wiki:aws_cli_2fa

Differences

This shows you the differences between two versions of the page.

wiki:aws_cli_2fa [2024/10/16 14:18] – created antisa
wiki:aws_cli_2fa [2024/10/29 13:58] (current) – [See also] add aws cli commands antisa
Line 13: Line 13:
 The //arn-of-the-mfa-device// is from the first command and //code-from-token// is just the 6-digit code from your 2FA app on your phone or somewhere. The //arn-of-the-mfa-device// is from the first command and //code-from-token// is just the 6-digit code from your 2FA app on your phone or somewhere.
  
-Then copy paste all of the fields in //~/.aws/credentials// file.+Then copy paste all of the fields in //~/.aws/credentials// file, but <wrap hi>put it under a different profile</wrap> since you stil need the non-expiration creds used in commands above.
  
 Example: Example:
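Review bot: in the added sentence on the credentials file, "stil" should be "still", and "non-expiration creds" would read more clearly as the long-term access keys of the original profile. Naming the target profile in this sentence (myprofile-session, the name used in the example and in the script) would tie the instruction to what follows.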
Line 44: Line 44:
  
 <code> <code>
-[myprofile]+[myprofile-session]
 aws_access_key_id = xxxxxxxxxxxxxxxxxxx aws_access_key_id = xxxxxxxxxxxxxxxxxxx
 aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Line 51: Line 51:
 </code>  </code> 
  
 +Here's a bash script that adds the creds each time to the file. Just pass it token-code and add your serial number. Remember to source it e.g.
 +  . ~/.local/bin/aws_get_session.sh 1234
 +
 +<file bash aws_get_session.sh>
 +#!/bin/bash
 +# run this script with source (.) command since we need access to 
 +# the exported AWS_PROFILE variable below in the parent shell e.g.
 +# . ~/.local/bin/aws_get_session.sh 1234
 +
 +# debug
 +# set -x
 +
 +if [ "${BASH_SOURCE[0]}" -ef "$0" ]
 +then
 +      echo "Hey, you should source this script, not execute it!"
 +      echo "e.g. '. aws_get_session.sh 1234'"
 +      exit 1
 +fi
 +
 +if [ -z $1 ];then
 +  echo "You must provide 2FA token!"
 +  return 1
 +fi
 +
 +# colors
 +On_Yellow='\033[43m'
 +On_White='\033[47m'
 +NC='\033[0m' # No Color
 +
 +echo "Deleting old creds..."
 +sed -i '/\[myprofile-session\]/,+4d' ~/.aws/credentials
 +
 +echo "Creating new creds..."
 +# use existing profile
 +KST=$(AWS_PROFILE=myprofile aws sts get-session-token --serial-number arn:aws:iam::xxxxxxxxxxxxxx:mfa/meandmyself --token-code "$1")
 +cat << EOF >> ~/.aws/credentials
 +[myprofile-session]
 +aws_access_key_id = $(echo "$KST" | jq '.Credentials.AccessKeyId' | tr -d '"')
 +aws_secret_access_key = $(echo "$KST" | jq '.Credentials.SecretAccessKey' | tr -d '"')
 +aws_session_token = $(echo "$KST" | jq '.Credentials.SessionToken' | tr -d '"')
 +
 +EOF
 +
 +# below export will only work when sourcing this script
 +export AWS_PROFILE=myprofile-session
 +echo -e "Current AWS_PROFILE set to ${On_Yellow}$AWS_PROFILE${NC}"
 +
 +</file>
 ====== Tested on ====== ====== Tested on ======
   * aws-cli/2.12.5 Python/3.11.4 Linux/6.8.0-45-generic exe/x86_64.ubuntu.22 prompt/off   * aws-cli/2.12.5 Python/3.11.4 Linux/6.8.0-45-generic exe/x86_64.ubuntu.22 prompt/off
  
 ====== See also ====== ====== See also ======
 +    * [[wiki:aws_cli_commands|aws cli commands]]
 ====== References ====== ====== References ======
   * https://stackoverflow.com/questions/34795780/how-to-use-mfa-with-aws-cli   * https://stackoverflow.com/questions/34795780/how-to-use-mfa-with-aws-cli
   * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html   * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  
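Review bot: the result of "aws sts get-session-token" in aws_get_session.sh is never checked, and the sed that deletes the old [myprofile-session] block runs before the call is made. With a wrong or expired token code KST comes back empty, so the heredoc appends a profile whose three fields are blank and AWS_PROFILE is still switched to it. Make the STS call first and stop on failure, for example by ending the KST=$(...) assignment with "|| return 1", and only then run the sed and the append. Smaller points in the same script: the test [ -z $1 ] should quote the argument as [ -z "$1" ]; jq -r would give raw strings and make the tr -d pipes unnecessary; the sed range ",+4d" assumes the block is always the header plus exactly four lines, which matches what the heredoc writes but not a hand-pasted block with a different layout; On_White is defined and never used.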
wiki/aws_cli_2fa.1729081101.txt.gz · Last modified: 2024/10/16 14:18 by antisa

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal