@pjstein
Forked from anniejw6/alias.sh
Last active April 29, 2020 17:26
MFA for the AWS cli

AWS MFA

Use the tools in this gist to use MFA Authentication from the command line.

Install

  1. Install the AWS CLI (https://docs.aws.amazon.com/cli/latest/userguide/install-cliv1.html).
  2. On your AWS Account Page, generate your access keys ("My Security Credentials" > "Access keys for CLI, SDK, & API access" > "Create Access Key").
  3. Run aws configure. When it asks for your "AWS Access Key ID" and "AWS Secret Access Key", use the values generated in [2].
  4. Place mfa-commands.sh, mfa.cfg, and mfa.sh in ~/.aws/.
  5. chmod +x ~/.aws/mfa.sh ~/.aws/mfa-commands.sh (a single & would background the first chmod; use one command or &&).
  6. Update ~/.aws/mfa.cfg, replacing the values for <MY AWS ACCOUNT ID> and <MY AWS USER> with those for your account. You can find these in your "User ARN" (arn:aws:iam::<account id>:user/<user>) on your AWS Account Page; the MFA device ARN uses the same account ID and user name.
  7. Add source ~/.aws/mfa-commands.sh to the end of your ~/.bashrc, ~/.bash_profile, or ~/.zshrc.
  8. source ~/<FILE FROM [7]>

Usage

  1. Get an MFA token from your authenticator app.
  2. Invoke aws-mfa <MFA TOKEN FROM [1]>. Pass a profile name as a second argument if your keys are not under the default profile.

Usage

➜  aws-mfa git:(master) ✗ aws-mfa
Usage: /Users/peterstein/.aws/mfa.sh <MFA_TOKEN_CODE> <AWS_CLI_PROFILE>
Where:
  <MFA_TOKEN_CODE> = Code from virtual MFA device
  <AWS_CLI_PROFILE> = aws-cli profile usually in /Users/peterstein/.aws/config

Success

➜  aws-mfa git:(master) ✗ aws-mfa 111111
We've set your credentials in this shell
Generated at: '2020-01-03 17:42:36'
These credentials are valid for *36 hours*

Notes on Effective Usage

  • Your credentials are only valid in the shell in which you invoked aws-mfa, because they are exported as environment variables. To use those credentials in another shell, run aws-mfa-reup, which sources the saved token file.
  • ~/.aws/ephemeral-token holds the live session credentials in plain text. Keep it readable by your user only (mode 0600) and treat it like any other secret on disk.
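The install and usage steps above boil down to one flow: take a code from the authenticator, call sts get-session-token with the MFA device serial, write the three AWS_* variables to a file, and source that file in each shell that needs them. The following is an added example, not code from the gist, showing that same flow with the checks a practitioner would want: the token code is validated before it is sent, the STS fields are selected with --query instead of relying on column order, a failed STS call leaves no half-written file, the cache is created mode 0600, and the expiry is stored so a later shell can tell whether the cached session is still usable. The function names, the AWS_SESSION_EXPIRATION variable, the cache-file path and the sample STS output line in the test are this example's own choices, not part of the original scripts.

```shell
#!/bin/sh
# Added example (not part of the gist). Written in POSIX sh so it also runs
# under bash; source it from your shell rc like mfa-commands.sh.

# A virtual MFA device (TOTP) emits exactly six digits; refuse anything else
# before it ever reaches STS.
valid_token_code() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Turn the single tab-separated line printed by
#   aws sts get-session-token --output text \
#     --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]'
# (read from stdin) into export statements. Fails if any field is missing, so a
# failed or truncated STS response never becomes a half-written credential file.
creds_to_exports() {
  local key secret token expiry
  IFS="$(printf '\t')" read -r key secret token expiry || true
  [ -n "$key" ] && [ -n "$secret" ] && [ -n "$token" ] && [ -n "$expiry" ] || return 1
  printf 'export AWS_ACCESS_KEY_ID="%s"\n' "$key"
  printf 'export AWS_SECRET_ACCESS_KEY="%s"\n' "$secret"
  printf 'export AWS_SESSION_TOKEN="%s"\n' "$token"
  printf 'export AWS_SESSION_EXPIRATION="%s"\n' "$expiry"
}

# Exit 0 when the ISO-8601 UTC expiry given as $1 is already in the past.
# STS returns expiries such as 2020-01-04T05:42:36Z (CLI v1) or
# 2020-01-04T05:42:36+00:00 (CLI v2); the first 19 characters decide a plain
# string comparison, so no date parsing is needed. Assumes UTC on both sides.
session_expired() {
  expr "$1" \< "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >/dev/null
}

# Fetch a session and write it to a cache file readable only by the owner.
# Needs network access and a configured profile, so it is not exercised offline.
# Usage: aws_mfa_session <token-code> <mfa-serial-arn> [profile] [cache-file]
aws_mfa_session() {
  local code serial profile cache line
  code=$1; serial=$2; profile=${3:-default}; cache=${4:-$HOME/.aws/ephemeral-token}
  valid_token_code "$code" || { echo "MFA token code must be six digits" >&2; return 2; }
  # Capture first: with a bare pipeline the exit status of aws would be lost.
  line=$(aws --profile "$profile" sts get-session-token \
      --duration-seconds 43200 --serial-number "$serial" --token-code "$code" \
      --output text --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]') \
    || return 1
  # Write under umask 077 to a temp file and rename, so the secrets are never
  # exposed through a file created with the default umask.
  (umask 077; printf '%s\n' "$line" | creds_to_exports > "$cache.tmp") \
    || { rm -f "$cache.tmp"; return 1; }
  mv -f "$cache.tmp" "$cache"
}

# Load a cached session into the current shell, but only while it is valid.
# Usage: aws_mfa_reuse [cache-file]
aws_mfa_reuse() {
  local cache
  cache=${1:-$HOME/.aws/ephemeral-token}
  [ -r "$cache" ] || { echo "no cached session; run aws_mfa_session" >&2; return 1; }
  . "$cache"
  if session_expired "$AWS_SESSION_EXPIRATION"; then
    echo "cached session expired at $AWS_SESSION_EXPIRATION; run aws_mfa_session" >&2
    return 1
  fi
}
```

In a shell that has sourced the file, aws_mfa_session 123456 arn:aws:iam::<account id>:mfa/<user> replaces the aws-mfa step, and aws_mfa_reuse replaces aws-mfa-reup but refuses a cache whose expiry has passed instead of silently exporting dead credentials. The 43200-second duration is the STS default of 12 hours; raise it up to 129600 if you want the 36 hours mfa.sh requests.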
mfa-commands.sh

#!/usr/bin/env bash
# Sourced from your shell rc; defines the aws-mfa, aws-mfa-reup and
# aws-mfa-print-info functions.
aws-mfa-print-info()
{
    echo "We've set your credentials in this shell"
    echo "Generated at: '${EPHEMERAL_TOKEN_GENERATED_AT}'"
    # mfa.sh requests a 129600-second session, i.e. 36 hours.
    echo "These credentials are valid for *36 hours*"
    unset EPHEMERAL_TOKEN_GENERATED_AT
}
aws-mfa()
{
    # Pass the arguments through quoted and only source the token file when
    # mfa.sh succeeded.
    if ~/.aws/mfa.sh "$@"; then
        source ~/.aws/ephemeral-token
        aws-mfa-print-info
    fi
}
aws-mfa-reup()
{
    if [ -f "${HOME}/.aws/ephemeral-token" ]; then
        source ~/.aws/ephemeral-token
        aws-mfa-print-info
    else
        echo "Could not find your ephemeral token. Run aws-mfa to generate a new ephemeral token"
    fi
}
mfa.cfg

default="arn:aws:iam::<MY AWS ACCOUNT ID>:mfa/<MY AWS USER>"
mfa.sh

#!/usr/bin/env bash
#
# Sample for getting temp session token from AWS STS
#
# aws --profile youriamuser sts get-session-token --duration-seconds 3600 \
#     --serial-number arn:aws:iam::012345678901:mfa/user --token-code 012345
#
# Once the temp token is obtained, you'll need to feed the following environment
# variables to the aws-cli:
#
# export AWS_ACCESS_KEY_ID='KEY'
# export AWS_SECRET_ACCESS_KEY='SECRET'
# export AWS_SESSION_TOKEN='TOKEN'

# Check for the CLI directly; testing $? after an unrelated assignment, as the
# original did, never detects a missing binary.
if ! command -v aws >/dev/null 2>&1; then
    echo "AWS CLI is not installed; exiting"
    exit 1
fi
EPHEMERAL_TOKEN_FILE="${HOME}/.aws/ephemeral-token"

if [[ $# -ne 1 && $# -ne 2 ]]; then
    echo "Usage: $0 <MFA_TOKEN_CODE> <AWS_CLI_PROFILE>"
    echo "Where:"
    echo "  <MFA_TOKEN_CODE> = Code from virtual MFA device"
    echo "  <AWS_CLI_PROFILE> = aws-cli profile usually in $HOME/.aws/config"
    exit 2
fi

if [ ! -r ~/.aws/mfa.cfg ]; then
    echo "No config found. Please create your mfa.cfg. See README.txt for more info."
    exit 2
fi

AWS_CLI_PROFILE=${2:-default}
MFA_TOKEN_CODE=$1
# Anchor on "name=" so that "default" does not also match a "default2" entry.
ARN_OF_MFA=$(grep "^${AWS_CLI_PROFILE}=" ~/.aws/mfa.cfg | cut -d '=' -f2- | tr -d '"')
if [ -z "$ARN_OF_MFA" ]; then
    echo "No MFA device ARN for profile '${AWS_CLI_PROFILE}' in ~/.aws/mfa.cfg"
    exit 2
fi

# 129600 seconds (36 hours) is the maximum STS allows GetSessionToken with IAM
# user credentials; the documented option name is --duration-seconds. Capture
# the output first: in a pipeline the exit status of aws is lost, and a wrong
# code or expired keys would silently produce an empty credential file.
if ! STS_OUTPUT=$(aws --profile "$AWS_CLI_PROFILE" sts get-session-token --duration-seconds 129600 \
        --serial-number "$ARN_OF_MFA" --token-code "$MFA_TOKEN_CODE" --output text); then
    echo "sts get-session-token failed; no credentials written"
    exit 1
fi

# The file holds live credentials: recreate it readable by the owner only.
umask 077
rm -f "$EPHEMERAL_TOKEN_FILE"
# Text output lists the Credentials fields alphabetically on one line:
#   CREDENTIALS  AccessKeyId  Expiration  SecretAccessKey  SessionToken
printf '%s\n' "$STS_OUTPUT" \
    | awk '{printf("export AWS_ACCESS_KEY_ID=\"%s\"\nexport AWS_SECRET_ACCESS_KEY=\"%s\"\nexport AWS_SESSION_TOKEN=\"%s\"\n",$2,$4,$5)}' > "$EPHEMERAL_TOKEN_FILE"
echo "EPHEMERAL_TOKEN_GENERATED_AT=\"$(date '+%Y-%m-%d %H:%M:%S')\"" >> "$EPHEMERAL_TOKEN_FILE"
@goldblatt

had to chmod 744 mfa.sh but otherwise good to go
