Last active
October 29, 2019 17:50
-
-
Save ndt75/25f0415be8241c8bcc2967bbbc986ac3 to your computer and use it in GitHub Desktop.
Authenticate AWS CLI with MFA
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function devmfa() { | |
| ################################################################################################## | |
| # TODO: fill out these 2 variables | |
| ################################################################################################## | |
| # This is the profile with access keys associated with your AWS user account. | |
| # These keys are useless when MFA is enabled or required for the CLI. | |
| # However, we can use these keys to call "aws sts get-session-token" along with the MFA code | |
| # to get a set of temporary credentials and store then in AWS env variables for the CLI to consume. | |
| # i.e. this profile should be existing in `.aws/credentials` | |
| aws_profile='<replace-with-profile>' | |
| # The mfa arn can be found under your user profile in AWS IAM console under "My security credentials" | |
| # e.g. arn:aws:iam::xxxxxxxxx:mfa/username | |
| mfa_arn='<replace-with-arn-of-the-mfa-device>' | |
| if [ -z "$1" ] | |
| then | |
| echo "Usage: devmfa <mfa-code>" | |
| else | |
| # make sure to unset any existing AWS env vars | |
| unset AWS_ACCESS_KEY_ID | |
| unset AWS_SECRET_ACCESS_KEY | |
| unset AWS_SESSION_TOKEN | |
| # default profile used by aws cli | |
| export AWS_PROFILE=$aws_profile | |
| # default aws region required by many resources | |
| export AWS_DEFAULT_REGION=us-west-2 | |
| # fetch the temporary credentials | |
| # token-code is what you get from your MFA (virtual device) like Google/Microsoft Authenticator | |
| session=$(aws sts get-session-token --serial-number $mfa_arn --token-code $1) | |
| # export the AWS env variables with the temporary credentials | |
| export AWS_ACCESS_KEY_ID=$(echo $session | jq -r .Credentials.AccessKeyId) | |
| export AWS_SECRET_ACCESS_KEY=$(echo $session | jq -r .Credentials.SecretAccessKey) | |
| export AWS_SESSION_TOKEN=$(echo $session | jq -r .Credentials.SessionToken) | |
| # unset the default profile so it doesn't override the env variables we just set | |
| unset AWS_PROFILE | |
| fi | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Download https://stedolan.github.io/jq/download/ so we can use it to parse the JSON output from the aws commands.
Add that function to your .bash_profile or wherever depending on your platform and set
<replace-with-profile>and<replace-with-arn-of-the-mfa-device>with your own account values. Make sure to refresh it:$ source ~/.bash_profileRun the function on your command line and pass in the MFA code you see in your Google/Microsoft Authenticator:
$ devmfa 961883That's it! If no errors, your AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN should be set to the temporary AWS credentials for you to use the CLI normally.
Test it by running a command to list all the S3 buckets in your account:
$ aws s3 lsNote: The temporary credentials last 12 hours by default so when they expire just run step #3 again to get new credentials .
Check out this link to extend the expiration up to 36 hours as needed:
https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/