aws-mfa makes it easy to manage your AWS SDK Security Credentials when Multi-Factor Authentication (MFA) is enforced on your AWS account. It automates the process of obtaining temporary credentials from the AWS Security Token Service and updating your AWS Credentials file (located at ~/.aws/credentials). Traditional methods of managing MFA-based credentials requires users to write their own bespoke scripts/wrappers to fetch temporary credentials from STS and often times manually update their AWS credentials file.
The concept behind aws-mfa is that there are 2 types of credentials:
long-term- Your typcial AWS access keys, consisting of anAWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEYshort-term- A temporary set of credentials that are generated by AWS STS using yourlong-termcredentials in combination with your MFA device serial number (either a hardware device serial number or virtual device ARN) and one time token code. Your short term credentials are the credentials that are actively utilized by the AWS SDK in use.
If you haven't yet enabled multi-factor authentication for AWS API access, check out the AWS article on doing so.
In a typical AWS credentials file (located at ~/.aws/credentials), credentials are stored in sections, denoted by a pair of brackets: []. The [default] section stores your default credentials. You can store multiple sets of credentials using different profile names. If no profile is specified, the [default] section is always used.
Long term credential sections are identified by the convention [<profile_name>-long-term]. Short term credentials are identified by the typical convention: [<profile_name>]. The following illustrates how you would configure you credentials file using aws-mfa with your default credentials:
After running aws-mfa, your credentials file would read:
Similarly, if you utilize a credentials profile named development, your credentials file would look like:
After running aws-mfa, your credentials file would read:
--device arn:aws:iam::123456788990:mfa/dudeman
The MFA Device ARN. This value can also be provided
via the environment variable 'MFA_DEVICE'.
--duration DURATION The duration, in seconds, indicating how long the
temporary credentials should be valid. The minimum is
900 seconds (15 minutes) and the maximum is 3600
seconds (1 hour). This value can also be provided via
the environment variable 'MFA_STS_DURATION'.
--profile PROFILE If using profiles, specify the name here. The default
profile name is 'default'
--assume-role arn:aws:iam::123456788990:role/RoleName
The ARN of the AWS IAM Role you would like to assume,
if specified. This value can also be provided via the
environment variable 'MFA_ASSUME_ROLE'
--role-session-name ROLE_SESSION_NAME
Friendly session name required when using --assume-
roleArgument precedence: Command line arguments take precedence over environment variables.
Run aws-mfa before running any of your scripts that use any AWS SDK.
Using command line arguments:
$> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman
INFO - Using profile: default
INFO - Your credentials have expired, renewing.
Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):123456
INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:07:09+00:00Using environment variables:
export MFA_DEVICE=arn:aws:iam::123456788990:mfa/dudeman
export MFA_STS_DURATION=1800
$> aws-mfa
INFO - Using profile: default
INFO - Your credentials have expired, renewing.
Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):123456
INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:07:09+00:00Output of running aws-mfa while credentials are still valid:
$> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman --profile development
INFO - Using profile: development
Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):666666
INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:09:04+00:00