{{tag>aws cli 2fa mfa terminal}}
====== AWS CLI with 2FA ======
If 2FA is enabled on your AWS account, then in order to use the ''aws'' CLI from the terminal you need to get fresh temporary credentials. First get the ARN of your MFA device:
<code bash>
aws iam list-mfa-devices --user-name meandmyself
</code>
Then get the credentials:
<code bash>
aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token
</code>
The //arn-of-the-mfa-device// comes from the first command and //code-from-token// is just the 6-digit code from the 2FA app on your phone (or wherever your token lives).
Then copy-paste all of the fields into the //~/.aws/credentials// file, but put them under a different profile, since you still need the long-term (non-expiring) credentials for the commands above.
Example:
<code>
antisa@antisa-XPS-13-9310:~$ aws iam list-mfa-devices
{
    "MFADevices": [
        {
            "UserName": "ante",
            "SerialNumber": "arn:aws:iam::xxxxxxxxxxxx:mfa/meandmyself",
            "EnableDate": "2024-05-09T11:50:38+00:00"
        }
    ]
}
antisa@antisa-XPS-13-9310:~$ aws sts get-session-token --serial-number arn:aws:iam::xxxxxxxxxx:mfa/meandmyself --token-code 123456
{
    "Credentials": {
        "AccessKeyId": "ASxxxxxxxxxxxx",
        "SecretAccessKey": "wBxxxxxxxxxxxxxxxxxxxxxxxx",
        "SessionToken": "IQoJb3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "Expiration": "2024-10-16T23:56:17+00:00"
    }
}
</code>
The format in //~/.aws/credentials// should be like:
<code ini>
[myprofile-session]
aws_access_key_id = xxxxxxxxxxxxxxxxxxx
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
aws_session_token = IQoxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
</code>
Here's a bash script that replaces the session creds in the file each time. Just pass it the token code and put in your own serial number. Remember to source it, e.g.
<code bash>
. ~/.local/bin/aws_get_session.sh 1234
</code>
Or just use [[https://github.com/99designs/aws-vault|aws-vault]].
<code bash>
#!/bin/bash
# run this script with source (.) command since we need access to
# the exported AWS_PROFILE variable below in the parent shell e.g.
# . ~/.local/bin/aws_get_session.sh 1234
# debug
# set -x
if [ "${BASH_SOURCE[0]}" -ef "$0" ]
then
    echo "Hey, you should source this script, not execute it!"
    echo "e.g. '. aws_get_session.sh 1234'"
    exit 1
fi
# quote $1: an unquoted empty argument would leave [ -z ] with nothing to test
if [ -z "$1" ]; then
    echo "You must provide 2FA token!"
    return 1
fi
# colors
On_Yellow='\033[43m'
NC='\033[0m' # No Color
echo "Deleting old creds..."
# remove the profile header plus its 3 key lines, exactly what the heredoc below writes
sed -i '/\[myprofile-session\]/,+3d' ~/.aws/credentials
echo "Creating new creds..."
# use the existing long-term profile to request the session token
KST=$(AWS_PROFILE=myprofile aws sts get-session-token --serial-number arn:aws:iam::xxxxxxxxxxxxxx:mfa/meandmyself --token-code "$1")
# stop here if the call failed (wrong token, no network), otherwise an empty profile gets written
if [ -z "$KST" ]; then
    echo "get-session-token failed, no session profile written"
    return 1
fi
cat << EOF >> ~/.aws/credentials
[myprofile-session]
aws_access_key_id = $(echo "$KST" | jq -r '.Credentials.AccessKeyId')
aws_secret_access_key = $(echo "$KST" | jq -r '.Credentials.SecretAccessKey')
aws_session_token = $(echo "$KST" | jq -r '.Credentials.SessionToken')
EOF
# below export will only work when sourcing this script
export AWS_PROFILE=myprofile-session
echo -e "Current AWS_PROFILE set to ${On_Yellow}$AWS_PROFILE${NC}"
</code>
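As an added example (not from the original page, and not part of the script above), here is a Python alternative to the sed/heredoc part of that script: it parses the ''get-session-token'' JSON and replaces the ''[myprofile-session]'' section with ''configparser'', so it works wherever the section sits in the file and cannot eat a neighbouring profile the way a line-count ''sed'' delete can. It also stores the ''Expiration'' field under an extra key so you can check whether the saved session is still valid before using it. The key name ''x_session_expiration'', the assumption that the CLI ignores keys it does not know, the ''demo()'' function and the sample STS output with placeholder values are all mine.

```python
"""Replace one profile in an AWS credentials file with fresh session credentials."""
import configparser
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample: same shape as the `aws sts get-session-token` output on
# this page, but every value is a placeholder, not a real credential.
SAMPLE_STS_JSON = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "wBexampleSecretKeyPlaceholder",
        "SessionToken": "IQoJexampleSessionTokenPlaceholder",
        "Expiration": "2024-10-16T23:56:17+00:00",
    }
})


def write_session_profile(credentials_path, sts_json, profile="myprofile-session"):
    """Parse STS output and write it under `profile`, replacing an existing
    section of that name wherever it sits. Other profiles are left untouched.
    Returns the list of section names in the rewritten file."""
    creds = json.loads(sts_json)["Credentials"]
    cfg = configparser.ConfigParser()
    path = Path(credentials_path)
    if path.exists():
        cfg.read(path)
    if cfg.has_section(profile):
        cfg.remove_section(profile)  # drop the stale session, nothing else
    cfg.add_section(profile)
    cfg[profile]["aws_access_key_id"] = creds["AccessKeyId"]
    cfg[profile]["aws_secret_access_key"] = creds["SecretAccessKey"]
    cfg[profile]["aws_session_token"] = creds["SessionToken"]
    # Hypothetical extra key (assumed to be ignored by the CLI) so the file
    # itself records when this session stops working.
    cfg[profile]["x_session_expiration"] = creds["Expiration"]
    path.parent.mkdir(parents=True, exist_ok=True)
    with open(path, "w") as fh:
        cfg.write(fh)
    path.chmod(0o600)  # credentials file should be readable by the owner only
    return list(cfg.sections())


def session_is_valid(credentials_path, profile="myprofile-session", now=None):
    """True if the stored session profile exists and has not expired yet."""
    cfg = configparser.ConfigParser()
    cfg.read(credentials_path)  # a missing file simply yields no sections
    if not cfg.has_section(profile) or "x_session_expiration" not in cfg[profile]:
        return False
    expires = datetime.fromisoformat(cfg[profile]["x_session_expiration"])
    now = now or datetime.now(timezone.utc)
    return now < expires


def demo():
    """Run the updater against a constructed credentials file in a temp dir.
    The stale session profile deliberately sits between two other profiles."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "credentials"
        path.write_text(
            "[myprofile]\n"
            "aws_access_key_id = AKIAEXAMPLELONGTERM\n"
            "aws_secret_access_key = longTermSecretPlaceholder\n\n"
            "[myprofile-session]\n"
            "aws_access_key_id = ASIASTALE\n"
            "aws_secret_access_key = stale\n"
            "aws_session_token = stale\n\n"
            "[other]\n"
            "aws_access_key_id = AKIAOTHER\n"
            "aws_secret_access_key = otherSecretPlaceholder\n"
        )
        sections = write_session_profile(path, SAMPLE_STS_JSON)
        cfg = configparser.ConfigParser()
        cfg.read(path)
        return {
            "sections": sections,
            "other_kept": cfg["other"]["aws_access_key_id"],
            "new_key": cfg["myprofile-session"]["aws_access_key_id"],
            "valid_before_expiry": session_is_valid(
                path, now=datetime(2024, 10, 16, 12, tzinfo=timezone.utc)),
            "valid_after_expiry": session_is_valid(
                path, now=datetime(2024, 10, 17, tzinfo=timezone.utc)),
        }


if __name__ == "__main__":
    print(demo())
```

In real use you would feed ''write_session_profile'' the output of ''aws sts get-session-token'' (for example via ''subprocess.run(..., capture_output=True)'') and call ''session_is_valid'' at the top of your wrapper so it only prompts for a new 2FA code when the saved session has actually expired.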
====== Tested on ======
* aws-cli/2.12.5 Python/3.11.4 Linux/6.8.0-45-generic exe/x86_64.ubuntu.22 prompt/off
====== See also ======
* [[wiki:aws_cli_commands|aws cli commands]]
====== References ======
* https://stackoverflow.com/questions/34795780/how-to-use-mfa-with-aws-cli
* https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html