Helper script for using MFA with the aws cli. Requires python3.
.. code:: bash
usage: mfa-aws [options]
updates aws credentials file with temporary sts credentials obtained with mfa
optional arguments: -h, --help show this help message and exit -d, --debug Enable debug -c CONFIG_FILE, --config-file CONFIG_FILE config file to load mfa details [~/.aws/mfa-config] -p PROFILE, --profile PROFILE profile to be loaded from the config file [default]
Before
**[~/.aws/credentials]**
^^^^^^^^^^^^^^^^^^^^^^^^^^
.. code:: bash
[default]
aws_access_key_id = ASIADSJFKDSF3242
aws_secret_access_key = FDSFSDKJFd/fdsfSDFSFfDSF4837fdDSFHDKSFsd0D
[other-account-default]
aws_access_key_id = ASIADSGFDDFG3897
aws_secret_access_key = DFGKSJGSDKJGSDKJ4636//43643KJ353KJH/KFDFSDFS/DLKDKSFsd0D
**[~/.aws/mfa-config]**
^^^^^^^^^^^^^^^^^^^^^^^^^
.. code:: bash
[profile default]
mfa_serial = arn:aws:iam::111111111111:mfa/username
dest_profile = default-mfa
[profile other-account]
mfa_serial = arn:aws:iam::999999999999:mfa/username
dest_profile = other-account-mfa
source_profile = other-account-default
Run
~~~
.. code:: bash
MBP-USERNAME:~ username$ mfa-aws
token code for arn:aws:iam::111111111111:mfa/username: 111111
MBP-USERNAME:~ username$
MBP-USERNAME:~ username$ mfa-aws -p other-account
token code for arn:aws:iam::999999999999:mfa/username: 999999
MBP-USERNAME:~ username$
After
~~~~~
.. _awscredentials-1:
**[~/.aws/credentials]**
^^^^^^^^^^^^^^^^^^^^^^^^^^
.. code:: bash
[default]
aws_access_key_id = ASIADSJFKDSF3242
aws_secret_access_key = FDSFSDKJFd/fdsfSDFSFfDSF4837fdDSFHDKSFsd0D
[other-account-default]
aws_access_key_id = ASIADSGFDDFG3897
aws_secret_access_key = DFGKSJGSDKJGSDKJ4636//43643KJ353KJH/KFDFSDFS/DLKDKSFsd0D
[default-mfa]
aws_access_key_id = ASIADSJFKDSF3242
aws_secret_access_key = FDSFSDKJFd/fdsfSDFSFfDSF4837fdDSFHDKSFsd0D
aws_session_token = RIKJSFSAFJAS128753718965/352523//35jfhdssdDSJFKRIKJSFSAFJAS128753718965/352523//35jfhdssdDSJFKRIKJSFSAFJAS128753718965/352523//35jfhdssdDSJFK
[other-account-mfa]
aws_access_key_id = ASIADSGFDDFG3897
aws_secret_access_key = DFGKSJGSDKJGSDKJ4636//43643KJ353KJH/KFDFSDFS/DLKDKSFsd0D
aws_session_token = DFKJSF8732ASFAJKFHFHK324423/rekjAF/33kjfDFJKKJFDDFKJSF8732ASFAJKFHFHK324423/rekjAF/33kjfDFJKKJFDDFKJSF8732ASFAJKFHFHK324423/rekjAF/33kjfDFJKKJFD
Integrations
------------
YubiKey
The TOTP functionality of YubiKey tokens can be integrated on the cli through the ykman cli utility. Just specify the yubikey_credential_name in the mfa-config profile.
.. code:: bash
[profile yubikey-account] mfa_serial = arn:aws:iam::999999999999:mfa/jamie yubikey_credential_name = AWS:jamie@yubikey-account dest_profile = yubikey-account-mfa source_profile = yubikey-account-default
yubikey_credential_name is of the form Issuer:AccountName and can be viewed with the following ykman command.
.. code:: bash
ykman oath list
FAQs
MFA helper script for AWS
We found that mfa-aws demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago.Ā It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Malicious PyPI checkers validate stolen emails against TikTok and Instagram APIs, enabling targeted account attacks and dark web credential sales.
Security News
The Node.js TSC opted not to endorse a feature bounty program, citing concerns about incentives, governance, and project neutrality.
Research
Security News
A look at the top trends in how threat actors are weaponizing open source packages to deliver malware and persist across the software supply chain.