Using the aws CLI in MFA-enabled environments

January 14, 2019
3 min Read

The need

If you have worked for a while with the aws cli client, or with other AWS products or libraries, you may have come across a situation where MFA (multi-factor authentication) was enabled on the console access keys due to an enforced security policy, and you had to authenticate against AWS using an MFA device or application.


Implementation

In this particular case, we are going to use one or more AWS accounts.

In order to use the aws cli on AWS accounts that have MFA enabled, you will have to manually authenticate against AWS, or use a tool to automate the MFA login process. The tool we are going to use is aws-mfa-login. More details here: https://pypi.org/project/aws-mfa-login/. You will need to install it using python pip:

$ pip install aws-mfa-login

$ aws-mfa-login --help
usage: aws-mfa-login [-h] [--token TOKEN]
                    [--profile PROFILE | --serial SERIAL] [--fish | --bash]

optional arguments:
  -h, --help     	show this help message and exit
  --token TOKEN  	MFA token to use for login
  --profile PROFILE  AWS Profile to read MFA Serial from
  --serial SERIAL	MFA device serial (e.g.
                    arn:aws:iam::00000000000:mfa/myiamuser)
  --fish         	Override shell guessing, set to fish (use "set -e")
  --bash         	Override shell guessing, set to bash (use "unset")

After the MFA tool is installed, make sure that you also have the aws cli tools installed. You can find more details on how to do that here: https://aws.amazon.com/cli/

AWS profiles will have to be set up in the .aws/ directory in your home directory so you can use the MFA login tool.

1) Create a file named config containing the profile definitions, as in the snippet below. Make sure to replace the username after XXXXXX:mfa/, and the account number if you need another account. The example below is configured for the account1 account. If you need another account, copy the [profile] block and create a new one, replacing the region, output and mfa_serial contents.

[profile default]
region = eu-west-1
output = json

[profile account1]
region = us-west-2
output = json
mfa_serial = arn:aws:iam::927526524062:mfa/username

2) Create a new file named credentials, and add your access key id and secret access key. Keep in mind that you have to keep the profile names from the config file you created earlier.

[default]
aws_access_key_id = AKIAXXXXXXXXXXXXXXXX
aws_secret_access_key = 4JFI8XXXXXXXXXXXXXXXXXXX

[account1]
aws_access_key_id = AKIDRXXXXXXXXXXXXXXX
aws_secret_access_key = 7DFJ5XXXXXXXXXXXXXXXXXXXXX

3) After the files are configured correctly, you can use the aws-mfa-login utility to generate your new environment variables.

Example usage:

$ aws-mfa-login --profile account1
MFA token: 123456
export AWS_ACCESS_KEY_ID=AKIAXXXXXXXXXXXXXXXX
export AWS_SECRET_ACCESS_KEY=7DFJ5XXXXXXXXXXXXXXXXXXXXX
export AWS_SESSION_TOKEN=FQodyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

After you execute the command you will be asked for your MFA token, which you get from your MFA device.
If the attempt was successful, you will be given a number of AWS environment variables, which you have to set in your local environment by simply pasting the output into your console.
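To make the flow behind the tool visible, here is an added POSIX-sh equivalent (example code, not part of the original post or of aws-mfa-login) that reads mfa_serial from the config file above, calls STS GetSessionToken through the aws CLI and prints the same export lines. The function names, the config-path override and the 6-digit token check are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or of aws-mfa-login: a small
# POSIX-sh equivalent that calls STS GetSessionToken through the aws CLI and
# prints the same "export ..." lines, so the flow is visible without the tool.

# Read mfa_serial for a profile from an aws CLI config file
# (defaults to ~/.aws/config; the second argument overrides it).
mfa_serial_for_profile() {
    cfg="${2:-$HOME/.aws/config}"
    awk -v want="[profile $1]" '
        $0 == want { in_section = 1; next }
        /^\[/      { in_section = 0 }
        in_section && /^[ \t]*mfa_serial[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$cfg"
}

# Print the three STS fields as the export lines the post pastes into the shell.
# These are temporary credentials: a distinct key pair plus a session token,
# not the long-term key pair stored in ~/.aws/credentials.
format_exports() {
    printf 'export AWS_ACCESS_KEY_ID=%s\n' "$1"
    printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$2"
    printf 'export AWS_SESSION_TOKEN=%s\n' "$3"
}

# Whole flow for one profile: look up the MFA serial, prompt for the 6-digit
# token, call STS with the profile's long-term key, print the exports.
# Needs the aws CLI and network access. Usage: eval "$(mfa_login account1)"
mfa_login() {
    profile="$1"
    serial=$(mfa_serial_for_profile "$profile")
    [ -n "$serial" ] || { echo "no mfa_serial for profile $profile" >&2; return 1; }
    printf 'MFA token: ' >&2
    read -r token
    case "$token" in
        [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "token must be 6 digits" >&2; return 1 ;;
    esac
    # --query flattens the response to three tab-separated values on one line.
    creds=$(aws sts get-session-token --profile "$profile" \
        --serial-number "$serial" --token-code "$token" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text) || return 1
    # shellcheck disable=SC2086  # word-splitting the three fields is intended
    set -- $creds
    format_exports "$1" "$2" "$3"
}
```

Running `eval "$(mfa_login account1)"` sets the variables in the current shell, which is the same effect as pasting the tool's output.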

A short test to see if everything worked fine can be done by listing s3 buckets in your account:

$ aws s3 ls

If you are using multiple accounts in multiple regions, you may encounter issues with your default region and need to set it manually. The region can be set manually like this:

$ export AWS_DEFAULT_REGION="us-west-2"

Final thoughts

The AWS CLI can be a useful and powerful tool in your work with Amazon Web Services, but using it in an MFA-enabled environment (due to security policies) can sometimes be a pain. The aws-mfa-login tool is a great addition to your arsenal, making authenticating against AWS a whole lot easier.
