Project author: vadymbat

Project description:
AWS Multi-factor authentication CLI helper
Language: Python
Project URL: git://github.com/vadymbat/aws-2fa.git
Created: 2020-08-01T12:28:13Z
Project community: https://github.com/vadymbat/aws-2fa

License: MIT License


AWS Multi-factor authentication CLI helper

The aws2fa tool generates temporary MFA-authenticated credentials and can save the MFA configuration for later use.

After generating the temporary tokens, you can copy and paste them to any Unix server to get temporary access to AWS.

Example:

    root@565ee0b2249b:/# aws2fa -p personal_vb_trial
    2020-09-25 19:04:16,955 - INFO - Generating MFA code from MFA token...
    2020-09-25 19:04:16,955 - INFO - Using 'mfa_token' from config file '~/.aws/aws_2fa'...
    2020-09-25 19:04:16,956 - INFO - Using 'mfa_arn' from config file '~/.aws/aws_2fa'...
    2020-09-25 19:04:16,956 - INFO - Using 'session_duration' from cli args...
    2020-09-25 19:04:16,957 - INFO - Using 'role_arn' from config file '~/.aws/aws_2fa'...
    2020-09-25 19:04:16,985 - INFO - Generating assumed role session credentials...
    # Copy the commands to cli for using in unix terminal:
    export AWS_ACCESS_KEY_ID='ASIAXGY2YZYUTD2PSS'
    export AWS_SECRET_ACCESS_KEY='jSUg/[J6SiNcaKVWE]/D/ZEVH7ZU6Yd3psmjkELnmh'
    export AWS_SESSION_TOKEN='FwoGZXIvYXdzENX]]]wEaDNzdzVaDp9stmO9HcSK1AV4S5xS2MayC8y+zjmli2JOt0bibeN1GfhnvJkB7hGYqaOc3AIWymYGjqejQ8RHS5oD2mOosJyVnvZwaMkPFtHWrL7vzJrZnowV6kM+EfvzUgTKvhrriHR2T6cA6kwAAIuz/T38X0xts2LaktGjcqbQMpFPaHxvRPpLcLCcHOio/DwRAPxJqoy0TfqvWWvmf6SgmTGuD5TFVyJG61EMacBWiuj/UwEsb32lWEYHdxKYi2iD2j/gosf64+wUyLXpWSax7UvZZAYMA6pbJ88rJ++mTtuZuSuC8nc68S6lNWg=='

Why you should use it

  • aws2fa is packaged in a container, so you can use it anywhere Docker is installed
  • Autocomplete is already configured inside the container and it works with AWS profiles
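  • aws2fa can autogenerate the MFA codes, so you do not have to retype them from your MFA device every time.
    Use automatic code generation wisely: it is MUCH LESS SECURE than using MFA codes from your MFA device, because the MFA token then lives on the same host as your access keys (in '~/.aws/aws_2fa' if you use '--save'), so anyone who can read both holds both factors.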
  • You can save the MFA configuration and then get the temporary credentials by just calling
    aws2fa -p my_profile or
    aws2fa -p my_profile --mfa_code 231245
  • aws2fa mounts your $HOME/.aws/credentials file from your host into the container, so you don’t need to rebuild or restart the container when your $HOME/.aws/credentials file changes
  • All the sensitive data is stored on your host only. This reduces the chance of pushing sensitive data into the container image
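
What autogenerating a code from '--mfa_token' amounts to, as an added example that is not aws2fa's own code: AWS virtual MFA devices use RFC 6238 TOTP, so the base32 token alone yields every future code, and the file holding it deserves the same protection as the access keys. The function names are assumptions and the seed is the RFC 6238 test key, not a real token.

```python
import base64
import hashlib
import hmac
import os
import stat
import struct
import time

# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(seed_b32, at=None, digits=6, step=30):
    """Return the RFC 6238 (HMAC-SHA1) code for a base32 seed at Unix time `at`."""
    cleaned = seed_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)      # pad to a multiple of 8 characters
    key = base64.b32decode(cleaned)
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                   # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def seed_file_is_private(path):
    """True when only the owner can read or write the file holding the seed."""
    mode = stat.S_IMODE(os.stat(os.path.expanduser(path)).st_mode)
    return mode & 0o077 == 0


if __name__ == "__main__":
    # Whoever holds the seed derives the same code as the MFA device.
    print("code at t=59:", totp(SAMPLE_SEED, at=59))
    cfg = "~/.aws/aws_2fa"                    # path named in the tool's help text
    if os.path.exists(os.path.expanduser(cfg)):
        print(cfg, "owner-only:", seed_file_is_private(cfg))
```

If the permission check reports False for '~/.aws/aws_2fa', tighten the file with chmod 600 or stop saving the token and pass '--mfa_code' from a device instead.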

How to install using Docker

  1. clone the repo

    git clone https://github.com/vadymbat/aws-2fa.git

  2. build an image

    cd aws-2fa

    docker build -t aws-2fa .

  3. run a container

    docker run -it --rm --mount type=bind,source=$HOME/.aws,target=/root/.aws aws-2fa

  4. use aws2fa with autocompletion inside the container

The docker run command above bind-mounts your host's ~/.aws directory into the container read-write, so the container works on the original ~/.aws/credentials file. If you update the file from the container, the changes are applied to the host file, and vice versa.

The CLI parameters:

    usage: aws2fa [-h] [--profile PROFILE] [--role_arn ROLE_ARN] [--mfa_arn MFA_ARN] [--mfa_token MFA_TOKEN | --mfa_code MFA_CODE]
                  [--session_duration SESSION_DURATION] [--save] [--quiet]

    Generate MFA authenticated AWS credentials for CLI exporting. If you put an MFA base32 token to the '--mfa_token' argument, your MFA code will be autogenerated.
    Within the AWS the token is available only when you create a Virtual MFA device for AWS user. Alternatively, you can use your existing Virtual MFA device and
    provide the code with the '--mfa_code' parameter. Use '--save' to save your configuration e.g. mfa_arn, role_arn, or mfa_token to '~/.aws/aws_2fa' file, so next
    time you need only fill the '--profile' parameter, the rest will be taken from the config file. The CLI arguments have higher priority than the config file.

    optional arguments:
      -h, --help            show this help message and exit
      --profile PROFILE, -p PROFILE
                            AWS profile from '~/.aws/credentials'
      --role_arn ROLE_ARN, -r ROLE_ARN
                            IAM role to assume using provided profile credentials
      --mfa_arn MFA_ARN, -ma MFA_ARN
                            Arn of your AWS Virtual MFA device
      --mfa_token MFA_TOKEN, -mt MFA_TOKEN
                            MFA token to autogenerate your MFA code
      --mfa_code MFA_CODE, -mc MFA_CODE
                            MFA code from your device
      --session_duration SESSION_DURATION, -sd SESSION_DURATION
                            How long your credentials will be valid
      --save, -s            Save the configuration for that profile to '~/.aws/aws_2fa'
      --quiet               Do not print info output