- Attach the provided IAM policy to the applicable IAM users.
- Log in to the AWS Console with your credentials. (It is fine to see Unauthorized errors within the page at this stage.)
- Click your name in the top-right corner and select My Security Credentials, or, once logged in, navigate directly to https://console.aws.amazon.com/iam/home?#my_password
- Add an MFA device (either hardware, or a virtual device such as Microsoft Authenticator or Okta Verify).
- Make a note of your MFA device ARN if you wish to use the AWS CLI; the scripts need it.
- Once enabled, users cannot disable MFA themselves!
- The provided scripts assume the AWS CLI has been configured (`aws configure`) with a default region and a default output format of JSON.
- The scripts put temporary, MFA-backed AWS credentials into environment variables of the current bash/PowerShell session; they are discarded when the session is closed.
- If you are using an EC2 instance or assuming a role in order to access the AWS CLI, you can instead add the following setting to the role profile in your AWS CLI config file and the CLI will prompt for the MFA code automatically (see the AWS CLI reference). Note that the CLI only honours this setting on profiles that assume a role (`role_arn`); it does not prompt for profiles that hold plain long-term keys. mfa_serial =
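The profile layout that makes the CLI prompt for an MFA code on its own, as an added example that is not part of the project; the account ID, role name, user name and profile names are placeholders:

```ini
# ~/.aws/config (added example, not from the project; all names are placeholders)

# Long-term keys live in the matching [base] section of ~/.aws/credentials.
[profile base]
region = us-east-1
output = json

# Assume-role profile from a workstation: source_profile supplies the keys,
# mfa_serial makes the CLI ask for a code and pass it to STS AssumeRole.
[profile admin]
role_arn = arn:aws:iam::123456789012:role/AdminRole
source_profile = base
mfa_serial = arn:aws:iam::123456789012:mfa/example-user
region = us-east-1
output = json

# Same idea from an EC2 instance: the instance role supplies the keys,
# so credential_source replaces source_profile.
[profile admin-from-ec2]
role_arn = arn:aws:iam::123456789012:role/AdminRole
credential_source = Ec2InstanceMetadata
mfa_serial = arn:aws:iam::123456789012:mfa/example-user
region = us-east-1
output = json
```

Use it with `aws sts get-caller-identity --profile admin`; the CLI prompts for the code the first time and caches the role session under ~/.aws/cli/cache until it expires.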
You need to call the AWS STS service to request a new set of temporary credentials while also providing the MFA token. The provided scripts do this for you:
- authenticate.sh for BASH (requires jq): `chmod +x authenticate.sh`, then `./authenticate.sh`
- authenticate.sh for OSX (requires jq): `chmod +x authenticate.sh`, then `source ./authenticate.sh`
- authenticate.ps1 for PowerShell: `.\authenticate.ps1`
The scripts prompt for:
- AWS CLI configuration profile name (can be hard-coded in the script)
- MFA device serial number or ARN (can be hard-coded in the script)
- MFA code
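The STS call the scripts make, written out as an added example that is not the project's authenticate.sh: it takes the same three inputs (profile, MFA serial ARN, MFA code), asks STS GetSessionToken for temporary credentials and exports them into the current shell. It assumes the AWS CLI v2 is installed and `aws configure` has been run for the named profile; it uses `--output text --query` instead of jq so the parsing step has no extra dependency, and the parser is a separate function so it can be exercised on a constructed line without network access. The file must be sourced, not executed, for the exports to reach your shell.

```shell
#!/usr/bin/env bash
# Added example (not the project's authenticate.sh): fetch MFA-backed temporary
# credentials via STS GetSessionToken and export them into the current shell.
# Assumes the AWS CLI v2 is installed and `aws configure` was run for <profile>.
# Usage: source this file, then
#   aws_mfa_session <profile> <mfa-serial-arn> <mfa-code> [duration-seconds]

# Turn one tab-separated line of STS output into exported variables.
# Kept separate from the network call so it can be checked on a constructed line.
# Field order is fixed by the --query expression in aws_mfa_session:
#   AccessKeyId <TAB> SecretAccessKey <TAB> SessionToken <TAB> Expiration
parse_sts_credentials() {
    local line tab akid secret token expiry
    line=$1
    tab=$(printf '\t')
    IFS=$tab read -r akid secret token expiry <<EOF
$line
EOF
    if [ -z "$akid" ] || [ -z "$secret" ] || [ -z "$token" ]; then
        printf 'parse_sts_credentials: malformed STS output\n' >&2
        return 1
    fi
    export AWS_ACCESS_KEY_ID="$akid"
    export AWS_SECRET_ACCESS_KEY="$secret"
    export AWS_SESSION_TOKEN="$token"
    # Not read by the AWS CLI; kept so the user can see when the session ends.
    export AWS_SESSION_EXPIRATION="$expiry"
    return 0
}

aws_mfa_session() {
    local profile serial code duration out
    profile=$1; serial=$2; code=$3; duration=${4:-43200}   # 12 h, the GetSessionToken default
    if [ -z "$profile" ] || [ -z "$serial" ] || [ -z "$code" ]; then
        printf 'usage: aws_mfa_session <profile> <mfa-serial-arn> <mfa-code> [duration-seconds]\n' >&2
        return 2
    fi
    # TOTP and hardware-token codes are six digits; reject junk before spending an STS call on it.
    case $code in
        [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) printf 'aws_mfa_session: MFA code must be six digits\n' >&2; return 2 ;;
    esac
    # Drop credentials from an earlier run: GetSessionToken must be called with the
    # user's long-term keys, and STS does not accept it from credentials that were
    # themselves issued by GetSessionToken.
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SESSION_EXPIRATION
    out=$(aws sts get-session-token \
            --profile "$profile" \
            --serial-number "$serial" \
            --token-code "$code" \
            --duration-seconds "$duration" \
            --output text \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]') || return 1
    parse_sts_credentials "$out" || return 1
    printf 'MFA session for profile %s active until %s\n' "$profile" "$AWS_SESSION_EXPIRATION"
}
```

Because the exports land in the calling shell, closing that shell discards the session, which is the behaviour the scripts above rely on; nothing is written to ~/.aws/credentials.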
License: MIT
Author: Nick Germi