aws-iam-login
allows you to login using MFA as the IAM user itself. Once logged in your temporary credentials are
stored in the ~/.aws/credentials
file for re-use.
You will need to configure your roles and IAM User credentials in the same places as you are used to. So in your
~/.aws/credentials
file. To make this process as easy as possible you could use the following command:
aws-iam-login my-profile init
This command will fetch the ARN of the caller identity. Based on this identity we will determin the username
and
mfa_serial
of the IAM User. These will then be stored in the ~/.aws/credentials
file. For example:
[my-profile]
aws_access_key_id = XXXXXXX
aws_secret_access_key = XXXXXXXXXXXXXXXXXXXXXXXXXXXX
mfa_serial = arn:aws:iam::111122223333:mfa/my-iam-user
username = my-iam-user
The only addition is the username
and mfa_serial
fields.
Assuming you have an IAM User that is already configured you will need the following permissions to use aws-iam-login
:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSessionTokeUsingMFA",
"Effect": "Allow",
"Action": [
"sts:GetSessionToken"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "AllowAccessKeyRotation",
"Effect": "Allow",
"Action": [
"iam:ListAccessKeys",
"iam:CreateAccessKey",
"iam:UpdateAccessKey",
"iam:DeleteAccessKey"
],
"Resource": [
"arn:aws:iam::111122223333:user/${aws:username}"
]
}
]
}
When you want to make use of the MFA authenticated session of a configured profile. You will need to configure the following:
[profile my-role-1]
role_arn = arn:aws:iam::111122223333:role/my-role-1
source_profile = my-profile-sts
region = eu-west-1
Then when you perform your AWS cli calls you can use the AWS_PROFILE=my-role-1
as you are used to. But the first time it will fail. The reason for this is that the my-profile-sts
source profile does not exist (or the credentials are expired).
Perform the following command to login, this command will ask for your MFA Token:
aws-iam-login my-profile
This authenticates against the AWS API and request temporary credentials from AWS using your MFA Token. These credentials are then stored as <profile-name>-sts
.
So the next time you use AWS_PROFILE=my-role-1
the credentials will be present and not expired.
Because you are already authenticated using MFA there is no need to provide an MFA token when you assume the role. When you switch a lot between roles you really benefit from not having to type your MFA token each time you switch.
It is advised to rotate your credentials regularly. aws-iam-login
can help with that! By executing the following command:
aws-iam-login my-profile rotate
This command will execute the following actions:
- List all available keys for the user, when 1 key is active rotation is possible!
- Create a new AccessKey and SecretAccessKey.
- Use the newly created keys to deactivate the old keys.
- Write the new keys to the
~/.aws/configuration
file. - Delete the old keys.