Backtick Knowledge Base

MFA

MFA using AWS access keys

Using the AWS CLI on accounts with MFA enabled requires the user to obtain temporary credentials from STS. For this, we've created a script that opens a 12-hour session in the current shell and generates the authenticator code automatically.

Usage

$ authaws
Installing dependencies if needed...
Removing existing env variables...
Obtaining AWS session credentials for user: <aws_iam_username>
Success

Install

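Create a function that sources the script in your shell configuration file (.zshrc, .bash_profile, etc.). The script has to be sourced rather than executed so that the exported variables end up in the current shell.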

function authaws() {
        . ./authaws.sh <aws_master_account_id> <aws_iam_username> <aws_totp_secret>
}

Create the script file - e.g. authaws.sh

#!/bin/bash

AWS_IAM_USERNAME=""
AWS_TOTP_SECRET=""
AWS_ACCOUNT_ID=""

function __clear_env() {
  echo "Removing existing env variables..."

  # Unset existing environment variables
  unset AWS_SESSION_TOKEN
  unset AWS_SECRET_ACCESS_KEY
  unset AWS_ACCESS_KEY_ID
}

function __get_aws_credentials() {
  echo "Obtaining AWS session credentials for user: $AWS_IAM_USERNAME"

  # Generate the current TOTP code and build the ARN of the MFA device
  code=$(oathtool --base32 --totp "$AWS_TOTP_SECRET")
  mfa="arn:aws:iam::$AWS_ACCOUNT_ID:mfa/$AWS_IAM_USERNAME"

  # Get the credentials from AWS and store the response in a variable
  if ! creds=$(aws sts get-session-token --duration-seconds 43200 --serial-number "$mfa" --token-code "$code"); then
    echo "Failed to obtain session credentials"
    return 1
  fi

  # Parse the response and set environment variables -- jq -r prints raw strings without quotation marks
  export AWS_ACCESS_KEY_ID=$(echo "$creds" | jq -r .Credentials.AccessKeyId)
  export AWS_SECRET_ACCESS_KEY=$(echo "$creds" | jq -r .Credentials.SecretAccessKey)
  export AWS_SESSION_TOKEN=$(echo "$creds" | jq -r .Credentials.SessionToken)

  echo "Success"
}

function __install_dependencies() {
  echo "Installing dependencies if needed..."

  # Check if jq is installed, else install - required to parse the response from aws sts
  type jq >/dev/null 2>&1 || brew install jq

  # Check if oathtool is installed, else install - required for MFA TOTP code generation
  type oathtool >/dev/null 2>&1 || brew install oath-toolkit
}

if [[ -z $1 ]] || [[ -z $2 ]] || [[ -z $3 ]] ; then
  echo "Invalid args: aws_account_id aws_iam_username aws_totp_secret"
else
  AWS_ACCOUNT_ID=$1
  AWS_IAM_USERNAME=$2
  AWS_TOTP_SECRET=$3
  __install_dependencies
  __clear_env
  __get_aws_credentials
fi

You'll find the TOTP secret in the "Add MFA device" menu.
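
The install step above keeps the TOTP secret in plaintext in the shell configuration file. The variant below is an added example, not part of the original script: it reads the secret from a file that must have mode 600 or 400, and it leaves the current environment untouched if the STS call fails. The names authaws_file and _authaws_mode and the secret-file argument are assumptions.

```shell
# Added example, not the page's script. authaws_file and the secret-file
# argument are assumed names. Source this file so the exports reach your shell.

# Print a file's permission bits in octal: GNU stat first, then BSD/macOS stat.
_authaws_mode() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null
}

# usage: authaws_file <aws_account_id> <aws_iam_username> <totp_secret_file>
authaws_file() {
  if [ "$#" -ne 3 ]; then
    echo "Invalid args: aws_account_id aws_iam_username totp_secret_file" >&2
    return 2
  fi
  _aa_mfa="arn:aws:iam::$1:mfa/$2"

  # Refuse a secret file that group or others can access.
  _aa_mode=$(_authaws_mode "$3") || { echo "Cannot stat $3" >&2; return 1; }
  case "$_aa_mode" in
    600|400) ;;
    *) echo "Refusing $3: mode $_aa_mode, expected 600 or 400" >&2; return 1 ;;
  esac
  _aa_secret=$(tr -d '[:space:]' < "$3")
  _aa_code=$(oathtool --base32 --totp "$_aa_secret") || { unset _aa_secret; return 1; }
  unset _aa_secret

  # The command substitution is a subshell: the old session is dropped only for
  # this call (STS must be signed with the long-term keys), so a failure leaves
  # the caller's environment untouched. --query with --output text returns the
  # three values tab-separated, so jq is not needed.
  _aa_out=$(
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    aws sts get-session-token --duration-seconds 43200 \
      --serial-number "$_aa_mfa" --token-code "$_aa_code" \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
  ) || { echo "STS call failed, environment unchanged" >&2; return 1; }

  read -r _aa_ak _aa_sk _aa_st <<EOF
$_aa_out
EOF
  if [ -z "$_aa_ak" ] || [ -z "$_aa_sk" ] || [ -z "$_aa_st" ]; then
    echo "Unexpected STS response, environment unchanged" >&2
    return 1
  fi
  export AWS_ACCESS_KEY_ID="$_aa_ak" AWS_SECRET_ACCESS_KEY="$_aa_sk" AWS_SESSION_TOKEN="$_aa_st"
  unset _aa_ak _aa_sk _aa_st _aa_out _aa_code
  echo "Success"
}
```

Create the secret file once with chmod 600 and pass its path as the third argument in place of the secret itself.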


Last updated 5 years ago