
AWS CLI with 2FA

If 2FA is enabled on your AWS account, you need to obtain fresh temporary credentials before you can run aws cli commands from the terminal. First get the ARN of your MFA device:

aws iam list-mfa-devices --user-name meandmyself

Then get the creds:

aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token

The arn-of-the-mfa-device is the SerialNumber printed by the first command, and code-from-token is just the current 6-digit code from your 2FA app on your phone or wherever it lives.

Then copy and paste all of the fields into the ~/.aws/credentials file, but put them under a different profile, since you still need the long-term (non-expiring) credentials for the commands above.

Example:

antisa@antisa-XPS-13-9310:~$ aws iam list-mfa-devices
{
    "MFADevices": [
        {
            "UserName": "ante",
            "SerialNumber": "arn:aws:iam::xxxxxxxxxxxx:mfa/meandmyself",
            "EnableDate": "2024-05-09T11:50:38+00:00"
        }
    ]
}

antisa@antisa-XPS-13-9310:~$ aws sts get-session-token --serial-number arn:aws:iam::xxxxxxxxxx:mfa/meandmyself --token-code 123456
{
    "Credentials": {
        "AccessKeyId": "ASxxxxxxxxxxxx",
        "SecretAccessKey": "wBxxxxxxxxxxxxxxxxxxxxxxxx",
        "SessionToken": "IQoJb3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "Expiration": "2024-10-16T23:56:17+00:00"
    }
}

The format in ~/.aws/credentials should look like this:

[myprofile-session]
aws_access_key_id = xxxxxxxxxxxxxxxxxxx
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
aws_session_token = IQoxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Here's a bash script that adds the creds to the file each time. Just pass it the token code and put your own serial number in it. Remember to source it, e.g.

. ~/.local/bin/aws_get_session.sh 1234
aws_get_session.sh
#!/bin/bash
# Run this script with the source (.) command: the AWS_PROFILE export at the
# bottom must land in the parent shell, e.g.
# . ~/.local/bin/aws_get_session.sh 1234

# debug
# set -x

if [ "${BASH_SOURCE[0]}" -ef "$0" ]
then
      echo "Hey, you should source this script, not execute it!"
      echo "e.g. '. aws_get_session.sh 1234'"
      exit 1
fi

# quote $1 so an empty or missing argument is still tested correctly
if [ -z "$1" ]; then
  echo "You must provide 2FA token!"
  return 1
fi

# colors
On_Yellow='\033[43m'
On_White='\033[47m'
NC='\033[0m' # No Color

echo "Deleting old creds..."
# the heredoc below writes exactly 5 lines (header, 3 keys, blank), so +4 removes all of them
sed -i '/\[myprofile-session\]/,+4d' ~/.aws/credentials

echo "Creating new creds..."
# use the existing long-term profile to request the session; replace the serial number with your own
KST=$(AWS_PROFILE=myprofile aws sts get-session-token --serial-number arn:aws:iam::xxxxxxxxxxxxxx:mfa/meandmyself --token-code "$1")
# stop here if STS rejected the token, otherwise the heredoc would write "null" values
if [ $? -ne 0 ] || [ -z "$KST" ]; then
  echo "get-session-token failed, no session profile written"
  return 1
fi
cat << EOF >> ~/.aws/credentials
[myprofile-session]
aws_access_key_id = $(echo "$KST" | jq -r '.Credentials.AccessKeyId')
aws_secret_access_key = $(echo "$KST" | jq -r '.Credentials.SecretAccessKey')
aws_session_token = $(echo "$KST" | jq -r '.Credentials.SessionToken')

EOF
# session creds are secrets too: keep the file readable by the owner only
chmod 600 ~/.aws/credentials

# the export below only reaches the parent shell when this script is sourced
export AWS_PROFILE=myprofile-session
echo -e "Current AWS_PROFILE set to ${On_Yellow}$AWS_PROFILE${NC}"
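
A more robust way to do the profile rewrite that the script above does with sed and a heredoc, as an added Python example that is not part of this page or its script: it replaces the session profile with an INI parser instead of a fixed-line-count delete, checks the Expiration field from the get-session-token output before a session is reused, and writes the file owner-only. The sample credentials file and STS JSON below are constructed; the profile names follow the page.

```python
import configparser
import io
import json
import os
from datetime import datetime, timezone

# Constructed sample credentials file: the long-term profile plus a stale session profile.
SAMPLE_CREDENTIALS = """[myprofile]
aws_access_key_id = AKIAEXAMPLELONGTERM
aws_secret_access_key = longtermsecretEXAMPLE

[myprofile-session]
aws_access_key_id = ASIAOLDSESSIONEXAMPLE
aws_secret_access_key = oldsecretEXAMPLE
aws_session_token = oldtokenEXAMPLE
"""

# Constructed sample in the shape `aws sts get-session-token` prints.
SAMPLE_STS_JSON = """{"Credentials": {"AccessKeyId": "ASIANEWSESSIONEXAMPLE",
  "SecretAccessKey": "newsecretEXAMPLE", "SessionToken": "IQoJb3EXAMPLEtoken",
  "Expiration": "2024-10-16T23:56:17+00:00"}}"""

def write_session_profile(credentials_text, sts_json, profile="myprofile-session"):
    """Return credentials_text with `profile` rebuilt from the STS JSON; the
    INI parser replaces the whole section whatever its line count and leaves
    the long-term profile untouched."""
    creds = json.loads(sts_json)["Credentials"]
    cfg = configparser.ConfigParser(interpolation=None)  # tokens may contain '%'
    cfg.read_string(credentials_text)
    cfg.remove_section(profile)  # harmless when the section does not exist yet
    cfg.add_section(profile)
    cfg[profile]["aws_access_key_id"] = creds["AccessKeyId"]
    cfg[profile]["aws_secret_access_key"] = creds["SecretAccessKey"]
    cfg[profile]["aws_session_token"] = creds["SessionToken"]
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()

def session_is_valid(sts_json, now_iso=None):
    """True while the Expiration timestamp from STS is still in the future."""
    exp = datetime.fromisoformat(json.loads(sts_json)["Credentials"]["Expiration"])
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return exp > now

def save_credentials(path, text):
    """Write the file owner-only (0600): session tokens are secrets too."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, 0o600)  # os.open's mode only applies when the file is created
```

Call save_credentials with the path of your credentials file (for example ~/.aws/credentials, expanded with os.path.expanduser) and the text returned by write_session_profile.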

Tested on

  • aws-cli/2.12.5 Python/3.11.4 Linux/6.8.0-45-generic exe/x86_64.ubuntu.22 prompt/off

wiki/aws_cli_2fa.txt · Last modified: 2024/10/29 13:58 by antisa

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal