This script automates the renewal of the temporary access credentials that are required when MFA is configured for AWS CLI authentication. It is meant to be run each time the temporary tokens expire (about once a day) so that it renews them. It was tested on both Linux and Windows with python3. Below is a short explanation of how to use it.
Let's assume there is an AWS profile named 'root' configured for access and you have enabled MFA for the AWS CLI. Then you should add a profile called root-mfa in both ~/.aws/config and ~/.aws/credentials as follows:
config
[profile root-mfa]
region = us-east-1
output = json
credentials
[root-mfa]
aws_access_key_id = a
aws_secret_access_key = a
aws_session_token = a
The root-mfa section of the credentials file will be updated by the script when it is run and supplied with a valid one-time access token.
Place the script aws-mfa-login.py into ~/bin/ or another folder in the path, set the current AWS profile to root and run:
export AWS_PROFILE=root; aws-mfa-login.py root root-mfa ~/.aws/credentials arn:aws:iam::137602392568:mfa/aharon.haravon 647239
The parameters are, respectively:
- start AWS profile
- MFA AWS profile
- credentials filename
- MFA device ARN
- current MFA token value
Now you can use the root-mfa AWS profile.
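What the update of the root-mfa section amounts to, as an added example that is not the aws-mfa-login.py script itself: it assumes the temporary credentials come from `aws sts get-session-token` called with the mfa device arn and token value. The function name update_mfa_profile and the sample response are constructed for illustration.

```python
import configparser
import json
import os
import tempfile

# Constructed sample of the JSON printed by
# `aws sts get-session-token --serial-number <mfa device arn> --token-code <token>`.
# Every value below is a made-up placeholder.
SAMPLE_STS_RESPONSE = """
{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID0000",
    "SecretAccessKey": "constructedSecretKeyValue",
    "SessionToken": "constructedSessionTokenValue",
    "Expiration": "2030-01-01T12:00:00Z"
  }
}
"""

FIELD_MAP = {
    "aws_access_key_id": "AccessKeyId",
    "aws_secret_access_key": "SecretAccessKey",
    "aws_session_token": "SessionToken",
}


def update_mfa_profile(credentials_path, mfa_profile, sts_json):
    """Store the temporary credentials in [mfa_profile]; return their expiration."""
    creds = json.loads(sts_json)["Credentials"]
    missing = [name for name in FIELD_MAP.values() if not creds.get(name)]
    if missing:
        raise ValueError("STS response is missing: " + ", ".join(missing))

    # interpolation=None keeps a '%' inside a secret from being interpreted.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(credentials_path)  # other profiles (e.g. root) are preserved
    if not parser.has_section(mfa_profile):
        parser.add_section(mfa_profile)
    for option, name in FIELD_MAP.items():
        parser[mfa_profile][option] = creds[name]

    # mkstemp creates the file readable by the owner only; os.replace then
    # swaps it in atomically so a failed write never truncates the original.
    directory = os.path.dirname(os.path.abspath(credentials_path))
    fd, tmp_path = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "w") as handle:
        parser.write(handle)
    os.replace(tmp_path, credentials_path)
    return creds.get("Expiration")
```

The returned expiration tells you when the script has to be run again with a fresh token value.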