@aharonh
Last active October 1, 2021 10:01
This script automates the renewal of the temporary access credentials that are required when MFA is configured for AWS CLI authentication. It is meant to be run each time (roughly once a day) the temporary tokens have expired, so that it renews them. It was tested on both Linux and Windows with Python 3. Below is a short explanation of how to use it.

Let's assume there is an AWS profile named 'root' configured for access and that you have enabled MFA for the AWS CLI. Then you should add a profile called root-mfa to both ~/.aws/config and ~/.aws/credentials as follows:

config

[profile root-mfa]
region = us-east-1
output = json

credentials

[root-mfa]
aws_access_key_id = a
aws_secret_access_key = a
aws_session_token = a

The root-mfa section of the credentials file is overwritten by the script each time it is run with a valid one-time MFA token; the placeholder values above only need to exist so the section is present.

Place the script aws-mfa-login.py into ~/bin/ or another folder on your PATH, set the current AWS profile to root and run:

AWS_PROFILE=root; aws-mfa-login.py root root-mfa ~/.aws/credentials arn:aws:iam::137602392568:mfa/aharon.haravon 647239

The parameters are, respectively:

  • start AWS profile
  • MFA AWS profile
  • credentials filename
  • MFA device ARN
  • current MFA token value

Now you can use the root-mfa AWS profile.

#!/usr/bin/python3
# sample command to run
# ~/bin/aws-mfa-login.py root root-mfa ~/.aws/credentials arn:aws:iam::234234234234:mfa/aharon.haravon 322323
from sys import argv
from subprocess import run, PIPE
from json import loads
from configparser import ConfigParser

if len(argv) != 6:
    raise ValueError("five parameters shall be passed - start aws profile, mfa aws profile, credentials filename, "
                     "mfa serial and the current mfa token value. you passed {current_len} args."
                     .format(current_len=len(argv) - 1))

start_aws_profile = argv[1]
mfa_aws_profile = argv[2]
creds_file = argv[3]
mfa_serial = argv[4]
mfa_token = argv[5]

# ask STS for temporary credentials, authenticating with the start profile's
# long-lived key plus the one-time MFA code
aws_login_command = ("aws --profile {aws_profile} sts get-session-token --serial-number {mfa_serial} "
                     "--token-code {token_code}").format(aws_profile=start_aws_profile,
                                                         token_code=mfa_token, mfa_serial=mfa_serial)
# check=True makes a failed CLI call (e.g. a wrong or reused token code) raise
# CalledProcessError instead of a confusing JSON error on empty output
aws_login_info = loads(run(aws_login_command.split(' '), stdout=PIPE, check=True).stdout)

# copy the temporary credentials into the mfa profile section; the other
# sections of the credentials file are read and written back unchanged
credentials = ConfigParser()
credentials.read(creds_file)
credentials[mfa_aws_profile]["aws_access_key_id"] = aws_login_info["Credentials"]["AccessKeyId"]
credentials[mfa_aws_profile]["aws_secret_access_key"] = aws_login_info["Credentials"]["SecretAccessKey"]
credentials[mfa_aws_profile]["aws_session_token"] = aws_login_info["Credentials"]["SessionToken"]
with open(creds_file, 'w') as creds:
    credentials.write(creds)
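The gist calls STS on every run. As an added example that is not part of the gist, the following Python code shows the same credentials-file update done offline against a constructed STS response, with two additions a practitioner usually wants: it records the session's Expiration in the profile section (an assumed extra key, aws_session_expiration, which the AWS CLI is assumed to ignore) so that a second run before expiry skips the STS call and the MFA prompt, and it writes the credentials file with owner-only permissions, since the long-lived key of the start profile lives in the same file. The sample credentials text and STS JSON are constructed for the example; the function names and the expiry margin are choices made here, not the gist's.

```python
#!/usr/bin/env python3
"""Added example: refresh an MFA profile in an AWS credentials file from an
STS get-session-token response, only when the stored session has expired."""
import json
import os
from configparser import ConfigParser
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample of the JSON that `aws sts get-session-token` returns.
SAMPLE_STS_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEY0000",
        "SecretAccessKey": "exampleSecretKey/NotReal",
        "SessionToken": "exampleSessionToken==",
        "Expiration": "2021-10-01T22:01:00+00:00",
    }
})

# Constructed sample credentials file: the long-lived 'root' profile plus the
# placeholder 'root-mfa' section the gist asks you to create.
SAMPLE_CREDENTIALS = """[root]
aws_access_key_id = AKIAEXAMPLELONGLIVED
aws_secret_access_key = exampleLongLivedSecret

[root-mfa]
aws_access_key_id = a
aws_secret_access_key = a
aws_session_token = a
"""

# Assumed extra key: recorded by this script, ignored by the AWS CLI.
EXPIRATION_KEY = "aws_session_expiration"


def parse_aws_timestamp(raw: str) -> datetime:
    """Parse STS timestamps; CLI v1 prints a trailing Z, v2 prints +00:00."""
    return datetime.fromisoformat(raw.replace("Z", "+00:00"))


def session_expired(creds: ConfigParser, profile: str, now: datetime,
                    margin: timedelta = timedelta(minutes=5)) -> bool:
    """True if the profile has no recorded expiration or it is within `margin` of `now`."""
    if not creds.has_section(profile) or not creds[profile].get(EXPIRATION_KEY):
        return True
    return now + margin >= parse_aws_timestamp(creds[profile][EXPIRATION_KEY])


def apply_sts_response(creds: ConfigParser, profile: str, sts_json: str) -> ConfigParser:
    """Copy the temporary credentials from the STS JSON into the profile section."""
    data = json.loads(sts_json)["Credentials"]
    required = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")
    missing = [key for key in required if key not in data]
    if missing:
        raise ValueError("STS response is missing fields: {}".format(missing))
    if not creds.has_section(profile):
        creds.add_section(profile)
    creds[profile]["aws_access_key_id"] = data["AccessKeyId"]
    creds[profile]["aws_secret_access_key"] = data["SecretAccessKey"]
    creds[profile]["aws_session_token"] = data["SessionToken"]
    creds[profile][EXPIRATION_KEY] = data["Expiration"]
    return creds


def refresh_from_text(creds_text: str, profile: str, sts_json: str, now_iso: str):
    """Return (updated ConfigParser, refreshed?) for credentials given as text.
    The STS call itself is out of scope here; its JSON is passed in."""
    creds = ConfigParser()
    creds.read_string(creds_text)
    if not session_expired(creds, profile, parse_aws_timestamp(now_iso)):
        return creds, False          # still valid: no STS call, no MFA prompt
    apply_sts_response(creds, profile, sts_json)
    return creds, True


def serialize(creds: ConfigParser) -> str:
    """Render the parser back to credentials-file text (for a follow-up run)."""
    buf = StringIO()
    creds.write(buf)
    return buf.getvalue()


def write_credentials(creds: ConfigParser, path: str) -> None:
    """Write the file owner read/write only; the long-lived key lives here too."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        creds.write(fh)
    os.chmod(path, 0o600)  # tighten an existing file that was created more permissively


if __name__ == "__main__":
    updated, refreshed = refresh_from_text(SAMPLE_CREDENTIALS, "root-mfa",
                                           SAMPLE_STS_RESPONSE, "2021-10-01T10:01:00+00:00")
    print("refreshed:", refreshed)
    print(serialize(updated))
```

In a real run, replace the constructed SAMPLE_STS_RESPONSE with the stdout of the same `aws sts get-session-token` command the gist builds, and call write_credentials on ~/.aws/credentials instead of printing. The expiry margin means a session with only a few minutes left is renewed early rather than failing mid-command.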