MFA

MFA using AWS access keys

Using the AWS CLI on accounts with MFA enabled requires the user to obtain temporary credentials from STS. For this we've created a script that opens a 12 hour session in the current shell and generates the authenticator (TOTP) code automatically, so no code has to be typed in by hand.

Usage

$ authaws
Installing dependencies if needed...
Removing existing env variables...
Obtaining AWS session credentials for user: <aws_iam_username>
Success

Install

Add a function that sources the script to your shell configuration file (.zshrc, .bash_profile, etc.):

function authaws() {
  # Source (not execute) the script so its exports apply to the current shell;
  # the path is resolved from wherever authaws is run
  . ./authaws.sh <aws_master_account_id> <aws_iam_username> <aws_totp_secret>
}

Create the script file (e.g. authaws.sh):

#!/bin/bash
# This file is sourced (". ./authaws.sh ...") rather than executed, so the
# exports land in the calling shell. Do not add `set -e` here: it would
# apply to the interactive shell that sources the file.

AWS_IAM_USERNAME=""
AWS_TOTP_SECRET=""
AWS_ACCOUNT_ID=""

function __clear_env() {
  echo "Removing existing env variables..."

  # Unset existing environment variables so the STS call below uses the
  # long-term keys from the credentials file rather than a stale session
  unset AWS_SESSION_TOKEN
  unset AWS_SECRET_ACCESS_KEY
  unset AWS_ACCESS_KEY_ID
}

function __get_aws_credentials() {
  echo "Obtaining AWS session credentials for user: $AWS_IAM_USERNAME"

  local code mfa creds
  # Generate the current TOTP code from the base32 secret (the same code an authenticator app shows)
  code=$(oathtool --base32 --totp "$AWS_TOTP_SECRET") || return 1
  mfa="arn:aws:iam::$AWS_ACCOUNT_ID:mfa/$AWS_IAM_USERNAME"

  # Get 12 hour (43200 s) session credentials from AWS and store the response in a variable
  creds=$(aws sts get-session-token --duration-seconds 43200 --serial-number "$mfa" --token-code "$code") || {
    echo "Failed to obtain session credentials" >&2
    return 1
  }

  # Parse the response and set environment variables; jq -r prints the raw
  # strings without quotation marks, so no sed stripping is needed
  export AWS_ACCESS_KEY_ID=$(printf '%s' "$creds" | jq -r .Credentials.AccessKeyId)
  export AWS_SECRET_ACCESS_KEY=$(printf '%s' "$creds" | jq -r .Credentials.SecretAccessKey)
  export AWS_SESSION_TOKEN=$(printf '%s' "$creds" | jq -r .Credentials.SessionToken)

  echo "Success"
}

function __install_dependencies() {
  echo "Installing dependencies if needed..."

  # Check if jq is installed, else install via Homebrew - required to parse the response from aws sts
  type jq >/dev/null 2>&1 || brew install jq

  # Check if oathtool is installed, else install via Homebrew - required for MFA TOTP code generation
  type oathtool >/dev/null 2>&1 || brew install oath-toolkit
}

if [[ -z $1 ]] || [[ -z $2 ]] || [[ -z $3 ]] ; then
  echo "Invalid args. Usage: authaws.sh aws_account_id aws_iam_username aws_totp_secret" >&2
else
  AWS_ACCOUNT_ID=$1
  AWS_IAM_USERNAME=$2
  AWS_TOTP_SECRET=$3
  __install_dependencies
  __clear_env
  __get_aws_credentials
fi
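The script's two moving parts written out in Python, as an added example that is not part of the original page: the RFC 6238 TOTP computation that `oathtool --base32 --totp` performs, and the mapping of the `get-session-token` response onto the three exported variables. It goes slightly beyond the script by rejecting a response whose Expiration has already passed and by shell-quoting the export lines. The STS response, the account id and the user name are constructed placeholders; the TOTP secret used in the demo is the public RFC 6238 test vector, so the printed code can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import json
import shlex
import struct
import time
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed sample of what `aws sts get-session-token` prints; the values are
# placeholders, not real credentials.
SAMPLE_STS_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEACCESSKEY",
        "SecretAccessKey": "exampleSecretAccessKey",
        "SessionToken": "exampleSessionToken",
        "Expiration": "2099-01-01T12:00:00+00:00",
    }
})


def _decode_secret(base32_secret: str) -> bytes:
    # IAM shows the secret as base32; tolerate spaces, lower case and missing padding
    s = base32_secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(base32_secret: str, for_time: Optional[int] = None,
         digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the same code `oathtool --base32 --totp` prints."""
    if for_time is None:
        for_time = int(time.time())
    counter = struct.pack(">Q", for_time // step)          # 8-byte big-endian time step
    mac = hmac.new(_decode_secret(base32_secret), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def mfa_serial(account_id: str, iam_username: str) -> str:
    """Serial number of the user's virtual MFA device, as passed to --serial-number."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError("AWS account id must be 12 digits")
    return f"arn:aws:iam::{account_id}:mfa/{iam_username}"


def session_exports(sts_response_json: str,
                    now: Optional[datetime] = None) -> Dict[str, str]:
    """Map the GetSessionToken response onto the three variables the script exports,
    refusing a response whose credentials have already expired."""
    creds = json.loads(sts_response_json)["Credentials"]
    # CLI v1 prints a trailing 'Z', CLI v2 prints '+00:00'; accept both
    expiration = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if now is None:
        now = datetime.now(timezone.utc)
    if expiration <= now:
        raise ValueError(f"session credentials expired at {expiration.isoformat()}")
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def format_exports(env: Dict[str, str]) -> str:
    """Render the variables as shell `export` lines, quoted so that a token containing
    shell-significant characters cannot break the line when it is sourced."""
    return "\n".join(f"export {k}={shlex.quote(v)}" for k, v in env.items())


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"), so the code can be checked
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("TOTP at T=59:", totp(rfc_secret, 59))             # 287082
    print(mfa_serial("123456789012", "alice"))                # constructed account id / user
    print(format_exports(session_exports(SAMPLE_STS_RESPONSE)))
```

Running the file prints the RFC test code, the MFA serial ARN the script builds from account id and user name, and the three export lines derived from the constructed response; swapping `rfc_secret` for your own base32 secret is a quick way to confirm the secret was copied correctly before wiring it into the shell function.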

You'll find the TOTP secret in the "Add MFA device" menu.
