aws-mfa
A small tool to help with MFA on the AWS CLI
Installation
Check the releases page for a binary that supports your system.
For Mac M series users, you can use the darwin_arm64 binary. For all Mac users, you'll also need to allow the execution of the tool in your security center.
Add the binary to somewhere that is available in your PATH variable. Then make it executable. I would recommend chmod 550 aws_mfa for Mac and Linux users.
Usage
The tool relies on 2 different accounts being available in your ~/.aws/credentials file.
The source account will be used to generate the MFA token. The destination account will have the temporary credentials written to it.
Optional but recommended: you can specify an MFA serial (ARN) for the tool to use when requesting the MFA token. If you do not specify one, the tool will use the default MFA serial (ARN) for the source account. This is added to the configuration file. See below.
When you use this tool you will need to give it the 6 digit MFA token that is generated by your MFA device using the -c flag. However, due to the latency of making the calls to AWS, you will need to make sure that you have at least a few seconds left on your MFA token before you run the tool.
Please check the help menu for arguments that can be passed to the tool. Some usage examples are below.
Show the Help menu.
aws_mfa -h
Configuration file
[profile acc1-mfa]
mfa_serial = arn:aws:iam::123456789:mfa/my-mfa-device
# This value is rewritten each time the tool gets new credentials.
mfa_expiration = 2023-06-29T08:19:05Z
Credentials file
Generally found in ~/.aws/credentials
# This is the source account. The credentials here will be used to generate the temporary credentials.
# This profile needs to have a config file entry that will be used to get the MFA serial (arn) and write the expiration time.
[acc1-mfa]
aws_access_key_id = AKIAVVM5SVA7M3CRPVH
aws_secret_access_key = y4q6X8b3WHAByCxJvtAKiKQnVr
# This is the destination account. The credentials here will be updated with the temporary credentials.
[acc1]
aws_access_key_id = AK123ABCDEF456GHIJKL
aws_secret_access_key = 7yfhtoh7J3PBkjksBnybXu72TX
aws_session_token = QMy3S8D3BDVW4xJNMyKBjbg6Up/VoNhH53v528NmV2Jf6kdbLsYUy
Usage Examples
Get a new session token.
aws_mfa -s acc1-mfa -d acc1 -c 123456
Get a new session token with no output to the terminal. Useful for scripts.
aws_mfa -s acc1-mfa -d acc1 -c 123456 -q
Check the expiration time of the current session token.
aws_mfa -s acc1-mfa -t
Check the expiration time of the current session token with no output to the terminal. Useful for scripts.
aws_mfa -s acc1-mfa -t -q
Consider making an alias to make it easier to use. For example:
alias aws-mfa='aws_mfa -s acc1-mfa -d acc1 -c'
# Usage: this will allow you to just add your 6 digit MFA code and you're done.
# - Mileage may vary depending on your shell and number of accounts you need to auth against.
aws-mfa 123456
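For scripts, the expiry check and the refresh can be combined so that the MFA prompt only appears once the recorded session has lapsed. This is an added example, not part of aws-mfa itself; the function names are hypothetical, and it assumes the configuration file shown above is the AWS CLI config (~/.aws/config, or the path in AWS_CONFIG_FILE) and that mfa_expiration always uses the UTC format shown.

```shell
#!/bin/sh
# Added example (not part of aws-mfa): prompt for an MFA code only when the
# session recorded in mfa_expiration has lapsed. Function names are hypothetical.

# Print mfa_expiration from the "[profile NAME]" section. $1 = file, $2 = profile
mfa_expiration_for() {
  awk -v want="[profile $2]" '
    { sub(/[ \t\r]+$/, "") }                      # drop trailing blanks / CR
    /^\[/ { in_section = ($0 == want); next }     # track the current section
    in_section && /^[ \t]*mfa_expiration[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); print; exit
    }' "$1"
}

# Succeed only if the recorded expiry is later than now.
# $1 = file, $2 = profile, $3 = "now" override (assumed helper for testing)
session_valid() {
  exp=$(mfa_expiration_for "$1" "$2")
  now=${3:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
  case "$exp" in   # accept only the UTC format shown in the README
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z) ;;
    *) return 1 ;; # missing or malformed: treat as expired
  esac
  # Same-format UTC timestamps order correctly as plain strings.
  awk -v e="$exp" -v n="$now" 'BEGIN { exit !((e "") > (n "")) }'
}

# $1 = source profile, $2 = destination profile
refresh_if_needed() {
  cfg=${AWS_CONFIG_FILE:-$HOME/.aws/config}   # assumed config location
  session_valid "$cfg" "$1" && return 0
  printf 'MFA code for %s: ' "$1" >&2
  read -r code || return 2
  case "$code" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "expected a 6 digit code" >&2; return 2 ;;
  esac
  aws_mfa -s "$1" -d "$2" -c "$code" -q       # flags as documented above
}

# Usage in a script: refresh_if_needed acc1-mfa acc1 || exit 1
```

A missing or malformed mfa_expiration is treated as expired, so the script falls back to asking for a code rather than assuming a live session.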
AWS Documentation
The IAM policies needed are beyond the scope of this tool, but this document should get you going with enabling MFA in your account:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html