@tgaff
Last active November 27, 2023 16:40
mfa authentication in aws

multi-factor authentication for aws cli and eb cli commands

tldr

  1. get YOUR_MFA_SERIAL from IAM web console.
  2. get YOUR_MFA_CODE from your MFA device/app.
  3. aws sts get-session-token --serial-number YOUR_MFA_SERIAL --token-code YOUR_MFA_CODE --duration-seconds 129600
  4. Edit `~/.aws/credentials`, adding or editing an [mfa] section:
    [mfa]
    output = json
    region = us-east-1
    aws_access_key_id =  FILL IN
    aws_secret_access_key =  FILL IN
    aws_session_token =  FILL IN
    
  5. run aws/eb commands with --profile mfa

full text

Your AWS access key ID, secret access key and (for temporary credentials) session token are normally stored in ~/.aws/credentials. The aws and eb commands share this file.

When AWS CLI or EB CLI require that you use MFA, make the following adjustments:

First, assuming you have already set up MFA on your AWS account (if you haven't, you can add a device in the same place):

  1. browse to IAM in the AWS web console. https://console.aws.amazon.com/iam/home?region=us-east-1
  2. select users and choose yourself.
  3. In the Security Credentials tab, find your Assigned MFA device (or click Manage to add one)
  4. Copy the MFA device serial number. It should look like: arn:aws:iam::99123456789:mfa/iam.user

Hang onto this serial number.

generate temporary MFA auth'd credentials

Open your MFA device/app etc and get a code.

Using the MFA serial you copied, run in your shell:

aws sts get-session-token --serial-number YOUR_MFA_SERIAL --token-code YOUR_MFA_CODE --duration-seconds 129600

Replace YOUR_MFA_CODE with the code you just read from your device and YOUR_MFA_SERIAL with the serial from the IAM console. The flag is --duration-seconds (the CLI does not accept a bare --duration); 129600 seconds is 36 hours, the maximum AWS allows for an IAM user. Two caveats: run this with your long-term keys (the [default] profile here), because the session credentials that get-session-token returns cannot themselves call get-session-token, so renewing after expiry means repeating this step with [default]; and if you run it as the account root user the maximum duration is one hour, so use an IAM user.

This command dumps some JSON that looks like:

{
    "Credentials": {
        "AccessKeyId": "ASIABLAHBLAHBLAHBLAH",
        "SecretAccessKey": "FZW3S7Ua6j23kl9/uu+9WpNFAKEFAKEFAKEFAKETA",
        "SessionToken": "FAKEXYWUFXdzEOX//////////wEaDDG+FAKE241+4NpvUzdhjDEHJw0e6yKwAVjTA7GRiGDwFY241+4NzHMD+DDpvUzdhjDEHJw0NyQOYSANE9z4V/Zbz0RQFYatLwn3mirnZnSPld1IeTWZhB21cnVLnDtpVJPOAJjIwkeouaho4NszUPzPJeVZNTu8mPyPVgGRMhDd7M43yCOqhvZY4GI771D1QMzvvb5TGl0w9QTepKS5NpLDrwNVewJ4F",
        "Expiration": "2018-10-13T07:24:20Z"
    }
}

edit the credentials file

In your editor open ~/.aws/credentials.

You should see a section like:

[default]
aws_access_key_id = AKIBLABLBAHBLAHLPA
aws_secret_access_key = rf783alkjfioun3FiuF4SnC/9oweoJ+l

Add a section below that using the details from the JSON output.

[mfa]
output = json
region = us-east-1
aws_access_key_id =  ASIABLAHBLAHBLAHBLAH
aws_secret_access_key = FZW3S7Ua6j23kl9/uu+9WpNFAKEFAKEFAKEFAKETA
aws_session_token = FAKEXYWUFXdzEOX//////////wEaDDG+FAKE241+4NpvUzdhjDEHJw0e6yKwAVjTA7GRiGDwFY241+4NzHMD+DDpvUzdhjDEHJw0NyQOYSANE9z4V/Zbz0RQFYatLwn3mirnZnSPld1IeTWZhB21cnVLnDtpVJPOAJjIwkeouaho4NszUPzPJeVZNTu8mPyPVgGRMhDd7M43yCOqhvZY4GI771D1QMzvvb5TGl0w9QTepKS5NpLDrwNVewJ4F

Finally, run any aws or eb command with --profile mfa, for example:

aws sts get-caller-identity --profile mfa
eb status --profile mfa

Once the Expiration time from the JSON passes, the [mfa] keys stop working: repeat the get-session-token step (with the [default] keys) and paste in the new values.
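The procedure above, automated as a POSIX sh script. This is an added example and is not code from the gist or from AWS: it assumes the aws CLI is on PATH and that your long-term keys are in the [default] profile; the script name aws-mfa.sh and the MFA serial in the usage comment are placeholders. The aws invocations are standard CLI calls (AWS_SHARED_CREDENTIALS_FILE is the CLI's own override for the credentials file location); the awk-based rewrite of the [mfa] section is the part added here, and it writes the file with mode 0600 so the session token is not world-readable.

```shell
#!/bin/sh
# Added example, not part of the gist: automate the get-session-token / [mfa] profile steps.
# Assumes the aws CLI is on PATH and the long-term keys live in the [default] profile.
# AWS_SHARED_CREDENTIALS_FILE is the CLI's own override for the credentials file location.
set -eu

CREDS_FILE="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"

# write_mfa_profile FILE ACCESS_KEY_ID SECRET_KEY SESSION_TOKEN EXPIRATION
# Rewrites FILE with any existing [mfa] section removed and a fresh one appended,
# leaving every other profile (e.g. [default]) untouched. The new file is created
# under umask 077, i.e. mode 0600, because the session token is a credential too.
write_mfa_profile() {
    file=$1; akid=$2; secret=$3; token=$4; expires=$5
    tmp="$file.tmp.$$"
    umask 077
    if [ -f "$file" ]; then
        # drop lines from a "[mfa]" header up to (not including) the next "[...]" header
        awk '/^\[/ { skip = ($0 == "[mfa]") } !skip { print }' "$file" > "$tmp"
    else
        : > "$tmp"
    fi
    [ -s "$tmp" ] && printf '\n' >> "$tmp"
    {
        printf '[mfa]\n'
        printf '# session expires %s\n' "$expires"
        printf 'output = json\n'
        printf 'region = us-east-1\n'
        printf 'aws_access_key_id = %s\n' "$akid"
        printf 'aws_secret_access_key = %s\n' "$secret"
        printf 'aws_session_token = %s\n' "$token"
    } >> "$tmp"
    mv "$tmp" "$file"
}

# fetch_session_creds MFA_SERIAL TOKEN_CODE [DURATION_SECONDS]
# Calls STS with the long-term [default] keys and prints the four credential
# fields tab-separated on one line (--output text flattens the --query list).
fetch_session_creds() {
    serial=$1; code=$2; duration=${3:-129600}   # 129600 s = 36 h, the IAM-user maximum
    aws sts get-session-token --profile default \
        --serial-number "$serial" --token-code "$code" --duration-seconds "$duration" \
        --output text --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]'
}

# Usage (placeholder serial): ./aws-mfa.sh arn:aws:iam::123456789012:mfa/iam.user 123456
main() {
    serial=$1; code=$2
    set -- $(fetch_session_creds "$serial" "$code")    # split the tab-separated line into $1..$4
    [ $# -eq 4 ] || { echo "unexpected STS output" >&2; exit 1; }
    write_mfa_profile "$CREDS_FILE" "$1" "$2" "$3" "$4"
    # Confirm the session profile works and show which identity it carries.
    aws sts get-caller-identity --profile mfa
}

if [ $# -eq 2 ]; then
    main "$@"
fi
```

Run it once per session with the serial and a fresh code; when the session expires, run it again and it replaces the [mfa] section in place rather than appending a second one.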

ndp commented Oct 27, 2018

copying to company wiki


lane-eb commented Sep 9, 2020

Many thanks. Saved me a lot of time.
