 10,
                        bindNavPrevention: true,
                        postfix: "",
                        imageUploader:
                        brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
                        contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
                        allowUrls: true
                        ,
                        onDemand: true,
                        discardSelector: ".discard-answer"
                        ,immediatelyShowMarkdownHelp:true
                        );



                        );













                        draft saved

                        draft discarded


















                        StackExchange.ready(
                        function ()
                        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f34795780%2fhow-to-use-mfa-with-aws-cli%23new-answer', 'question_page');

                        );

                        Post as a guest















                        Required, but never shown

























                        10 Answers
                        10






                        active

                        oldest

                        votes








                        10 Answers
                        10






                        active

                        oldest

                        votes









                        active

                        oldest

                        votes






                        active

                        oldest

                        votes









                        6














                        Call aws sts get-session-token --token-code <value> documented here. This will give you a temporary security token. Documentation on using the temporary security token can be found here.






                        share|improve this answer



























                          6














                          Call aws sts get-session-token --token-code <value> documented here. This will give you a temporary security token. Documentation on using the temporary security token can be found here.






                          share|improve this answer

























                            6












                            6








                            6







                            Call aws sts get-session-token --token-code <value> documented here. This will give you a temporary security token. Documentation on using the temporary security token can be found here.






                            share|improve this answer













                            Call aws sts get-session-token --token-code <value> documented here. This will give you a temporary security token. Documentation on using the temporary security token can be found here.







                            share|improve this answer












                            share|improve this answer



                            share|improve this answer










                            answered Jan 14 '16 at 17:37









                            Mark BMark B

                            108k17 gold badges180 silver badges188 bronze badges




                            108k17 gold badges180 silver badges188 bronze badges























                                34














                                The CLI can manage a lot of this for you if you're using roles. Described here: http://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html



                                In my credentials file I have:



                                [my_iam_user]
                                aws_access_key_id = AKIABLAHBLAHBLAHBLAH
                                aws_secret_access_key = <blah>
                                region = us-east-1

                                [my_admin_role]
                                role_arn = arn:aws:iam::123456789123:role/my_admin_role
                                source_profile = my_iam_user
                                mfa_serial = arn:aws:iam::123456789123:mfa/my_iam_user
                                region = us-east-1


                                Note the mfa_serial entry. You can get this value from your user details in the AWS IAM console. This entry tells the CLI that MFA is required for that role.



                                When I call aws s3 ls --profile my_admin_role it says Enter MFA code:, after I paste in the code it returns the listing.



                                Note: I haven't found a way to get the CLI to ask for MFA when calling a user profile (--profile my_iam_user) only calling a role profile triggers the MFA request.



                                The MFA token is then carried forward and the user profile can be used as well:



                                aws sts get-caller-identity --profile my_iam_user
                                #
                                # "Account": "123456789123",
                                # "UserId": "AIDABLAHBLAHBLAHBLAH",
                                # "Arn": "arn:aws:iam::123456789123:user/my_iam_user"
                                #

                                aws sts get-caller-identity --profile my_admin_role
                                #
                                # "Account": "123456789123",
                                # "UserId": "AROABLAHBLAHBLAHBLAH:AWS-CLI-session-1234567890",
                                # "Arn": "arn:aws:sts::123456789123:assumed-role/my_admin_role/AWS-CLI-session-1234567890"
                                #





                                share|improve this answer


















                                • 3





                                  This technique blew my mind. It was so much simpler than dealing with temporary keys and tokens directly! I'm surprised this isn't mentioned more often.

                                  – killthrush
                                  Mar 21 '18 at 22:48












                                • When I try to create a role for myself, there aren't any good options. How did you create the role?

                                  – Ryan Shillington
                                  Mar 15 at 18:45















                                34














                                The CLI can manage a lot of this for you if you're using roles. Described here: http://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html



                                In my credentials file I have:



                                [my_iam_user]
                                aws_access_key_id = AKIABLAHBLAHBLAHBLAH
                                aws_secret_access_key = <blah>
                                region = us-east-1

                                [my_admin_role]
                                role_arn = arn:aws:iam::123456789123:role/my_admin_role
                                source_profile = my_iam_user
                                mfa_serial = arn:aws:iam::123456789123:mfa/my_iam_user
                                region = us-east-1


                                Note the mfa_serial entry. You can get this value from your user details in the AWS IAM console. This entry tells the CLI that MFA is required for that role.



                                When I call aws s3 ls --profile my_admin_role it says Enter MFA code:, after I paste in the code it returns the listing.



                                Note: I haven't found a way to get the CLI to ask for MFA when calling a user profile (--profile my_iam_user) only calling a role profile triggers the MFA request.



                                The MFA token is then carried forward and the user profile can be used as well:



                                aws sts get-caller-identity --profile my_iam_user
                                #
                                # "Account": "123456789123",
                                # "UserId": "AIDABLAHBLAHBLAHBLAH",
                                # "Arn": "arn:aws:iam::123456789123:user/my_iam_user"
                                #

                                aws sts get-caller-identity --profile my_admin_role
                                #
                                # "Account": "123456789123",
                                # "UserId": "AROABLAHBLAHBLAHBLAH:AWS-CLI-session-1234567890",
                                # "Arn": "arn:aws:sts::123456789123:assumed-role/my_admin_role/AWS-CLI-session-1234567890"
                                #





                                share|improve this answer


















                                • 3





                                  This technique blew my mind. It was so much simpler than dealing with temporary keys and tokens directly! I'm surprised this isn't mentioned more often.

                                  – killthrush
                                  Mar 21 '18 at 22:48












                                • When I try to create a role for myself, there aren't any good options. How did you create the role?

                                  – Ryan Shillington
                                  Mar 15 at 18:45













                                34












                                34








                                34







                                The CLI can manage a lot of this for you if you're using roles. Described here: http://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html



                                In my credentials file I have:



                                [my_iam_user]
                                aws_access_key_id = AKIABLAHBLAHBLAHBLAH
                                aws_secret_access_key = <blah>
                                region = us-east-1

                                [my_admin_role]
                                role_arn = arn:aws:iam::123456789123:role/my_admin_role
                                source_profile = my_iam_user
                                mfa_serial = arn:aws:iam::123456789123:mfa/my_iam_user
                                region = us-east-1


                                Note the mfa_serial entry. You can get this value from your user details in the AWS IAM console. This entry tells the CLI that MFA is required for that role.



                                When I call aws s3 ls --profile my_admin_role it says Enter MFA code:, after I paste in the code it returns the listing.



                                Note: I haven't found a way to get the CLI to ask for MFA when calling a user profile (--profile my_iam_user) only calling a role profile triggers the MFA request.



                                The MFA token is then carried forward and the user profile can be used as well:



                                aws sts get-caller-identity --profile my_iam_user
                                #
                                # "Account": "123456789123",
                                # "UserId": "AIDABLAHBLAHBLAHBLAH",
                                # "Arn": "arn:aws:iam::123456789123:user/my_iam_user"
                                #

                                aws sts get-caller-identity --profile my_admin_role
                                #
                                # "Account": "123456789123",
                                # "UserId": "AROABLAHBLAHBLAHBLAH:AWS-CLI-session-1234567890",
                                # "Arn": "arn:aws:sts::123456789123:assumed-role/my_admin_role/AWS-CLI-session-1234567890"
                                #





                                share|improve this answer













The CLI can manage a lot of this for you if you're using roles. Described here: http://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html

In my credentials file I have:

    [my_iam_user]
    aws_access_key_id = AKIABLAHBLAHBLAHBLAH
    aws_secret_access_key = <blah>
    region = us-east-1

    [my_admin_role]
    role_arn = arn:aws:iam::123456789123:role/my_admin_role
    source_profile = my_iam_user
    mfa_serial = arn:aws:iam::123456789123:mfa/my_iam_user
    region = us-east-1

Note the mfa_serial entry. You can get this value from your user details in the AWS IAM console. This entry tells the CLI that MFA is required for that role.

When I call aws s3 ls --profile my_admin_role it says "Enter MFA code:"; after I paste in the code it returns the listing.

Note: I haven't found a way to get the CLI to ask for MFA when calling a user profile (--profile my_iam_user); only calling a role profile triggers the MFA request.

The MFA token is then carried forward and the user profile can be used as well:

    aws sts get-caller-identity --profile my_iam_user
    #
    # "Account": "123456789123",
    # "UserId": "AIDABLAHBLAHBLAHBLAH",
    # "Arn": "arn:aws:iam::123456789123:user/my_iam_user"
    #

    aws sts get-caller-identity --profile my_admin_role
    #
    # "Account": "123456789123",
    # "UserId": "AROABLAHBLAHBLAHBLAH:AWS-CLI-session-1234567890",
    # "Arn": "arn:aws:sts::123456789123:assumed-role/my_admin_role/AWS-CLI-session-1234567890"
    #

answered Jan 31 '17 at 18:36 by Joe Harris

• This technique blew my mind. It was so much simpler than dealing with temporary keys and tokens directly! I'm surprised this isn't mentioned more often.
  – killthrush, Mar 21 '18 at 22:48

• When I try to create a role for myself, there aren't any good options. How did you create the role?
  – Ryan Shillington, Mar 15 at 18:45

I have published a PR for aws-cli which will allow using mfa_serial in the credentials file; it will force you to enter the token before making a request to AWS (and it will be cached while the token is valid).

• Issue: https://github.com/aws/aws-cli/issues/3172
• botocore PR: https://github.com/boto/botocore/pull/1399
• aws-cli PR: https://github.com/aws/aws-cli/pull/3174

Feel free to vote if you want to get it in.

answered Mar 3 '18 at 2:04 by outcoldman

AWS MFA use on the command line can be rather unpleasant and cumbersome, especially if you have multiple profiles and roles.

I have released the awscli-mfa.sh script, which makes MFA/role session management on the command line a lot easier. A companion script, enable-disable-vmfa-device.sh, similarly makes it easy to enable or disable a virtual MFA device on an IAM user account.

awscli-mfa.sh persists a started session in ~/.aws/credentials (with some info in ~/.aws/config), or allows you to start an in-env session only so that its details don't get persisted. When executed in Windows Subsystem for Linux, the script also provides session activation strings for PowerShell and the Windows command line. However, the script itself only runs in bash (written for macOS, Linux, and WSL bash with Ubuntu).

You can find the scripts and the example MFA policies in my GitHub repo at https://github.com/vwal/awscli-mfa

• I wish there was something like this for Windows.
  – Ryan Shillington, Mar 15 at 19:02

• @RyanShillington If you install Windows Subsystem for Linux (WSL), the script runs well in it. In fact, when you run it in WSL, it also provides the MFA and role session activation strings for Windows CMD and PowerShell.
  – Ville, Mar 15 at 21:18
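An added example (my own, not code from any answer here or from the awscli-mfa project) that puts together in Python with boto3 what the last two answers describe and what Joe Harris's note leaves open for a plain user profile: it exchanges the long-term key plus an MFA code for an STS session, persists the temporary credentials into a separate profile in ~/.aws/credentials, and reuses that session without prompting again while it is still valid. The profile names, the MFA serial ARN, the session profile name and the refresh margin are placeholders and assumptions, not values from the page.

```python
"""Cache an MFA-backed STS session in a named AWS CLI profile (added example)."""
import configparser
import os
from datetime import datetime, timedelta, timezone

# Placeholder identifiers (assumptions, not from the answers above); replace with your own.
SOURCE_PROFILE = "my_iam_user"                              # profile holding the long-term key
SESSION_PROFILE = "my_iam_user-mfa"                         # profile the session is cached under
MFA_SERIAL = "arn:aws:iam::123456789012:mfa/my_iam_user"    # from the user's IAM console page
# Treat a session as stale a few minutes before STS does, so a long-running command
# started near the end of the window does not fail half-way through.
REFRESH_MARGIN = timedelta(minutes=5)
EXPIRATION_FMT = "%Y-%m-%dT%H:%M:%SZ"


def load_cached_session(credentials_path, profile=SESSION_PROFILE, now=None):
    """Return the cached session credentials, or None if absent or about to expire."""
    now = now or datetime.now(timezone.utc)
    cfg = configparser.ConfigParser()
    cfg.read(credentials_path)  # a missing file simply yields no sections
    if not cfg.has_section(profile) or not cfg.has_option(profile, "expiration"):
        return None
    expiration = datetime.strptime(cfg[profile]["expiration"], EXPIRATION_FMT)
    expiration = expiration.replace(tzinfo=timezone.utc)
    if expiration - REFRESH_MARGIN <= now:
        return None  # expired, or inside the margin: force a fresh STS call
    return {
        "AccessKeyId": cfg[profile]["aws_access_key_id"],
        "SecretAccessKey": cfg[profile]["aws_secret_access_key"],
        "SessionToken": cfg[profile]["aws_session_token"],
        "Expiration": expiration,
    }


def store_session(credentials_path, creds, profile=SESSION_PROFILE):
    """Write STS credentials into `profile`, leaving every other profile untouched.

    The extra `expiration` key is used only by this script to decide when to refresh.
    """
    cfg = configparser.ConfigParser()
    cfg.read(credentials_path)
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    cfg[profile]["aws_access_key_id"] = creds["AccessKeyId"]
    cfg[profile]["aws_secret_access_key"] = creds["SecretAccessKey"]
    cfg[profile]["aws_session_token"] = creds["SessionToken"]
    expiration_utc = creds["Expiration"].astimezone(timezone.utc)
    cfg[profile]["expiration"] = expiration_utc.strftime(EXPIRATION_FMT)
    # The file now holds live secrets: create or truncate it owner-read/write only.
    fd = os.open(credentials_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        cfg.write(f)
    os.chmod(credentials_path, 0o600)  # also tighten a pre-existing, wider-mode file


def fetch_session_token(token_code, duration_seconds=3600):
    """Exchange the long-term key plus an MFA code for temporary credentials via STS.

    Needs boto3 and network access; imported lazily so the cache logic above stays
    importable (and testable) offline.
    """
    import boto3
    sts = boto3.Session(profile_name=SOURCE_PROFILE).client("sts")
    resp = sts.get_session_token(
        SerialNumber=MFA_SERIAL, TokenCode=token_code, DurationSeconds=duration_seconds
    )
    return resp["Credentials"]


def get_mfa_session(credentials_path, prompt, sts_call=fetch_session_token, now=None):
    """Return (credentials, refreshed): the cached session if still valid, else a new one.

    `prompt` is only invoked when STS has to be contacted, so a valid cache means no
    MFA prompt; `sts_call` is injectable so the caching behaviour can run without AWS.
    """
    cached = load_cached_session(credentials_path, now=now)
    if cached is not None:
        return cached, False
    creds = sts_call(prompt())
    store_session(credentials_path, creds)
    return creds, True


if __name__ == "__main__":
    path = os.path.expanduser("~/.aws/credentials")
    creds, refreshed = get_mfa_session(path, lambda: input("Enter MFA code: ").strip())
    state = "New session" if refreshed else "Cached session"
    print(f"{state} valid until {creds['Expiration']:%Y-%m-%dT%H:%M:%SZ}")
    print(f"Use it with: aws s3 ls --profile {SESSION_PROFILE}")
```

Run it once per session window; every further invocation within that window returns the cached profile without asking for a code, and a command run with --profile my_iam_user-mfa uses the temporary credentials.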
answered Jan 28 at 2:02 by Ville

On Windows

I'm on Windows and I created a batch file to pass in my MFA code and have it automatically set up my credentials. First, you need to set up your production credentials in AWS:

    aws configure --profile prod

Answer the questions appropriately with your key and secret. Then, I run my script like this:

    C:\> mfa-getCreds.bat 229168
    Your credentials are set up, and will expire on 2019-05-12T04:04:13Z
    Now you should be able to run aws commands like this: aws s3 ls

Here are the contents of my mfa-getCreds.bat:

    @echo off

    set TOKEN=%1
    if not defined TOKEN goto showUsage

    rem Exchange the long-term "prod" key plus the MFA code for a temporary session
    @call aws sts get-session-token --profile prod --serial-number "arn:aws:iam::109627855994:mfa/ryan.shillington" --token-code %TOKEN% > c:\temp\mfa-getCreds.json

    rem Pull each field out of the JSON with jq and export it for later aws calls
    FOR /F "tokens=* USEBACKQ" %%g IN (`jq -r ".Credentials.AccessKeyId" c:\temp\mfa-getCreds.json`) do (SET "AWS_ACCESS_KEY_ID=%%g")
    FOR /F "tokens=*" %%g IN ('jq -r ".Credentials.SecretAccessKey" c:\temp\mfa-getCreds.json') do (SET "AWS_SECRET_ACCESS_KEY=%%g")
    FOR /F "tokens=*" %%g IN ('jq -r ".Credentials.SessionToken" c:\temp\mfa-getCreds.json') do (SET "AWS_SESSION_TOKEN=%%g")
    FOR /F "tokens=*" %%g IN ('jq -r ".Credentials.Expiration" c:\temp\mfa-getCreds.json') do (SET "EXPIRATION=%%g")

    rem The JSON file holds live session credentials, so don't leave it on disk
    del c:\temp\mfa-getCreds.json

    echo.
    echo Your credentials are set up, but will expire on %EXPIRATION%
    echo.
    echo Now you should be able to run aws commands like this: aws s3 ls

    goto :EOF

    :showUsage
    echo Usage: %0 [MFA Token]
    goto :EOF

For this to run, you'll need the excellent jq package in your path.

• Thanks mate.. saved me creating it :)
  – Paul Dunlop, Jul 15 at 10:20

answered May 11 at 16:08 by Ryan Shillington

I wrote a small bash script to get over this annoying problem.
You can find it here: https://gist.github.com/geekgunda/db4c9c8d850c08a48d1d60f119628032

Assumptions:

1. Your original AWS credentials are stored at ~/.aws/credentials
2. You've corrected the ARN for the MFA device (search for FIXME)
3. You've given the correct MFA code as a CLI argument
4. You have jq installed. Ref: https://stedolan.github.io/jq/

                                            answered Aug 10 '18 at 3:43

geekgunda

My use-case is I have a root account where all IAM users are created and assigned to IAM groups, which in turn have the capability to assume roles on a different account with varying degrees of access depending on the group they are on. I have a few house rules in place:

1. No one is allowed to do anything on the root account except to manage their own IAM user account.

2. Required password reset.

3. Required MFA.

4. You cannot switch accounts without logging in with MFA.

This has been set up using AWS Shared Organizations.

Previously, I've been using a Python script I wrote to let my users log in via CLI with MFA and switch accounts. This is done by manipulating ~/.aws/credentials.

I've since migrated to using this project https://gitlab.com/severity1/aws-auth, which is written in Go and allows me to do the same without much setup, and it works on Windows, macOS and Linux.

This effectively gives all my users the ability to do local testing while developing apps for AWS without having to hardcode AWS credentials into their code.
                                                    answered Aug 27 '18 at 22:44

unexpectedGuest
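
The account-switching pattern this answer describes (IAM users in one account, MFA required, roles in the target accounts) can also be expressed with the AWS CLI's own profile chaining, with no helper tool. The following is an added example, not from this answer or from the aws-auth project; the account IDs, role name and user name are placeholders:

```ini
# ~/.aws/credentials : only the long-term keys of the IAM user in the root account
[default]
aws_access_key_id     = <long-term access key id>
aws_secret_access_key = <long-term secret key>

# ~/.aws/config : one profile per target account. The CLI calls sts:AssumeRole
# with the MFA code it prompts for, caches the temporary credentials and only
# prompts again once they expire.
[profile dev]
role_arn         = arn:aws:iam::222222222222:role/Developer
source_profile   = default
mfa_serial       = arn:aws:iam::111111111111:mfa/alice
duration_seconds = 3600
```

The client-side prompt is only a convenience; rule 4 is enforced server-side by a `"Bool": {"aws:MultiFactorAuthPresent": "true"}` condition in each role's trust policy, without which the role could still be assumed with the long-term keys alone.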

We documented a few considerations for AWS API multi-factor authentication in general (where to add the conditions, what the implications are, etc.) in the documentation for some custom tooling (https://github.com/kreuzwerker/awsu) we developed for using YubiKeys as the source for the TOTP tokens. This makes working with roles and long-term credentials + session tokens pretty easy.
                                                            answered Sep 17 '18 at 8:41

yawn

I have forked Chinmay's gist and updated it to pull the device serial from AWS instead of hardcoding it. I have also updated the exits to return a status of 1 instead of just exiting.

Available here:
https://gist.github.com/jpribyl/e44021ae5cbf7fd1b4549598e85b5341

I am using it in deploy scripts like this (I renamed the script to awsMfaCli.sh):

    # Source (not execute) the MFA script so the temporary credentials it
    # exports land in this shell; it returns 1 when the STS call fails.
    . awsMfaCli.sh
    script_status=$?

    if [[ $script_status -ne 1 ]]; then
        echo "Building production"
        if npm run build ; then
            echo "Build Successful"
        else
            echo "Error building, exiting.."
            return 1
        fi

        echo "Removing all files on bucket.."
        aws s3 rm --recursive s3://mybucket

        echo "Uploading site.."
        aws s3 sync build/ s3://mybucket
        echo "S3 Upload complete.."
        echo "Deployment complete."
    else
        # return, not exit: this snippet is sourced into the shell, and exit
        # would close the caller's shell. In an executed script use exit 1.
        return 1
    fi
                                                                    edited Nov 6 '18 at 17:08
                                                                    ayaio

                                                                    answered Nov 6 '18 at 17:00

kibble
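
Both gists above (geekgunda's original and this fork) do the same three things: call sts get-session-token with the MFA device serial and code, parse the JSON, and rewrite ~/.aws/credentials. The following is an added example in Python stdlib, not code from either gist, that does the same without jq or a hardcoded ARN and adds an expiry check so a deploy script only prompts for a code when needed; the function names, the "mfa" profile name and the sample response are my own choices:

```python
#!/usr/bin/env python3
"""Added example (not from the gists above): the GetSessionToken flow in
Python stdlib, so it needs neither jq nor a hardcoded device ARN. Function
names, the 'mfa' profile name and the sample response below are assumptions."""
import configparser
import json
import os
import subprocess
from datetime import datetime, timezone

SESSION_PROFILE = "mfa"   # short-lived creds live here; [default] keeps the long-term keys


def list_mfa_devices_cmd(profile="default"):
    """argv that discovers the user's MFA device ARN instead of hardcoding it."""
    return ["aws", "iam", "list-mfa-devices", "--profile", profile,
            "--query", "MFADevices[0].SerialNumber", "--output", "text"]


def get_session_token_cmd(mfa_serial, token_code, duration=43200, profile="default"):
    """argv for the STS call. It must run with the long-term keys: STS refuses
    GetSessionToken with MFA when it is called using session credentials."""
    return ["aws", "sts", "get-session-token", "--profile", profile,
            "--serial-number", mfa_serial, "--token-code", str(token_code),
            "--duration-seconds", str(duration), "--output", "json"]


def parse_expiration(text):
    """The aws CLI prints '...Z' or '...+00:00' depending on its version."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def write_session_profile(creds_path, response_json, profile=SESSION_PROFILE):
    """Store the temporary credentials under their own profile, leaving every
    other section of the credentials file untouched. Returns the expiry."""
    creds = json.loads(response_json)["Credentials"]
    cfg = configparser.ConfigParser()
    cfg.read(creds_path)                       # a missing file gives an empty config
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    cfg[profile]["aws_access_key_id"] = creds["AccessKeyId"]
    cfg[profile]["aws_secret_access_key"] = creds["SecretAccessKey"]
    cfg[profile]["aws_session_token"] = creds["SessionToken"]
    cfg[profile]["expiration"] = creds["Expiration"]   # extra key, ignored by the CLI
    # A session token carries the user's full permissions: owner-only file mode.
    fd = os.open(creds_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.chmod(creds_path, 0o600)
    return parse_expiration(creds["Expiration"])


def session_is_valid(creds_path, now=None, profile=SESSION_PROFILE, margin=300):
    """True when the stored session has more than `margin` seconds left, so a
    deploy script can skip the MFA prompt instead of burning a code each run."""
    cfg = configparser.ConfigParser()
    cfg.read(creds_path)
    if not cfg.has_option(profile, "expiration"):   # also False if the section is missing
        return False
    now = now or datetime.now(timezone.utc)
    left = (parse_expiration(cfg[profile]["expiration"]) - now).total_seconds()
    return left > margin


def refresh_session(creds_path, token_code):
    """Online path (needs the aws CLI and network): look up the device, call STS,
    persist the result. Raises CalledProcessError on a wrong or reused code."""
    serial = subprocess.run(list_mfa_devices_cmd(), check=True,
                            capture_output=True, text=True).stdout.strip()
    out = subprocess.run(get_session_token_cmd(serial, token_code), check=True,
                         capture_output=True, text=True).stdout
    return write_session_profile(creds_path, out)


if __name__ == "__main__":
    import tempfile
    # Constructed sample response in the shape `aws sts get-session-token` prints.
    SAMPLE = json.dumps({"Credentials": {
        "AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret-example",
        "SessionToken": "token-example", "Expiration": "2018-08-10T15:43:00Z"}})
    path = os.path.join(tempfile.mkdtemp(), "credentials")
    print("expires", write_session_profile(path, SAMPLE))
    print("valid at 2018-08-10T10:00Z:",
          session_is_valid(path, datetime(2018, 8, 10, 10, tzinfo=timezone.utc)))
```

Point the CLI at the session with `--profile mfa` (or `AWS_PROFILE=mfa`) and keep `[default]` for the STS call only; a deploy script would call `session_is_valid()` first and only then ask for a code.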

aws-mfa acts as a wrapper around STS and works really well: https://github.com/broamski/aws-mfa
                                                                            answered Dec 4 '18 at 19:03

Ryan Tuck
