aws-mfa

command module
v0.0.0-...-60cd372 Latest Latest
Published: Jun 29, 2023 License: GPL-3.0 Imports: 11 Imported by: 0

README

aws-mfa

A small tool to help with MFA on the AWS CLI.

Installation

Check the releases page for a binary that supports your system.

For Mac M series users, you can use the darwin_arm64 binary. For all Mac users, you'll also need to allow the execution of the tool in your security center.

Add the binary to a directory that is in your PATH variable, then make it executable. I would recommend chmod 550 aws_mfa for Mac and Linux users.

Usage

The tool relies on 2 different accounts being available in your ~/.aws/credentials file.

The source account will be used to generate the MFA token. The destination account will have the temporary credentials written to it.

Optional but recommended: you can specify an MFA serial (arn) for the tool to use when requesting the MFA token. If you do not specify one, the tool will use the default MFA serial (arn) for the source account. The serial is added to the configuration file. See below.

When you use this tool, you will need to give it the 6-digit MFA token generated by your MFA device, using the -c flag. Because of the latency of the calls to AWS, make sure that you have at least a few seconds left on your MFA token before you run the tool.

Please check the help menu for the arguments that can be passed to the tool. Some usage examples are below.

Show the Help menu.

aws_mfa -h

Configuration file

[profile acc1-mfa]
mfa_serial     = arn:aws:iam::123456789:mfa/my-mfa-device
# This value is rewritten each time the tool gets new credentials.
mfa_expiration = 2023-06-29T08:19:05Z

Credentials file

Generally found in ~/.aws/credentials

# This is the source account. The credentials here will be used to generate the temporary credentials.
# This profile needs to have a config file entry that will be used to get the MFA serial (arn) and write the expiration time.
[acc1-mfa]
aws_access_key_id     = AKIAVVM5SVA7M3CRPVH
aws_secret_access_key = y4q6X8b3WHAByCxJvtAKiKQnVr

# This is the destination account. The credentials here will be updated with the temporary credentials.
[acc1]
aws_access_key_id     = AK123ABCDEF456GHIJKL
aws_secret_access_key = 7yfhtoh7J3PBkjksBnybXu72TX
aws_session_token     = QMy3S8D3BDVW4xJNMyKBjbg6Up/VoNhH53v528NmV2Jf6kdbLsYUy

Usage Examples

Get a new session token.

aws_mfa -s acc1-mfa -d acc1 -c 123456

Get a new session token with no output to the terminal. Useful for scripts.

aws_mfa -s acc1-mfa -d acc1 -c 123456 -q

Check the expiration time of the current session token.

aws_mfa -s acc1-mfa -t

Check the expiration time of the current session token with no output to the terminal. Useful for scripts.

aws_mfa -s acc1-mfa -t -q
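
For scripts that need to decide whether to ask for a new MFA code, the mfa_expiration value can also be read directly from the configuration file. The following is an added example, not part of aws-mfa's own code: mfaExpiration and needsRefresh are hypothetical names, the sample config is constructed in the layout shown above, and the five-minute margin is an assumption.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// sampleConfig is constructed for this example, in the layout shown above.
const sampleConfig = `[profile other]
mfa_expiration = 2031-01-01T00:00:00Z

[profile acc1-mfa]
mfa_serial     = arn:aws:iam::123456789:mfa/my-mfa-device
mfa_expiration = 2023-06-29T08:19:05Z
`

// mfaExpiration returns the mfa_expiration value of [profile <name>].
func mfaExpiration(config, name string) (time.Time, error) {
	inSection := false
	sc := bufio.NewScanner(strings.NewReader(config))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if strings.HasPrefix(line, "[") {
			// Only keys under the requested profile header count.
			inSection = line == "[profile "+name+"]"
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if inSection && ok && strings.TrimSpace(key) == "mfa_expiration" {
			return time.Parse(time.RFC3339, strings.TrimSpace(val))
		}
	}
	return time.Time{}, fmt.Errorf("no mfa_expiration for profile %q", name)
}

// needsRefresh reports whether the session expires within margin of now.
// A zero time (missing or unparsable value) always needs a refresh.
func needsRefresh(exp, now time.Time, margin time.Duration) bool {
	return !now.Add(margin).Before(exp)
}

func main() {
	exp, err := mfaExpiration(sampleConfig, "acc1-mfa")
	fmt.Println(exp, err, needsRefresh(exp, time.Now(), 5*time.Minute))
}
```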

Consider making an alias to make it easier to use. For example:

alias aws-mfa='aws_mfa -s acc1-mfa -d acc1 -c'

# Usage: this will allow you to just add your 6-digit MFA code and you're done.
# - Mileage may vary depending on your shell and the number of accounts you need to auth against.
aws-mfa 123456

AWS Documentation

The IAM policies needed are beyond the scope of this tool, but this document should get you going to enable MFA in your account:

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
