Introduction

One of the basic but crucial things to secure cloud account(s) is to enable MFA on your accounts. Apart from instance keys, leaked IAM credentials are also a huge contributor to the various breaches we keep hearing about.

Enabling MFA for all your users by default is a great first step. This also means restricting access to services for users who have not authenticated with MFA. But this can cause some discomfort.

Problem

The issue arises mainly for aws cli use. Because of the restrictive policy, the regular access key and secret key on their own don't work. A new temporary credential needs to be requested every time you want to work with the aws cli.

How can we address this issue?

Solution(s)

Basics

Assuming you already have a default named profile setup like so,

    [default]
    aws_access_key_id=SOMETHING
    aws_secret_access_key=SOMEKEY
    region=us-east-1

You can use this command to get the temporary credentials for use:

    aws sts get-session-token --duration-seconds 900 \
        --serial-number arn:aws:iam::aws_account_id:mfa/iam_user \
        --profile=default --token-code=mfa_token

Response

    {
        "Credentials": {
            "SecretAccessKey": "secret_key",
            "SessionToken": "temporary_token",
            "Expiration": "expiration_datetime",
            "AccessKeyId": "access_key"
        }
    }

Now you can either export these as environment variables or create a new named profile to use with the aws cli. But that's a lot of work, right? 😒

A Shortcut

Fret not, we will reduce a few steps.

The above commands and steps can easily be packaged into a script. I have added such a script here but some groundwork is needed for initial setup.

  1. Identify a backup directory like /home/users/iam_user/backup
  2. Install jq and append its location to PATH for the script to use
  3. Download the script under /tmp and update the variables as per your environment

     # This is your home directory on the local system
     home="/home/users/iam_user"

     # temporary path the script will use
     base="/tmp"

     # validity of the token, this is the max (36 hours)
     validity="129600"

     # aws account id
     account="123456890"

     # your iam user on aws account
     iam_user="iam_user"

Once done, for subsequent runs, only the following steps are needed.

  1. Generate a new token by running the script and providing the MFA token as the first and only argument

     sh login.sh 123456

     Response

     export AWS_PROFILE=mfa

  2. Run the above output (export AWS_PROFILE=mfa) on the terminal, and start using the new profile!
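A minimal login.sh of the kind described above, added here as an example and not the script from the post. It assumes the aws cli and jq are on PATH, that the [default] profile holds the long-lived keys, and that the account id and IAM user name are the post's placeholders; the temporary keys are written to an "mfa" profile in ~/.aws/credentials, replacing any earlier one, so the file is never left with stale session tokens.

```shell
#!/bin/sh
# Added example: request MFA session credentials from STS and store them in an
# "mfa" profile, the flow the post's login.sh automates. Assumes the aws cli and
# jq are on PATH and a [default] profile holds the long-lived keys.
set -eu

account="123456890"   # placeholder account id, as in the post
iam_user="iam_user"   # IAM user whose MFA device is used
validity="129600"     # 36 hours, the maximum for get-session-token
creds_file="${HOME:-.}/.aws/credentials"

# Render one INI profile block from the three credential values.
render_profile() {
  printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n' \
    "$1" "$2" "$3" "$4"
}

# Replace (or append) the named profile in a credentials file; other profiles
# are kept untouched and the file stays readable only by the owner.
upsert_profile() {
  file="$1"; name="$2"; block="$3"
  mkdir -p "$(dirname "$file")"
  tmp="$(mktemp)"
  if [ -f "$file" ]; then
    # drop the old [name] section up to the next section header
    awk -v p="[$name]" '$0 == p {skip=1; next} /^\[/ {skip=0} !skip' "$file" > "$tmp"
  fi
  printf '%s\n' "$block" >> "$tmp"
  chmod 600 "$tmp"
  mv "$tmp" "$file"
}

# Ask STS for temporary keys using the MFA code and write them to the mfa profile.
mfa_login() {
  json="$(aws sts get-session-token --duration-seconds "$validity" \
    --serial-number "arn:aws:iam::${account}:mfa/${iam_user}" \
    --profile=default --token-code="$1")"
  key="$(printf '%s' "$json" | jq -r .Credentials.AccessKeyId)"
  secret="$(printf '%s' "$json" | jq -r .Credentials.SecretAccessKey)"
  token="$(printf '%s' "$json" | jq -r .Credentials.SessionToken)"
  upsert_profile "$creds_file" mfa "$(render_profile mfa "$key" "$secret" "$token")"
  echo "export AWS_PROFILE=mfa"
}

# Usage: sh login.sh 123456
if [ -n "${1:-}" ]; then
  mfa_login "$1"
fi
```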

I am feeling lazy!

Switching to a directory, typing out the script name is still too much work! 😒

Let’s reduce some more steps.

  1. Add this to your .bash_profile

     echo "export AWS_PROFILE=mfa" >> ~/.bash_profile

  2. Add an alias to your .bash_profile. Now you can run it from anywhere on the system

     echo "alias awsmfalogin='sh /tmp/login.sh'" >> ~/.bash_profile

  3. Simply invoke the script as below, and start using the aws-cli

     awsmfalogin 123456

You are now authenticated and authorized in ONE command! 👏

Conclusion

MFA is a necessary precaution to keep cloud accounts secure, but it also introduces some additional steps every few hours during the work day. Hopefully, this quick snippet will help reclaim some of that time 👍

Note: Code mentioned above is here
