How to use MFA with AWS CLI?

Front-end | Unresolved | 13 answers | 1186 views
太阳男子 2020-12-05 00:05

How do I type in the MFA code when using the AWS CLI? I have checked the documentation page of IAM http://docs.aws.amazon.com/cli/latest/reference/iam/index.html.

I

13 answers
  • 2020-12-05 00:40

    AWS MFA use on the command line can be rather unpleasant and cumbersome, especially if you have multiple profiles and roles.

    I have released awscli-mfa.sh script that makes MFA/role session management on the command line a lot easier. A companion script enable-disable-vmfa-device.sh similarly makes it easy to enable or disable a virtual MFA device on an IAM user account.

    awscli-mfa.sh persists a started session in ~/.aws/credentials (with some info in ~/.aws/config), or allows you to start an in-env session only so that its details don't get persisted. When executed in Windows Subsystem for Linux, the script also provides session activation strings for PowerShell and Windows command line. However, the script itself only runs in bash (written for macOS, Linux, and WSL bash with Ubuntu).

    You can find the scripts and the example MFA policies in my GitHub repo at https://github.com/vwal/awscli-mfa

  • 2020-12-05 00:41

    Step-by-step manual solution:

    1. Request a session token with MFA
    aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token
    

    arn-of-the-mfa-device: visible from your IAM user

    • Option: Use the CLI to retrieve it: aws iam list-mfa-devices --user-name ryan
    • Option: View it in the IAM console: IAM --> Users --> --> Security Credentials

    code-from-token: 6-digit code from your configured MFA device

    2. Create a profile with the returned credentials
    aws configure --profile cli
    
    aws configure set aws_session_token <SESSION_TOKEN_HERE> --profile cli
    

    aws_session_token is not included in aws configure

    3. Test command
    aws s3 ls --profile cli
    
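    The three manual steps above as one script, added here as an example; it is not code from the answer. It assumes the device ARN is passed in an environment variable named MFA_SERIAL (a name chosen for this example), the long-lived keys are in the default profile, the session goes into a profile named cli as in the answer, and the STS reply is parsed with sed so jq is not needed. The JSON sample inside it is constructed, with fake values.

```shell
#!/bin/sh
# Added example, not code from the answer above. Runs the three manual steps
# (get-session-token, store the keys in a profile, test) as one script.
# Assumptions: MFA_SERIAL holds the device ARN, the long-lived keys are in the
# default profile, the session profile is named "cli", and only the AWS CLI and
# sed are available (no jq).
set -eu

MFA_PROFILE="${MFA_PROFILE:-cli}"
SESSION_SECONDS="${SESSION_SECONDS:-3600}"   # STS accepts 900..129600 for an IAM user

# Constructed sample of what `aws sts get-session-token` prints (all values fake).
SAMPLE_STS_JSON='{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLE123",
    "SecretAccessKey": "secret/Example+Key",
    "SessionToken": "FwoGZXIvYXdzEXAMPLE==",
    "Expiration": "2020-12-05T12:00:00+00:00"
  }
}'

# Extract one string-valued key from the STS JSON. The CLI pretty-prints one
# key per line, so a per-line sed substitution is enough.
json_field() {  # usage: json_field <Key> <json-text>
  printf '%s\n' "$2" | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Step 1: the STS call. Reject anything that is not a 6-digit code before
# spending a network round trip on it.
request_session() {  # usage: request_session <mfa-serial-arn> <6-digit-code>
  case "$2" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "token code must be exactly 6 digits" >&2; return 1 ;;
  esac
  aws sts get-session-token --serial-number "$1" --token-code "$2" \
      --duration-seconds "$SESSION_SECONDS" --output json
}

# Step 2: `aws configure` never prompts for aws_session_token, so all three
# values are written explicitly with `aws configure set`. Prints the expiry.
write_profile() {  # usage: write_profile <profile> <json-text>
  key=$(json_field AccessKeyId "$2")
  secret=$(json_field SecretAccessKey "$2")
  token=$(json_field SessionToken "$2")
  expiry=$(json_field Expiration "$2")
  if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
    echo "STS response is missing a credential field" >&2
    return 1
  fi
  aws configure set aws_access_key_id     "$key"    --profile "$1"
  aws configure set aws_secret_access_key "$secret" --profile "$1"
  aws configure set aws_session_token     "$token"  --profile "$1"
  echo "$expiry"
}

# Step 3 is the test command itself; main ties the steps together.
main() {
  json=$(request_session "$MFA_SERIAL" "$1")
  expiry=$(write_profile "$MFA_PROFILE" "$json")
  echo "profile '$MFA_PROFILE' is valid until $expiry; test with: aws s3 ls --profile $MFA_PROFILE"
}

# Only run when invoked as `MFA_SERIAL=arn:aws:iam::...:mfa/you ./mfa-session.sh 123456`;
# sourcing the file just defines the functions.
if [ -n "${MFA_SERIAL:-}" ] && [ "$#" -gt 0 ]; then
  main "$1"
fi
```

    Because the script only calls `aws configure set`, the temporary keys land in ~/.aws/credentials in plain text, exactly as the manual steps leave them; the printed expiry is the Expiration field from the STS reply, so you know when to run it again.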
  • 2020-12-05 00:45

    aws-mfa acts as a wrapper around sts and works really well: https://github.com/broamski/aws-mfa

  • 2020-12-05 00:45

    I wrote a small bash script to get over this annoying problem. You can find it here: https://gist.github.com/geekgunda/db4c9c8d850c08a48d1d60f119628032

    Assumptions:

    1. Your original AWS Creds should be stored at ~/.aws/credentials
    2. You've corrected the ARN for the MFA device (search for FIXME)
    3. You've given the correct MFA code as a CLI argument
    4. You have jq installed. Ref: https://stedolan.github.io/jq/
  • 2020-12-05 00:48

    On Windows

    I'm on Windows and I created a batch file to pass in my MFA code and have it automatically set up my credentials. First, you need to set up your production credentials in AWS:

    aws configure --profile prod
    

    Answer the questions appropriately with your key and secret. Then, I run my script like this:

    C:\> mfa-getCreds.bat 229168
    
    Your credentials are set up, and will expire on 2019-05-12T04:04:13Z
    
    Now you should be able to run aws commands like this: aws s3 ls
    

    Here are the contents of my mfa-getCreds.bat:

    @echo off
    
    set TOKEN=%1
    if not defined TOKEN goto showUsage
    
    REM Ask STS for temporary credentials bound to this MFA code; the reply goes to a temp file.
    @call aws sts get-session-token --profile prod --serial-number "arn:aws:iam::109627855994:mfa/ryan.shillington" --token-code %TOKEN% > c:\temp\mfa-getCreds.json
    if errorlevel 1 goto :EOF
    
    REM Pull the four fields out with jq and set the variables the AWS CLI reads from the environment.
    FOR /F "tokens=*" %%g IN ('jq -r ".Credentials.AccessKeyId" c:\temp\mfa-getCreds.json') do (SET "AWS_ACCESS_KEY_ID=%%g")
    FOR /F "tokens=*" %%g IN ('jq -r ".Credentials.SecretAccessKey" c:\temp\mfa-getCreds.json') do (SET "AWS_SECRET_ACCESS_KEY=%%g")
    FOR /F "tokens=*" %%g IN ('jq -r ".Credentials.SessionToken" c:\temp\mfa-getCreds.json') do (SET "AWS_SESSION_TOKEN=%%g")
    FOR /F "tokens=*" %%g IN ('jq -r ".Credentials.Expiration" c:\temp\mfa-getCreds.json') do (SET "EXPIRATION=%%g")
    
    REM The temp file holds live credentials; delete it now that they are in the environment.
    del c:\temp\mfa-getCreds.json
    
    echo.
    echo Your credentials are set up, but will expire on %EXPIRATION%
    echo.
    echo Now you should be able to run aws commands like this: aws s3 ls
    
    goto :EOF
    
    :showUsage
    echo Usage: %0 [MFA Token]
    goto :EOF
    

    For this to run, you'll need the excellent jq package in your path.

  • 2020-12-05 00:52

    I have forked Chinmay's gist and updated it to pull the device serial from aws instead of hardcoding it. I have also updated the exits to return a status of 1 instead of just exiting.

    Available here: https://gist.github.com/jpribyl/e44021ae5cbf7fd1b4549598e85b5341

    I am using it in deploy scripts like this (I renamed the script to awsMfaCli.sh):

    . awsMfaCli.sh
    script_status=$?
    
    if [[ $script_status -ne 1 ]]; then
        echo "Building production"
        if npm run build ; then
           echo "Build Successful"
        else
          echo "Error building, exiting.."
          return 1
        fi
    
    
        echo "Removing all files on bucket.."
        aws s3 rm --recursive s3://mybucket
    
        echo "Uploading site.."
        aws s3 sync build/ s3://mybucket
        echo "S3 Upload complete.."
        echo "Deployment complete."
    else
        return 1
    fi
    