Using aws CLI, on mfa enabled environments

January 14, 2019
3 min Read

The need

If you have worked for a while with aws cli client, or with other AWS products or libraries you may have come across a situation where MFA(multi-factor authentication) was enabled on the console access keys due to a enforced security policy, and you had to authenticate against aws using a MFA device/application.



In this particular case, we are going to use one or more AWS accounts.

In order to use the aws cli, on aws accounts that have MFA enabled, you will have to manually authenticate against aws, or use some tool to automate the mfa login process. The tool we are going to use is aws-mfa-login. More details here: You will need to install it using python pip:

$pip install aws-mfa-login

$ aws-mfa-login --help
usage: aws-mfa-login [-h] [--token TOKEN]
                    [--profile PROFILE | --serial SERIAL] [--fish | --bash]

optional arguments:
  -h, --help     	show this help message and exit
  --token TOKEN  	MFA token to use for login
  --profile PROFILE  AWS Profile to read MFA Serial from
  --serial SERIAL	MFA device serial (e.g.
  --fish         	Override shell guessing, set to fish (use "set -e")
  --bash         	Override shell guessing, set to bash (use "unset")

After the mfa tool is installed, you must make sure that you have the aws cli tools installed. You can find more details on how to do that here:

AWS profiles will have to be set-up in your home directory .aws/ so you can use the mfa login tool.

1) Create a file named config, containing the profile definitions. Details in the snippet below. Please make sure to replace the username after XXXXXX:mfa/, and the account number if you need another account. The example below is configured for the account1 account. If you need a new account copy the [profile] and create a new one, replacing the region, output, and mfa_serial contents.

[profile default]
region = eu-west-1
output = json

[profile account1]
region = us-west-2
output = json
mfa_serial = arn:aws:iam::927526524062:mfa/username

2) Create a new file named credentials, and add your key_id and access secrets. Keep in mind that you will have to keep the naming convention from the config file you created earlier.

aws_access_key_id = AKIAXXXXXXXXXXXXXXXX
aws_secret_access_key = 4JFI8XXXXXXXXXXXXXXXXXXX

aws_access_key_id = AKIDRXXXXXXXXXXXXXXX

3) After the files are configured correctly, you can use the aws-mfa-utility, to generate your new environment variables.

Example usage:

$aws-mfa-login --profile account1
MFA token: 123456

After you execute the command you will be asked for your mfa token, which you will get from your mfa device.
Given your attempt was successful, you will be given a number of aws environment variables, which you will have to set as your local environment variables, by simply pasting the output to your console.

A short test to see if everything worked fine can be done by listing s3 buckets in your account:

$aws s3 ls

If you are using multiple accounts in multiple regions, you may encounter issues with your default region, and you may need to set it manually. The region can be manually set like this:

$export AWS_DEFAULT_REGION="us-west-2"

Final thoughts

The AWS CLI can be a useful and powerful tool in your work with amazon web services, but sometimes using it in a mfa enabled environment(due to security policies) can be a pain. Aws-mfa-login tool is a great addition to your arsenal, making your work, authenticating against aws a whole lot easier.

Featured Articles.