@rch317
Created July 3, 2019 18:06
AWS MFA Script Explanation

So, the basics. First, my script assumes that you already have the AWS CLI tool configured and ready to go. That means you have an .aws directory with at least a config file and a credentials file:

.aws/credentials

[default]
aws_access_key_id = ANACCESSKEYIDGOESHERE
aws_secret_access_key = thesecretaccesskeygoesrighthere

.aws/config

[default]
output = json
region = us-east-2

The script will expect to see an [mfa] block in the .aws/credentials file, so add that:

.aws/credentials

[default]
aws_access_key_id = ANACCESSKEYIDGOESHERE
aws_secret_access_key = thesecretaccesskeygoesrighthere

[mfa]
output=json
region=us-east-2
aws_access_key_id=MFASCRIPTCHANGESTHIS
aws_secret_access_key=TheMFAScriptWillChangeThis
aws_session_token=TheMFAScriptWillChangeThistoo.....

When the mfa script executes it runs the following command:

aws sts get-session-token --serial-number arn:aws:iam::0123456789:mfa/rob.hough --token-code 123456 --output text

The --serial-number parameter must be YOUR MFA device serial number (its ARN), not mine, which is why you need to edit the script and modify the AWS_DEVICE variable.

The above command returns something like this (I'm showing the json output here):

{
    "Credentials": {
        "AccessKeyId": "ASIARDFLBAVZY6NA2WF4",
        "SecretAccessKey": "SCvMQzXASV5HxWseHqelgn8uZfcE2wT",
        "SessionToken": "FQoGZXIvYXdzEKP//////////wEaDEjgNotJmXKylgKwQSKwAS+VeJ0dwb9uQ3BX98cPFmblKn2rALPnw10lfcPKBJXd+COsQSnWLbgVcUpfNCXa0WwYicB25jxLVwtD3QhgnmL9Ni8Nw0u9oiFDHarDFwQEJb77K4IRQULce+kBrOz4mJYoWoTKkc6OV4HeXYsw0mpxRO7BbdLBed2Eckcuzzyoki/4FCaFAh4PJrhHXeKMfG8+gF",
        "Expiration": "2019-07-04T05:17:59Z"
    }
}

Using some sed-fu, I extract those values and save them to my credentials file, replacing everything AFTER the [mfa] line.

So, based on the credentials returned above, it would create a new [mfa] block in the credentials file that looks like this:

[mfa]
output=json
region=us-east-2
aws_access_key_id=ASIARDFLBAVZY6NA2WF4
aws_secret_access_key=SCvMQzXASV5HxWseHqelgn8uZfcE2wT
aws_session_token=FQoGZXIvYXdzEKP//////////wEaDEjgNotJmXKylgKwQSKwAS+VeJ0dwb9uQ3BX98cPFmblKn2rALPnw10lfcPKBJXd+COsQSnWLbgVcUpfNCXa0WwYicB25jxLVwtD3QhgnmL9Ni8Nw0u9oiFDHarDFwQEJb77K4IRQULce+kBrOz4mJYoWoTKkc6OV4HeXYsw0mpxRO7BbdLBed2Eckcuzzyoki/4FCaFAh4PJrhHXeKMfG8+gF

It also creates a ~/.token_file. I added this because some tools that I use pull the basic AWS environment variables instead of reading the credentials file, so this lets me import the same temporary credentials into my environment. An added bonus is the ability to source this file in various terminals without having to get a new token for each one.

$ source ~/.token_file

$ cat ~/.token_file
export AWS_ACCESS_KEY_ID="ASIARDFLBAVZY6NA2WF4"
export AWS_SECRET_ACCESS_KEY="SCvMQzXASV5HxWseHqelgn8uZfcE2wT"
export AWS_SESSION_TOKEN="FQoGZXIvYXdzEKP//////////wEaDEjgNotJmXKylgKwQSKwAS+VeJ0dwb9uQ3BX98cPFmblKn2rALPnw10lfcPKBJXd+COsQSnWLbgVcUpfNCXa0WwYicB25jxLVwtD3QhgnmL9Ni8Nw0u9oiFDHarDFwQEJb77K4IRQULce+kBrOz4mJYoWoTKkc6OV4HeXYsw0mpxRO7BbdLBed2Eckcuzzyoki/4FCaFAh4PJrhHXeKMfG8+gF"
export AWS_SECURITY_TOKEN="FQoGZXIvYXdzEKP//////////wEaDEjgNotJmXKylgKwQSKwAS+VeJ0dwb9uQ3BX98cPFmblKn2rALPnw10lfcPKBJXd+COsQSnWLbgVcUpfNCXa0WwYicB25jxLVwtD3QhgnmL9Ni8Nw0u9oiFDHarDFwQEJb77K4IRQULce+kBrOz4mJYoWoTKkc6OV4HeXYsw0mpxRO7BbdLBed2Eckcuzzyoki/4FCaFAh4PJrhHXeKMfG8+gF"
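The rewrite step described above (pull the three values out of the response, replace everything after the [mfa] line, write the token file), as an added POSIX shell example that is not the author's script. It takes the credentials and token file paths as parameters and parses a constructed sample response embedded in the block, so it runs against a scratch directory rather than ~/.aws; the function names json_field and update_mfa_creds are my own, not from the gist.

```shell
#!/bin/sh
# Added example, not the author's script: rewrite the [mfa] block and the token file
# from a get-session-token JSON response. The file paths are parameters so it can
# be run against a scratch directory; the sample response below is constructed.
set -eu

# Constructed sample response with placeholder values (not real credentials)
SAMPLE_JSON='{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID0001",
        "SecretAccessKey": "EXAMPLESECRETKEY",
        "SessionToken": "EXAMPLESESSIONTOKEN+/==",
        "Expiration": "2019-07-04T05:17:59Z"
    }
}'

# json_field NAME: print the string value of "NAME" from the JSON on stdin
json_field() {
  sed -n "s/^.*\"$1\": *\"\([^\"]*\)\".*$/\1/p" | head -n 1
}

# update_mfa_creds CREDS_FILE TOKEN_FILE  (reads the JSON response on stdin)
update_mfa_creds() {
  creds="$1"; tokenf="$2"; json="$(cat)"
  akid="$(printf '%s\n' "$json" | json_field AccessKeyId)"
  secret="$(printf '%s\n' "$json" | json_field SecretAccessKey)"
  token="$(printf '%s\n' "$json" | json_field SessionToken)"
  # Refuse to write a half-empty block if the response was not what we expected
  if [ -z "$akid" ] || [ -z "$secret" ] || [ -z "$token" ]; then
    echo "update_mfa_creds: response is missing a credential field" >&2; return 1
  fi
  grep -qx '\[mfa\]' "$creds" || { echo "no [mfa] block in $creds" >&2; return 1; }
  # Keep everything up to and including the [mfa] line, then append fresh values
  tmp="$(mktemp)"
  sed '/^\[mfa\]$/q' "$creds" > "$tmp"
  printf 'output=json\nregion=us-east-2\naws_access_key_id=%s\n' "$akid" >> "$tmp"
  printf 'aws_secret_access_key=%s\naws_session_token=%s\n' "$secret" "$token" >> "$tmp"
  chmod 600 "$tmp" && mv "$tmp" "$creds"
  # The token file carries the same secrets: create it owner-readable only
  ( umask 077; {
      printf 'export AWS_ACCESS_KEY_ID="%s"\nexport AWS_SECRET_ACCESS_KEY="%s"\n' "$akid" "$secret"
      printf 'export AWS_SESSION_TOKEN="%s"\nexport AWS_SECURITY_TOKEN="%s"\n' "$token" "$token"
    } > "$tokenf" )
  chmod 600 "$tokenf"
}
```

Unlike a bare sed one-liner, it refuses to write a half-filled block when a field is missing from the response, and it creates both files owner-readable only, since the token file holds the same secrets as the credentials file.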

Notes

On MY laptop, I make prolific use of dotfiles and have a directory called .vars. I just drop files into that directory and they get sourced every time I open a new terminal or log in. That works something like this:

### Load various environment vars
myVars="${HOME}/.vars"
# Glob instead of parsing ls output, so file names with spaces are handled correctly
for file in "${myVars}"/*
  do
    # Only source regular, readable files (this also skips subdirectories and the
    # literal pattern left behind when the glob matches nothing)
    if [[ -r "${file}" ]] && [[ -f "${file}" ]]; then
      source "${file}"
    fi
  done
unset file

By saving my .token_file to ~/.vars, these variables are always set for me.
