Script to fetch an MFA session token so you can use temporary AWS access credentials.
Tested on macOS Catalina; it should also work on Linux. Requires oath-toolkit for the auto-generated TOTP code.
The profile name should be the name of the profile stanza in your `~/.aws/credentials` file, as used by the aws-cli.
The ARN should be the ARN of your MFA device as shown in the AWS console.
The MFA code is the code your MFA device gives you. If you locally save the secret used to generate a virtual MFA device (not the 6-8 digit code, the actual secret key), you can use the built-in TOTP generator. Just set the secret's location and any decryption steps it needs in `mfa.sh`.
Remember, the env variables set by this script only persist in that individual terminal session, unless the token file is sourced in your profile. However, the temporary credentials are also written to `.token_file` in the configured directory and printed to the console, so you can always run the following command in a new window:

```
source ~/aws-mfa-script-master/.token_file
```
- Extract the files to your home directory, `~/aws-mfa-script-master` (if elsewhere, make sure you change `mfa.sh` and `alias.sh`).
- Add `source ./alias.sh` to your `~/.bashrc` (if you aren't already calling rc from your profile, make sure you also add it to `.bash_profile`/`.zprofile`).
- Create an `mfa.cfg` file for your profile and ARN. See `SAMPLE-mfa.cfg` for examples.
- Add a profile name and MFA ARN to `mfa.cfg` for each aws cli profile you wish to use. The key should be the profile name and the value should be the ARN of the MFA device to use for that profile.
- Create an AWS CLI access key in IAM. Download the .csv and export it to your local credentials file, such as `~/.aws/credentials`. See `aws_creds_example`.
- Set up MFA in AWS; save the generation secret locally if you wish to use auto-TOTP.
At a command prompt run the following command. Using `0` as the mfacode will use the auto-TOTP generator.

```
mfa <mfacode> <optional-aws-profile> <optional-expiration-seconds>
mfa 123789 default 43200
mfa 0
```
Scripts run in a subprocess of the calling shell. This means that if you attempt to set the env vars in the script, they will only persist inside that subprocess. The `alias.sh` script defines an alias function that sources the env vars into your main shell whenever you run the `mfa` command.
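To make the usage and the subprocess point above concrete, here is an added example of the core of such an `mfa` shell function; it is not the project's own `mfa.sh` or `alias.sh`. It assumes `mfa.cfg` holds one `profile=arn` line per profile, that the TOTP secret (when `0` is passed) is a plain base32 string in `.totp_secret` under the install dir, and that the sample ARNs and credentials in the comments are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example, not the project's mfa.sh. Assumptions: MFA_DIR is the install
# dir, mfa.cfg holds "profile=arn" lines, .totp_secret holds the base32 secret.
MFA_DIR="${MFA_DIR:-$HOME/aws-mfa-script-master}"
TOKEN_FILE="$MFA_DIR/.token_file"

# Look up the MFA device ARN for a profile in mfa.cfg; lines starting with '#'
# are comments. Usage: mfa_arn_for_profile <cfg-file> <profile>
mfa_arn_for_profile() {
  local cfg="$1" profile="$2" key value
  while IFS='=' read -r key value || [ -n "$key" ]; do
    case "$key" in ''|\#*) continue ;; esac
    if [ "$key" = "$profile" ]; then
      printf '%s\n' "$value"
      return 0
    fi
  done < "$cfg"
  echo "mfa: no ARN for profile '$profile' in $cfg" >&2
  return 1
}

# Turn the tab-separated result of `aws sts get-session-token --output text`
# (AccessKeyId SecretAccessKey SessionToken Expiration) into export lines.
mfa_format_exports() {
  local key secret token expiry
  IFS=$'\t' read -r key secret token expiry <<< "$1"
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "$key"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$secret"
  printf 'export AWS_SESSION_TOKEN=%s\n' "$token"
  printf '# session expires %s\n' "$expiry"
}

# mfa <code|0> [profile] [duration-seconds]: 0 means generate the TOTP locally
# with oathtool. Must be defined in the caller's shell (as alias.sh does) so
# the exports persist; run as a plain script they would die with the subprocess.
mfa() {
  local code="$1" profile="${2:-default}" duration="${3:-43200}" arn creds
  arn="$(mfa_arn_for_profile "$MFA_DIR/mfa.cfg" "$profile")" || return 1
  if [ "$code" = "0" ]; then
    code="$(oathtool --totp -b "$(cat "$MFA_DIR/.totp_secret")")" || return 1
  fi
  creds="$(aws sts get-session-token --profile "$profile" \
      --serial-number "$arn" --token-code "$code" \
      --duration-seconds "$duration" --output text \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]')" || return 1
  mfa_format_exports "$creds" > "$TOKEN_FILE"
  chmod 600 "$TOKEN_FILE"   # the file holds live credentials: owner-only
  . "$TOKEN_FILE"
}
```

Because `.token_file` contains usable credentials until the session expires, keeping it owner-only (as the `chmod 600` does) matters as much as the MFA step itself.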