AWS MFA automation script for aws-cli operations.
If you use a policy with a BoolIfExists {"aws:MultiFactorAuthPresent": "false"} condition to force users to use MFA on the console, API calls made through the aws-cli will fail with an AccessDenied error. This happens because the aws-cli uses long-term credentials, for which the MultiFactorAuthPresent key does not exist. In that case these users have to use temporary credentials obtained from STS, so this script automates those tasks by doing the following:
- Run aws configure with credentials that have permission to call the aws sts get-session-token command
- Run the aws sts get-session-token command for the user, passing the MFA code as a parameter
- Extract the temporary credentials from the JSON response
- Run aws configure with those temporary credentials, optionally for a specific profile
Before running it, edit the following values in the file aws-login.properties:
- aws_account = AWS account number
- user_name = name of the IAM user who uses the aws-cli
- tmp_acces_key_id = aws_access_key_id with permission to invoke: aws sts get-session-token
- tmp_access_key = aws_secret_access_key with permission to invoke: aws sts get-session-token
./aws-login.sh help
Examples:
aws-login.sh -c 123456
aws-login.sh -c 123456 -p apside -r us-east-1
-c 'number': multi-factor (MFA) code.
-p 'string': (optional) profile name; if not given, 'default' is used.
-r 'string': (optional) region; if not given, 'us-east-1' is used.
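The core of the steps above (build the MFA serial from aws_account and user_name, pull the temporary credentials out of the get-session-token JSON, and write them to a profile), as an added stand-alone example that is not the project's aws-login.sh; the JSON response below is a constructed sample, and the key values in it are placeholders:

```shell
#!/bin/sh
# Constructed sample of what `aws sts get-session-token` returns (values are placeholders).
SAMPLE_RESPONSE='{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "exampleSecretKey/with+symbols",
        "SessionToken": "FwoGZXIvYXdzEExampleSessionToken==",
        "Expiration": "2024-01-01T12:00:00+00:00"
    }
}'

# MFA device ARN: virtual MFA devices are named after the IAM user.
# mfa_serial <aws_account> <user_name>
mfa_serial() {
    printf 'arn:aws:iam::%s:mfa/%s\n' "$1" "$2"
}

# The STS call the script runs (printed, not executed, so this stays offline).
# get_session_token_cmd <aws_account> <user_name> <mfa_code>
get_session_token_cmd() {
    printf 'aws sts get-session-token --serial-number %s --token-code %s\n' \
        "$(mfa_serial "$1" "$2")" "$3"
}

# Extract one string field from the JSON with POSIX sed (no jq dependency).
# json_field '<json>' <FieldName>
json_field() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p"
}

# Emit the `aws configure set` commands for the temporary credentials.
# Every temporary credential needs the session token too, or STS calls
# with the new key pair are rejected.
# configure_commands '<json>' [profile] [region]
configure_commands() {
    json="$1"; profile="${2:-default}"; region="${3:-us-east-1}"
    for pair in "aws_access_key_id AccessKeyId" \
                "aws_secret_access_key SecretAccessKey" \
                "aws_session_token SessionToken"; do
        set -- $pair
        printf "aws configure set %s '%s' --profile %s\n" \
            "$1" "$(json_field "$json" "$2")" "$profile"
    done
    printf 'aws configure set region %s --profile %s\n' "$region" "$profile"
}
```

Pipe the output of configure_commands into sh to apply it; the Expiration field tells you when the profile stops working and the script has to be run again.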