Skip to content

Instantly share code, notes, and snippets.

@pjstein
Forked from anniejw6/alias.sh
Last active Apr 29, 2020
Embed
What would you like to do?
MFA for the AWS cli

AWS MFA

Use the tools in this gist to use MFA Authentication from the command line.

Install

  1. Install the (AWS CLI)[https://docs.aws.amazon.com/cli/latest/userguide/install-cliv1.html]
  2. On your AWS Account Page, generate your access keys ("My Security Credentials" > "Access keys for CLI, SDK, & API access" > "Create Access Key").
  3. Run aws configure. When it asks for your "AWS Access Key ID" and "AWS Secret Key", use those generated in [2].
  4. Place mfa-commands.sh, mfa.cfg, and mfa.sh in ~/.aws/.
  5. chmod +x ~/.aws/mfa.sh & chmod +x ~/.aws/mfa-commands.sh
  6. Update ~/.aws/mfa.cfg, replacing the values for <MY AWS ACCOUNT ID> and <MY AWS USER> with those for your account. Your can find these in your "User ARN" on your AWS Account Page.
  7. Add source ~/.aws/mfa-commands.sh to the end of your ~/.bashrc, ~/.bash_profile, or ~/.zshrc.
  8. source ~/<FILE FROM [7]>

Usage

  1. Get an MFA token from your authenticator app.
  2. Invoke aws-mfa <MFA TOKEN FROM [1]>

Usage

➜  aws-mfa git:(master) ✗ aws-mfa
Usage: /Users/peterstein/.aws/mfa.sh <MFA_TOKEN_CODE> <AWS_CLI_PROFILE>
Where:
  <MFA_TOKEN_CODE> = Code from virtual MFA device
  <AWS_CLI_PROFILE> = aws-cli profile usually in /Users/peterstein/.aws/config

Success

➜  aws-mfa git:(master) ✗ aws-mfa 111111
We've set your credentials in this shell
Generated at: '2020-01-03 17:42:36'
These credentials are valid for *12 hours*

Notes on Effective Usage

  • Your credentials are only valid in the shell in which you invoked aws-mfa. To use those credentials in another shell, you can run aws-mfa-reup.
#!/usr/bin/env bash
aws-mfa-print-info()
{
echo "We've set your credentials in this shell"
echo "Generated at: '${EPHEMERAL_TOKEN_GENERATED_AT}'"
echo "These credentials are valid for *12 hours*"
unset EPHEMERAL_TOKEN_GENERATED_AT
}
aws-mfa()
{
~/.aws/mfa.sh $1 $2
if [ $? -eq 0 ]; then
source ~/.aws/ephemeral-token
aws-mfa-print-info
fi
}
aws-mfa-reup()
{
if [ -f "${HOME}/.aws/ephemeral-token" ]; then
source ~/.aws/ephemeral-token
aws-mfa-print-info
else
echo "Could not find your ephemeral token. Run aws-mfa to generate a new ephemeral token"
fi
}
default="arn:aws:iam::<MY AWS ACCOUNT ID>:mfa/<MY AWS USER>"
#!/usr/bin/env bash
#
# Sample for getting temp session token from AWS STS
#
# aws --profile youriamuser sts get-session-token --duration 3600 \
# --serial-number arn:aws:iam::012345678901:mfa/user --token-code 012345
#
# Once the temp token is obtained, you'll need to feed the following environment
# variables to the aws-cli:
#
# export AWS_ACCESS_KEY_ID='KEY'
# export AWS_SECRET_ACCESS_KEY='SECRET'
# export AWS_SESSION_TOKEN='TOKEN'
AWS_CLI=`which aws`
EPHEMERAL_TOKEN_FILE="${HOME}/.aws/ephemeral-token"
if [ $? -ne 0 ]; then
echo "AWS CLI is not installed; exiting"
exit 1
fi
if [[ $# -ne 1 && $# -ne 2 ]]; then
echo "Usage: $0 <MFA_TOKEN_CODE> <AWS_CLI_PROFILE>"
echo "Where:"
echo " <MFA_TOKEN_CODE> = Code from virtual MFA device"
echo " <AWS_CLI_PROFILE> = aws-cli profile usually in $HOME/.aws/config"
exit 2
fi
if [ ! -r ~/.aws/mfa.cfg ]; then
echo "No config found. Please create your mfa.cfg. See README.txt for more info."
exit 2
fi
AWS_CLI_PROFILE=${2:-default}
MFA_TOKEN_CODE=$1
ARN_OF_MFA=$(grep "^$AWS_CLI_PROFILE" ~/.aws/mfa.cfg | cut -d '=' -f2- | tr -d '"')
touch $EPHEMERAL_TOKEN_FILE
aws --profile $AWS_CLI_PROFILE sts get-session-token --duration 129600 \
--serial-number $ARN_OF_MFA --token-code $MFA_TOKEN_CODE --output text \
| awk '{printf("export AWS_ACCESS_KEY_ID=\"%s\"\nexport AWS_SECRET_ACCESS_KEY=\"%s\"\nexport AWS_SESSION_TOKEN=\"%s\"\n",$2,$4,$5)}' > $EPHEMERAL_TOKEN_FILE
echo "EPHEMERAL_TOKEN_GENERATED_AT=\"$(date '+%Y-%m-%d %H:%M:%S')\"" >> $EPHEMERAL_TOKEN_FILE
@goldblatt
Copy link

goldblatt commented Jan 3, 2020

had to chmod 744 mfa.sh but otherwise good to go

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment