wiki:aws_cli_2fa
Table of Contents
AWS CLI with 2FA
If 2FA is enabled on your AWS account, in order to use aws
cli command from terminal you need to get the fresh credentials. First get the arn:
aws iam list-mfa-devices --user-name meandmyself
Then get the creds:
aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token
The arn-of-the-mfa-device is from the first command and code-from-token is just the 6-digit code from your 2FA app on your phone or somewhere.
Then copy paste all of the fields in ~/.aws/credentials file, but put it under a different profile since you stil need the non-expiration creds used in commands above.
Example:
antisa@antisa-XPS-13-9310:~$ aws iam list-mfa-devices { "MFADevices": [ { "UserName": "ante", "SerialNumber": "arn:aws:iam::xxxxxxxxxxxx:mfa/meandmyself", "EnableDate": "2024-05-09T11:50:38+00:00" } ] } antisa@antisa-XPS-13-9310:~$ aws sts get-session-token --serial-number arn:aws:iam::xxxxxxxxxx:mfa/meandmyself --token-code 123456 { "Credentials": { "AccessKeyId": "ASxxxxxxxxxxxx", "SecretAccessKey": "wBxxxxxxxxxxxxxxxxxxxxxxxx", "SessionToken": "IQoJb3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "Expiration": "2024-10-16T23:56:17+00:00" } }
The format in ~/.aws/credentials should be like:
[myprofile-session] aws_access_key_id = xxxxxxxxxxxxxxxxxxx aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx aws_session_token = IQoxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Here's a bash script that adds the creds each time to the file. Just pass it token-code and add your serial number. Remember to source it e.g.
. ~/.local/bin/aws_get_session.sh 1234
- aws_get_session.sh
#!/bin/bash # run this script with source (.) command since we need access to # the exported AWS_PROFILE variable below in the parent shell e.g. # . ~/.local/bin/aws_get_session.sh 1234 # debug # set -x if [ "${BASH_SOURCE[0]}" -ef "$0" ] then echo "Hey, you should source this script, not execute it!" echo "e.g. '. aws_get_session.sh 1234'" exit 1 fi if [ -z $1 ];then echo "You must provide 2FA token!" return 1 fi # colors On_Yellow='\033[43m' On_White='\033[47m' NC='\033[0m' # No Color echo "Deleting old creds..." sed -i '/\[myprofile-session\]/,+4d' ~/.aws/credentials echo "Creating new creds..." # use existing profile KST=$(AWS_PROFILE=myprofile aws sts get-session-token --serial-number arn:aws:iam::xxxxxxxxxxxxxx:mfa/meandmyself --token-code "$1") cat << EOF >> ~/.aws/credentials [myprofile-session] aws_access_key_id = $(echo "$KST" | jq '.Credentials.AccessKeyId' | tr -d '"') aws_secret_access_key = $(echo "$KST" | jq '.Credentials.SecretAccessKey' | tr -d '"') aws_session_token = $(echo "$KST" | jq '.Credentials.SessionToken' | tr -d '"') EOF # below export will only work when sourcing this script export AWS_PROFILE=myprofile-session echo -e "Current AWS_PROFILE set to ${On_Yellow}$AWS_PROFILE${NC}"
Tested on
- aws-cli/2.12.5 Python/3.11.4 Linux/6.8.0-45-generic exe/x86_64.ubuntu.22 prompt/off
See also
References
wiki/aws_cli_2fa.txt · Last modified: 2024/10/29 13:58 by antisa