AWS Credentials, CLI and MFA 24 August 2021
We recently started enforcing MFA on our AWS accounts which for the most part has been seamless, the exception being the requirement for new credentials to be generated every day (or rather for each session) when using the CLI. In order to do this I’ve ended up creating a simple script based on an example created by DevNambi and maintaining two AWS profiles for each account. The first AWS profile is for my standard user credentials that allow me to request more privileges using my MFA device; the second AWS profile is for the session credentials generated using my MFA token to gain more privileges.
To start my
.aws/credentials looks like:
[production-mfa] aws_secret_access_key = *** aws_access_key_id = ***
After I run my credentials script it looks like:
[production-mfa] aws_secret_access_key = *** aws_access_key_id = *** [production] aws_secret_access_key = *** aws_access_key_id = *** aws_session_token = ***
The session based credentials get updated every time I run the script using the current MFA token and give me full access via the AWS cli.
#!/bin/bash MFA_PROFILE=$1 PROFILE=$2 SERIAL_NUMBER=$3 TOKEN=$4 if [[ -z $MFA_PROFILE || -z $PROFILE || -z $SERIAL_NUMBER || -z $TOKEN ]]; then echo "Usage: aws-creds.sh <mfa profile> <profile> <serial number> <token>" exit -1 fi read -p "You are about to request session creditionals for profile: [$PROFILE] using MFA profile: [$MFA_PROFILE] for device: [$SERIAL_NUMBER] with token: [$TOKEN]. Are you sure (y/n)? " -n 1 -r echo # move to a new line if [[ $REPLY =~ ^[Yy]$ ]] then CREDJSON=`aws sts get-session-token --profile $MFA_PROFILE --serial-number $SERIAL_NUMBER --token-code $TOKEN` ACCESSKEY="$(echo $CREDJSON | jq '.Credentials.AccessKeyId' | sed 's/"//g')" SECRETKEY="$(echo $CREDJSON | jq '.Credentials.SecretAccessKey' | sed 's/"//g')" SESSIONTOKEN="$(echo $CREDJSON | jq '.Credentials.SessionToken' | sed 's/"//g')" aws configure set aws_access_key_id $ACCESSKEY --profile $PROFILE aws configure set aws_secret_access_key $SECRETKEY --profile $PROFILE aws configure set aws_session_token $SESSIONTOKEN --profile $PROFILE fi
The script requires 4 arguments:
- the AWS profile that will be used to request a session token
- the AWS profile that the session token will stored under
- the serial number of the MFA device
- the MFA token
I have a few aliases set up in my
.profile that allows me to easily update the credentials for each account:
alias aws-creds-test="$SCRIPTS_PATH/aws-creds.sh ecogy-test-mfa ecogy-test arn:aws:iam::***:mfa/*** $1"
Now I just call
aws-creds-test <current token> with the current MFA token and the
ecogy-test profile is available to use with full user privileges.