One of the basic but crucial things to secure cloud account(s) is to enable MFA on your accounts. Apart from instance keys, leaked IAM credentials are also a huge contributor to the various breaches we keep hearing about.

Enabling MFA for all your users by default is a great first step. This also means restricting access to services for non-MFA authenticated users. But this can cause some discomfort.

The Problem

The issue arises mainly for aws cli use. Due to the restricted policy, the regular access key and secret key alone don’t work. A new temporary credential needs to be requested every time you want to work with the aws cli.

How can we address this issue?

The Solution(s)

The basics

Assuming you already have a default named profile set up like so,

[default]
aws_access_key_id=SOMETHING
aws_secret_access_key=SOMEKEY
region=us-east-1

You can use this command to get the temporary credentials for use:

aws sts get-session-token --duration-seconds 900 \
    --serial-number arn:aws:iam::aws_account_id:mfa/iam_user \
    --profile=default --token-code=mfa_token

Response

{
    "Credentials": {
        "SecretAccessKey": "secret_key",
        "SessionToken": "temporary_token",
        "Expiration": "expiration_datetime",
        "AccessKeyId": "access_key"
    }
}

Now you can either export this as environment variable or create a new named profile to use aws cli. But that’s a lot of work, right? 😒

A shortcut

Fret not, we will reduce a few steps.

The above commands and steps can easily be packaged into a script. I have added such a script here but some groundwork is needed for initial setup.

  1. Identify a backup directory like /home/users/iam_user/backup
  2. Install jq and append its location to PATH for the script to use
  3. Download the script under /tmp and update the variables as per your environment
    # This is your home directory on the local system
    home="/home/users/iam_user"

    # temporary path the script will use
    base="/tmp"

    # validity of the token, this is the max (36 hours)
    validity="129600"

    # aws account id
    account="123456890"

    # your iam user on aws account
    iam_user="iam_user"

Once done, for subsequent runs, only the following steps are needed.

  1. Generate a new token by running the script and providing the MFA token as the first and only argument

    sh login.sh 123456
    Response
    export AWS_PROFILE=mfa

  2. Run the above output (export AWS_PROFILE=mfa) on the terminal, and start using the new profile!
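The script the post links is not reproduced on this page, so the following is an added example in the same shape, written for this page and not the author's code: it requests the session token, backs up the shared credentials file, rewrites the [mfa] profile in it, and prints the export line. The account id, IAM user and backup path are placeholders, and sed stands in for the jq dependency so the script runs with POSIX tools only.

```shell
#!/bin/sh
# Added example (not the original post's script). Placeholder values below
# must be replaced with your own; ACCOUNT and IAM_USER are assumptions.
set -eu

ACCOUNT="123456789012"   # placeholder AWS account id
IAM_USER="iam_user"      # placeholder IAM user name
VALIDITY="129600"        # 36 hours, the maximum for get-session-token
CREDS="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
BACKUP_DIR="${HOME}/backup"

# Extract one string field from the STS JSON response without jq.
json_field() {
    # $1 = JSON text, $2 = key name (each key appears once in the response)
    printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Replace (or append) the [mfa] section in the credentials file, keeping a
# timestamped backup of the previous file and locking permissions to owner.
write_mfa_profile() {
    # $1 = credentials file, $2 = access key id, $3 = secret key, $4 = session token
    file="$1"
    mkdir -p "$(dirname "$file")"
    if [ -f "$file" ]; then
        mkdir -p "$BACKUP_DIR"
        cp "$file" "$BACKUP_DIR/credentials.$(date +%Y%m%d%H%M%S)"
        # Drop the stale [mfa] section: from its header up to the next header.
        awk '/^\[mfa\]/{skip=1; next} /^\[/{skip=0} !skip' "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    fi
    {
        printf '[mfa]\n'
        printf 'aws_access_key_id = %s\n' "$2"
        printf 'aws_secret_access_key = %s\n' "$3"
        printf 'aws_session_token = %s\n' "$4"
    } >> "$file"
    chmod 600 "$file"
}

# Request a session token with the MFA code and store it under the mfa profile.
mfa_login() {
    # $1 = the 6-digit code from the MFA device
    json="$(aws sts get-session-token --duration-seconds "$VALIDITY" \
        --serial-number "arn:aws:iam::${ACCOUNT}:mfa/${IAM_USER}" \
        --profile default --token-code "$1")"
    write_mfa_profile "$CREDS" "$(json_field "$json" AccessKeyId)" \
        "$(json_field "$json" SecretAccessKey)" "$(json_field "$json" SessionToken)"
    echo "export AWS_PROFILE=mfa"
}

if [ "$#" -eq 1 ]; then mfa_login "$1"; fi
```

Because the long-lived keys stay in [default] and only the [mfa] profile is rewritten, a leaked credentials file from this flow still exposes the permanent key, so the backup directory deserves the same 600 permissions as the file itself.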

Feeling lazy

Switching to a directory, typing out the script name is still too much work! 😒

Let’s reduce some more steps.

  1. Add this to your .bash_profile
    echo "export AWS_PROFILE=mfa" >> ~/.bash_profile
  2. Add an alias to your .bash_profile. Now you can run it from anywhere on the system
    echo "alias awsmfalogin='sh /tmp/login.sh'" >> ~/.bash_profile
  3. Simply invoke the script as below, and start using the aws-cli
    awsmfalogin 123456 

You are now authenticated and authorized in ONE command! 👏

Conclusion

MFA is a necessary precaution to keep cloud accounts secure, but it also introduces some additional steps every few hours during the work day. Hopefully, this quick snippet will help reclaim some of that time 👍

Note: Code mentioned above is here
