AWS Multi-factor authentication CLI helper
The aws2fa tool helps to generate temporary MFA-authenticated credentials and save the MFA configuration for later use.
After generating the temporary tokens, you can copy-paste them to any Unix server and get temporary access to AWS.
Example:
root@565ee0b2249b:/# aws2fa -p personal_vb_trial
2020-09-25 19:04:16,955 - INFO - Generating MFA code from MFA token...
2020-09-25 19:04:16,955 - INFO - Using 'mfa_token' from config file '~/.aws/aws_2fa'...
2020-09-25 19:04:16,956 - INFO - Using 'mfa_arn' from config file '~/.aws/aws_2fa'...
2020-09-25 19:04:16,956 - INFO - Using 'session_duration' from cli args...
2020-09-25 19:04:16,957 - INFO - Using 'role_arn' from config file '~/.aws/aws_2fa'...
2020-09-25 19:04:16,985 - INFO - Generating assumed role session credentials...
# Copy the commands to cli for using in unix terminal:
export AWS_ACCESS_KEY_ID='ASIAXGY2YZYUTD2PSS'
export AWS_SECRET_ACCESS_KEY='jSUg/[J6SiNcaKVWE]/D/ZEVH7ZU6Yd3psmjkELnmh'
export AWS_SESSION_TOKEN='FwoGZXIvYXdzENX]]]wEaDNzdzVaDp9stmO9HcSK1AV4S5xS2MayC8y+zjmli2JOt0bibeN1GfhnvJkB7hGYqaOc3AIWymYGjqejQ8RHS5oD2mOosJyVnvZwaMkPFtHWrL7vzJrZnowV6kM+EfvzUgTKvhrriHR2T6cA6kwAAIuz/T38X0xts2LaktGjcqbQMpFPaHxvRPpLcLCcHOio/DwRAPxJqoy0TfqvWWvmf6SgmTGuD5TFVyJG61EMacBWiuj/UwEsb32lWEYHdxKYi2iD2j/gosf64+wUyLXpWSax7UvZZAYMA6pbJ88rJ++mTtuZuSuC8nc68S6lNWg=='
aws2fa is packed in a container, so you can use it anywhere Docker is installed.
aws2fa can autogenerate the MFA codes instead of retyping them from your MFA device every time:
aws2fa -p my_profile
or
aws2fa -p my_profile --mfa_code 231245
aws2fa mounts your $HOME/.aws/credentials file from your host to the container, so you don't need to rebuild or restart the container if your $HOME/.aws/credentials file was changed.
clone the repo
git clone https://github.com/vadymbat/aws-2fa.git
build an image
cd aws-2fa
docker build -t aws-2fa .
run a container
docker run -it --rm --mount type=bind,source=$HOME/.aws,target=/root/.aws aws-2fa
aws2fa with autocompletion inside the container
The container accesses the original ~/.aws/credentials file from your host. So if you update the file from the container, the changes will be applied to the host file and vice versa.
The CLI parameters:
usage: aws2fa [-h] [--profile PROFILE] [--role_arn ROLE_ARN] [--mfa_arn MFA_ARN] [--mfa_token MFA_TOKEN | --mfa_code MFA_CODE]
              [--session_duration SESSION_DURATION] [--save] [--quiet]
Generate MFA authenticated AWS credentials for CLI exporting. If you put an MFA base32 token to the '--mfa_token' argument, your MFA code will be autogenerated.
Within the AWS the token is available only when you create a Virtual MFA device for AWS user. Alternatively, you can use your existing Virtual MFA device and
provide the code with the '--mfa_code' parameter. Use '--save' to save your configuration e.g. mfa_arn, role_arn, or mfa_token to '~/.aws/aws_2fa' file, so next
time you need only fill the '--profile' parameter, the rest will be taken from the config file. The CLI arguments have higher priority than the config file.
optional arguments:
  -h, --help            show this help message and exit
  --profile PROFILE, -p PROFILE
                        AWS profile from '~/.aws/credentials'
  --role_arn ROLE_ARN, -r ROLE_ARN
                        IAM role to assume using provided profile credentials
  --mfa_arn MFA_ARN, -ma MFA_ARN
                        Arn of your AWS Virtual MFA device
  --mfa_token MFA_TOKEN, -mt MFA_TOKEN
                        MFA token to autogenerate your MFA code
  --mfa_code MFA_CODE, -mc MFA_CODE
                        MFA code from your device
  --session_duration SESSION_DURATION, -sd SESSION_DURATION
                        How long your credentials will be valid
  --save, -s            Save the configuration for that profile to '~/.aws/aws_2fa'
  --quiet               Do not print info output