Using the AWS CLI in MFA-enabled environments
January 14, 2019
If you have worked for a while with the aws cli client, or with other AWS products or libraries, you may have come across a situation where MFA (multi-factor authentication) was enforced on the console access keys by a security policy, and you had to authenticate against AWS using an MFA device or application.
In this particular case, we are going to use one or more AWS accounts.
In order to use the aws cli on AWS accounts that have MFA enabled, you will have to authenticate against AWS manually, or use a tool to automate the MFA login process. The tool we are going to use is aws-mfa-login. More details here: https://pypi.org/project/aws-mfa-login/ You will need to install it using python pip:
$ pip install aws-mfa-login
$ aws-mfa-login --help
usage: aws-mfa-login [-h] [--token TOKEN] [--profile PROFILE | --serial SERIAL]
                     [--fish | --bash]

optional arguments:
  -h, --help         show this help message and exit
  --token TOKEN      MFA token to use for login
  --profile PROFILE  AWS Profile to read MFA Serial from
  --serial SERIAL    MFA device serial (e.g. arn:aws:iam::00000000000:mfa/myiamuser)
  --fish             Override shell guessing, set to fish (use "set -e")
  --bash             Override shell guessing, set to bash (use "unset")
After the MFA tool is installed, make sure that you also have the AWS CLI tools installed. You can find details on how to do that here: https://aws.amazon.com/cli/
AWS profiles will have to be set up in the .aws/ directory in your home directory so you can use the MFA login tool.
1) Create a file named config containing the profile definitions, as in the snippet below. Make sure to replace the username after XXXXXX:mfa/, and the account number if you need another account. The example below is configured for the account1 account. If you need a new account, copy the [profile] block and create a new one, replacing the region, output and mfa_serial contents.
[profile default]
region = eu-west-1
output = json

[profile account1]
region = us-west-2
output = json
mfa_serial = arn:aws:iam::927526524062:mfa/username
2) Create a new file named credentials, and add your access key id and secret access key. Keep in mind that the profile names must match the ones in the config file you created earlier.
[default]
aws_access_key_id = AKIAXXXXXXXXXXXXXXXX
aws_secret_access_key = 4JFI8XXXXXXXXXXXXXXXXXXX

[account1]
aws_access_key_id = AKIDRXXXXXXXXXXXXXXX
aws_secret_access_key = 7DFJ5XXXXXXXXXXXXXXXXXXXXX
3) After the files are configured correctly, you can use the aws-mfa-login utility to generate your new environment:
$ aws-mfa-login --profile account1
MFA token: 123456
export AWS_ACCESS_KEY_ID=AKIAXXXXXXXXXXXXXXXX
export AWS_SECRET_ACCESS_KEY=7DFJ5XXXXXXXXXXXXXXXXXXXXX
export AWS_SESSION_TOKEN=FQodyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
After you execute the command you will be asked for your MFA token, which you read from your MFA device.
If the attempt was successful, you will be given a number of AWS environment variables, which you set in your local shell by simply pasting the output into your console.
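To show what happens behind the prompt, here is an added Python sketch of the tool's job; it is not code from the original post or from the aws-mfa-login project. It reads mfa_serial from a constructed config in the layout above, exchanges the long-lived keys plus the MFA code for temporary credentials through STS GetSessionToken, and renders them as the export lines you paste (the account id, user name and boto3 usage are assumptions).

```python
import configparser
import shlex

# Constructed sample ~/.aws/config in the layout the post describes;
# the account id and user name are placeholders, not real values.
SAMPLE_CONFIG = """\
[profile default]
region = eu-west-1
output = json

[profile account1]
region = us-west-2
output = json
mfa_serial = arn:aws:iam::000000000000:mfa/username
"""

def mfa_serial_for_profile(config_text, profile):
    """Return the mfa_serial of `profile`, or None. The config file names
    profiles "[profile NAME]", the credentials file "[NAME]"; check both."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    for section in (f"profile {profile}", profile):
        if cp.has_section(section) and cp.has_option(section, "mfa_serial"):
            return cp.get(section, "mfa_serial")
    return None

def export_lines(creds, shell="bash"):
    """Render temporary STS credentials as shell statements, the way
    aws-mfa-login prints them, so they can be pasted into the session."""
    env = {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
           "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
           "AWS_SESSION_TOKEN": creds["SessionToken"]}
    if shell == "fish":
        return [f"set -gx {k} {shlex.quote(v)}" for k, v in env.items()]
    return [f"export {k}={shlex.quote(v)}" for k, v in env.items()]

def session_credentials(profile, token, config_text, duration=3600):
    """Exchange the profile's long-lived keys plus an MFA code for temporary
    credentials via STS GetSessionToken (needs boto3 and network access)."""
    import boto3  # assumption: boto3 is installed
    serial = mfa_serial_for_profile(config_text, profile)
    if serial is None:
        raise ValueError(f"profile {profile!r} has no mfa_serial")
    sts = boto3.Session(profile_name=profile).client("sts")
    resp = sts.get_session_token(SerialNumber=serial, TokenCode=token,
                                 DurationSeconds=duration)
    return resp["Credentials"]
```

The credentials STS returns expire after DurationSeconds, so the pasted environment stops working on its own; the long-lived keys in the credentials file are never exported.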
A short test to see if everything worked can be done by listing the S3 buckets in your account:
$ aws s3 ls
If you are using multiple accounts in multiple regions, you may run into issues with your default region and need to set it manually. The region can be set manually like this:
The AWS CLI is a useful and powerful tool for working with Amazon Web Services, but using it in an MFA-enabled environment (due to security policies) can be a pain. The aws-mfa-login tool is a great addition to your arsenal, making authenticating against AWS a whole lot easier.