- Get YOUR_MFA_SERIAL from the IAM web console.
- Get YOUR_MFA_CODE from your MFA device/app.
- Request a session token:

```
aws sts get-session-token --serial-number YOUR_MFA_SERIAL --token-code YOUR_MFA_CODE --duration-seconds 129600
```

- Edit `~/.aws/credentials`, adding or editing an `[mfa]` section:

```
[mfa]
output = json
region = us-east-1
aws_access_key_id = FILL IN
aws_secret_access_key = FILL IN
aws_session_token = FILL IN
```

- Run aws/eb commands with `--profile mfa`.
The AWS access key and token are usually stored in `~/.aws/credentials`. This location is shared by the `aws` and `eb` commands.
When the AWS CLI or EB CLI requires that you use MFA, make the following adjustments:
First, assuming you've already set up MFA on Amazon (or if you haven't, you can set it up here):
- Browse to IAM in the AWS web console: https://console.aws.amazon.com/iam/home?region=us-east-1
- Select Users and choose yourself.
- In the Security Credentials tab, find your Assigned MFA device (or click Manage to add one).
- Copy the MFA device serial number. It should look like `arn:aws:iam::99123456789:mfa/iam.user`.
Hang onto this serial number.
Open your MFA device/app and get a code.
Using your MFA device serial number, execute in your console:

```
aws sts get-session-token --serial-number YOUR_MFA_SERIAL --token-code YOUR_MFA_CODE --duration-seconds 129600
```

Be sure to replace YOUR_MFA_CODE with the MFA code you just retrieved, and YOUR_MFA_SERIAL with the serial from the Amazon web console. `--duration-seconds 129600` is 36 hours, which is the maximum Amazon allows.
This command prints JSON that looks like:

```
{
    "Credentials": {
        "AccessKeyId": "ASIABLAHBLAHBLAHBLAH",
        "SecretAccessKey": "FZW3S7Ua6j23kl9/uu+9WpNFAKEFAKEFAKEFAKETA",
        "SessionToken": "FAKEXYWUFXdzEOX//////////wEaDDG+FAKE241+4NpvUzdhjDEHJw0e6yKwAVjTA7GRiGDwFY241+4NzHMD+DDpvUzdhjDEHJw0NyQOYSANE9z4V/Zbz0RQFYatLwn3mirnZnSPld1IeTWZhB21cnVLnDtpVJPOAJjIwkeouaho4NszUPzPJeVZNTu8mPyPVgGRMhDd7M43yCOqhvZY4GI771D1QMzvvb5TGl0w9QTepKS5NpLDrwNVewJ4F",
        "Expiration": "2018-10-13T07:24:20Z"
    }
}
```
In your editor, open `~/.aws/credentials`.
You should see a section like:
```
[default]
aws_access_key_id = AKIBLABLBAHBLAHLPA
aws_secret_access_key = rf783alkjfioun3FiuF4SnC/9oweoJ+l
```
Add a section below that using the details from the JSON output.
```
[mfa]
output = json
region = us-east-1
aws_access_key_id = ASIABLAHBLAHBLAHBLAH
aws_secret_access_key = FZW3S7Ua6j23kl9/uu+9WpNFAKEFAKEFAKEFAKETA
aws_session_token = FAKEXYWUFXdzEOX//////////wEaDDG+FAKE241+4NpvUzdhjDEHJw0e6yKwAVjTA7GRiGDwFY241+4NzHMD+DDpvUzdhjDEHJw0NyQOYSANE9z4V/Zbz0RQFYatLwn3mirnZnSPld1IeTWZhB21cnVLnDtpVJPOAJjIwkeouaho4NszUPzPJeVZNTu8mPyPVgGRMhDd7M43yCOqhvZY4GI771D1QMzvvb5TGl0w9QTepKS5NpLDrwNVewJ4F
```
Finally, you should be able to log in using aws or eb by doing:

```
aws --profile mfa
eb --profile mfa
```
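The manual copy from the STS JSON into the `[mfa]` section can be scripted. This is an added example, not part of the original page: the function name `write_mfa_profile`, the script name in the usage comment, and the sample JSON values are assumptions constructed for illustration. It refuses an already expired token, keeps the other profiles intact, and writes the file with owner-only permissions.

```python
import configparser
import json
import os
import sys
from datetime import datetime, timezone

# Constructed sample in the shape `aws sts get-session-token` prints; all values are fake.
SAMPLE_STS_JSON = """
{"Credentials": {
  "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
  "SecretAccessKey": "fake/secret+key/EXAMPLE",
  "SessionToken": "FAKE//token+EXAMPLE==",
  "Expiration": "2018-10-13T07:24:20Z"}}
"""

def write_mfa_profile(sts_json, credentials_path, profile="mfa",
                      region="us-east-1", now=None):
    """Copy temporary credentials from STS JSON into [profile]; return the expiry."""
    creds = json.loads(sts_json)["Credentials"]
    # Accept both the "...Z" and "...+00:00" timestamp spellings.
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expires <= (now or datetime.now(timezone.utc)):
        raise ValueError("session token expired at " + creds["Expiration"])
    # RawConfigParser does no % interpolation, so secrets are stored verbatim.
    # Caveat: comments in the existing credentials file are lost on rewrite.
    cfg = configparser.RawConfigParser()
    cfg.read(credentials_path)  # keeps [default] and any other profiles
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    for key, value in (("output", "json"), ("region", region),
                       ("aws_access_key_id", creds["AccessKeyId"]),
                       ("aws_secret_access_key", creds["SecretAccessKey"]),
                       ("aws_session_token", creds["SessionToken"])):
        cfg.set(profile, key, value)
    # Write a private temp file, then swap it in, so the credentials file is
    # never left half-written or readable by other users.
    tmp_path = credentials_path + ".tmp"
    fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tightens a stale temp file that already existed
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.replace(tmp_path, credentials_path)
    return expires

if __name__ == "__main__":
    # Usage: aws sts get-session-token ... | python3 write_mfa_profile.py
    path = os.path.expanduser("~/.aws/credentials")
    print("mfa profile valid until", write_mfa_profile(sys.stdin.read(), path))
```

Because the token expires after at most 36 hours, rerun the script with fresh `get-session-token` output whenever commands with `--profile mfa` start failing with expired-token errors.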
copying to company wiki