aws-mfa: Easily manage your AWS Security Credentials when using Multi-Factor Authentication (MFA)
aws-mfa makes it easy to manage your AWS SDK Security Credentials when Multi-Factor Authentication (MFA) is enforced on your AWS account. It automates the process of obtaining temporary credentials from the AWS Security Token Service and updating your AWS Credentials file (located at ~/.aws/credentials). Traditional methods of managing MFA-based credentials requires users to write their own bespoke scripts/wrappers to fetch temporary credentials from STS and often times manually update their AWS credentials file.
The concept behind aws-mfa is that there are 2 types of credentials:
long-term- Your typcial AWS access keys, consisting of anAWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEYshort-term- A temporary set of credentials that are generated by AWS STS using yourlong-termcredentials in combination with your MFA device serial number (either a hardware device serial number or virtual device ARN) and one time token code. Your short term credentials are the credentials that are actively utilized by the AWS SDK in use.
If you haven't yet enabled multi-factor authentication for AWS API access, check out the AWS article on doing so.
Installation:
Option 1
$ pip install aws-mfa
Option 2
1. Clone this repo
2. $ python setup.py install
Credentials File Setup
In a typical AWS credentials file (located at ~/.aws/credentials), credentials are stored in sections, denoted by a pair of brackets: []. The [default] section stores your default credentials. You can store multiple sets of credentials using different profile names. If no profile is specified, the [default] section is always used.
By default long term credential sections are identified by the convention [<profile_name>-long-term] and short term credentials are identified by the typical convention: [<profile_name>]. The following illustrates how you would configure you credentials file using aws-mfa with your default credentials:
[default-long-term]
aws_access_key_id = YOUR_LONGTERM_KEY_ID
aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY
After running aws-mfa, your credentials file would read:
[default-long-term]
aws_access_key_id = YOUR_LONGTERM_KEY_ID
aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY
[default]
aws_access_key_id = <POPULATED_BY_AWS-MFA>
aws_secret_access_key = <POPULATED_BY_AWS-MFA>
aws_security_token = <POPULATED_BY_AWS-MFA>
Similarly, if you utilize a credentials profile named development, your credentials file would look like:
[development-long-term]
aws_access_key_id = YOUR_LONGTERM_KEY_ID
aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY
After running aws-mfa, your credentials file would read:
[development-long-term]
aws_access_key_id = YOUR_LONGTERM_KEY_ID
aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY
[development]
aws_access_key_id = <POPULATED_BY_AWS-MFA>
aws_secret_access_key = <POPULATED_BY_AWS-MFA>
aws_security_token = <POPULATED_BY_AWS-MFA>
The default naming convention for the credential section can be overriden by using the --long-term-suffix and--short-term-suffix command line arguments. For example, in a multi account scenario you can have one AWS accountthat manages the IAM users for your organization and have other AWS accounts for development, staging and productionenvironments.
After running aws-mfa once for each environment with a different value for --short-term-suffix, your credentialsfile would read:
[myorganization-long-term]
aws_access_key_id = YOUR_LONGTERM_KEY_ID
aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY
[myorganization-development]
aws_access_key_id = <POPULATED_BY_AWS-MFA>
aws_secret_access_key = <POPULATED_BY_AWS-MFA>
aws_security_token = <POPULATED_BY_AWS-MFA>
[myorganization-staging]
aws_access_key_id = <POPULATED_BY_AWS-MFA>
aws_secret_access_key = <POPULATED_BY_AWS-MFA>
aws_security_token = <POPULATED_BY_AWS-MFA>
[myorganization-production]
aws_access_key_id = <POPULATED_BY_AWS-MFA>
aws_secret_access_key = <POPULATED_BY_AWS-MFA>
aws_security_token = <POPULATED_BY_AWS-MFA>
This allows you to access multiple environments without the need to run aws-mfa each time you want to switchenvironments.
If you don't like the a long term suffix, you can omit it by passing the value none for the --long-term-suffixcommand line argument. After running aws-mfa once for each environment with a different value for--short-term-suffix, your credentials file would read:
[myorganization]
aws_access_key_id = YOUR_LONGTERM_KEY_ID
aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY
[myorganization-development]
aws_access_key_id = <POPULATED_BY_AWS-MFA>
aws_secret_access_key = <POPULATED_BY_AWS-MFA>
aws_security_token = <POPULATED_BY_AWS-MFA>
[myorganization-staging]
aws_access_key_id = <POPULATED_BY_AWS-MFA>
aws_secret_access_key = <POPULATED_BY_AWS-MFA>
aws_security_token = <POPULATED_BY_AWS-MFA>
[myorganization-production]
aws_access_key_id = <POPULATED_BY_AWS-MFA>
aws_secret_access_key = <POPULATED_BY_AWS-MFA>
aws_security_token = <POPULATED_BY_AWS-MFA>
Usage
--device arn:aws:iam::123456788990:mfa/dudeman
The MFA Device ARN. This value can also be provided
via the environment variable 'MFA_DEVICE' or the
~/.aws/credentials variable 'aws_mfa_device'.
--duration DURATION The duration, in seconds, that the temporary
credentials should remain valid. Minimum value: 900
(15 minutes). Maximum: 129600 (36 hours). Defaults to
43200 (12 hours), or 3600 (one hour) when using
'--assume-role'. This value can also be provided via
the environment variable 'MFA_STS_DURATION'.
--profile PROFILE If using profiles, specify the name here. The default
profile name is 'default'. The value can also be
provided via the environment variable 'AWS_PROFILE'.
--long-term-suffix LONG_TERM_SUFFIX
To identify the long term credential section by
[<profile_name>-LONG_TERM_SUFFIX]. Use 'none' to
identify the long term credential section by
[<profile_name>]. Omit to identify the long term
credential section by [<profile_name>-long-term].
--short-term-suffix SHORT_TERM_SUFFIX
To identify the short term credential section by
[<profile_name>-SHORT_TERM_SUFFIX]. Omit or use 'none'
to identify the short term credential section by
[<profile_name>].
--assume-role arn:aws:iam::123456788990:role/RoleName
The ARN of the AWS IAM Role you would like to assume,
if specified. This value can also be provided via the
environment variable 'MFA_ASSUME_ROLE'
--role-session-name ROLE_SESSION_NAME
Friendly session name required when using --assume-
role. By default, this is your local username.
Argument precedence: Command line arguments take precedence over environment variables.
Usage Example
Run aws-mfa before running any of your scripts that use any AWS SDK.
Using command line arguments:
$> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman
INFO - Using profile: default
INFO - Your credentials have expired, renewing.
Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):123456
INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:07:09+00:00
Using environment variables:
export MFA_DEVICE=arn:aws:iam::123456788990:mfa/dudeman
$> aws-mfa --duration 1800
INFO - Using profile: default
INFO - Your credentials have expired, renewing.
Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):123456
INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:07:09+00:00
export MFA_DEVICE=arn:aws:iam::123456788990:mfa/dudeman
export MFA_STS_DURATION=1800
$> aws-mfa
INFO - Using profile: default
INFO - Your credentials have expired, renewing.
Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):123456
INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:07:09+00:00
Output of running aws-mfa while credentials are still valid:
$> aws-mfa
INFO - Using profile: default
INFO - Your credentials are still valid for 1541.791134 seconds they will expire at 2015-12-21 23:07:09
Using a profile: (profiles allow you to reference different sets of credentials, perhaps for different users or different regions)
$> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman --profile development
INFO - Using profile: development
Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):666666
INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:09:04+00:00
Using a profile that is set via the environment variable AWS_PROFILE:
$> export AWS_PROFILE=development
$> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman
INFO - Using profile: development
Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):666666
INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:09:04+00:00
Assuming a role:
$> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman --assume-role arn:aws:iam::123456788990:role/some-role --role-session-name some-role-session
INFO - Validating credentials for profile: default with assumed role arn:aws:iam::123456788990:role/some-role
INFO - Obtaining credentials for a new role or profile.
Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):123456
INFO - Success! Your credentials will expire in 1800 seconds at: 2016-10-24 18:58:17+00:00
Assuming a role: Assume a role specified in your long-term configuration
[default-long-term]
aws_access_key_id = YOUR_LONGTERM_KEY_ID
aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY
assume_role = arn:aws:iam::123456788990:role/some-role
$> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman --role-session-name some-role-session
Assuming a role using a profile:
$> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman --profile development --assume-role arn:aws:iam::123456788990:role/some-role --role-session-name some-role-session
INFO - Validating credentials for profile: development with assumed role arn:aws:iam::123456788990:role/some-role
INFO - Obtaining credentials for a new role or profile.
Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):123456
INFO - Success! Your credentials will expire in 1800 seconds at: 2016-10-24 18:58:17+00:00
Assuming a role in multiple accounts and be able to work with both accounts simultaneously (i.e. production an staging):
$> aws-mfa —profile myorganization --assume-role arn:aws:iam::222222222222:role/Administrator --short-term-suffix production --long-term-suffix none --role-session-name production
INFO - Validating credentials for profile: myorganization-production with assumed role arn:aws:iam::222222222222:role/Administrator
INFO - Your credentials have expired, renewing.
Enter AWS MFA code for device [arn:aws:iam::111111111111:mfa/me] (renewing for 3600 seconds):123456
INFO - Success! Your credentials will expire in 3600 seconds at: 2017-07-10 07:16:43+00:00
$> aws-mfa —profile myorganization --assume-role arn:aws:iam::333333333333:role/Administrator --short-term-suffix staging --long-term-suffix none --role-session-name staging
INFO - Validating credentials for profile: myorganization-staging with assumed role arn:aws:iam::333333333333:role/Administrator
INFO - Your credentials have expired, renewing.
Enter AWS MFA code for device [arn:aws:iam::111111111111:mfa/me] (renewing for 3600 seconds):123456
INFO - Success! Your credentials will expire in 3600 seconds at: 2017-07-10 07:16:44+00:00
$> aws s3 list-objects —bucket my-production-bucket —profile myorganization-production
$> aws s3 list-objects —bucket my-staging-bucket —profile myorganization-staging
-
http://ju.outofmemory.cn/entry/70264 Amazon最初始推出AWS时候,提供给用户的是虚拟机(EC2),存储(Volume),弹性IP(Elastic IP)等这些在云计算中被划分为基础设施层(I层)的资源。 稍后AWS又推出了RDS(Relation Database Service),用户可以申请MySQL,Oracle,Postgres,SQLServer
-
什么是AWS? AWS 云计算 Amazon Web Services (AWS) 是全球最全面、应用最广泛的云平台,从全球数据中心提供超过 175 项功能齐全的服务。数百万客户(包括增长最快速的初创公司、最大型企业和主要的政府机构)都在使用 AWS 来降低成本、提高敏捷性并加速创新。 优势 安全性 AWS 的安全性始于我们的核心基础设施。我们的基础设施针对云定制,旨在满足全球最为严格的安全要
-
fsx 客户端安装和挂载 安装 curl https://fsx-lustre-client-repo-public-keys.s3.amazonaws.com/fsx-rpm-public-key.asc -o /tmp/fsx-rpm-public-key.asc sudo rpm --import /tmp/fsx-rpm-public-key.asc sudo curl https:/
-
一、基础设施服务 AWS共提供14类28项服务,大致可分为计算、存储、应用架构、特定应用、管理这五大类: 1、计算类服务 EC2:虚拟机实例,有标准型、大内存、高运算能力、带10G网络的HPC、GPU等多种类型、Win/Linux OS、主流WEB、应用服务器、数据库。可自动按需伸缩。本机没有持久化的存储 Elastic MapReduce:MapReduce型分析,基于Hadoop,支持Hive
-
什么是AWS: 首先从aws 的官网上CV了一点概念,毕竟官网上的最准确的,也是标注,要深入学习可以深入了解 AWS Marketplace 是一个精心严选的数字化产品目录,客户通过它可以轻松地查找、购买、部署和管理构建解决方案及运营其业务所需的来自独立软件供应商(ISV)的软件。AWS Marketplace 中包含数千种热门软件,例如安全、网络、存储、机器学习、商业智能、数据库和开
-
aws mfa 认证 I am currently working on improving the security of cloud operations for one of my clients and wanted to share an interesting solution I developed to help provide programmatic access to AWS
-
文档:What is AWS CloudFormation? - AWS CloudFormation 1.简介 AWS CloudFormation 是一项服务,帮助对 AWS 资源进行建模和设置 通过模板来描述所有 AWS 资源,CloudFormation 负责为预置和配置这些资源。 无需单独创建和配置 AWS 资源并设置依赖。CloudFormation 处理了这些问题。 1.1 简化管理
-
总是提示错误 f1446272-3a36-4b71-ab51-e7d54f6fd69dSenderSignatureNotMatchThe Signature is not matched 查找原因; 大小写 method = ‘get’ 不可以,必须为GET 排序 canonical_querystring = ‘Action=ListServices&ChargeMode=Own&Versio
-
我想知道使用AWS OpsWorks与AWS Beanstalk和AWS CloudFormation的优缺点是什么? 我感兴趣的是一个可以自动伸缩的系统,它可以处理任意数量的并发web请求(从每分钟1000个请求到1000万rpm),包括一个可以自动伸缩的数据库层。 理想情况下,我希望有效地共享一些硬件资源,而不是为每个应用程序提供单独的实例。在过去,我主要使用EC2实例RDS Cloudtop
-
介绍如何在AWS上获取在云联壹云平台需要使用的配置参数。 获取AWS的访问密钥 使用AWS主账号(或拥有AdministratorAccess管理权限的子账号)登录AWS管理控制台,单击 “IAM” 菜单项,进入IAM控制面板页面。 单击左侧菜单栏 “用户” 菜单项,进入用户管理列表,单击用户名名称项,进入指定用户详情页面。注意需要选择有足够管理权限的用户。 单击“安全证书”页签。 单击 “创建访
-
AWS Global Infrastructure AWS Global Cloud - A single global cloud, is made up of devices and Services in many regions. AWS Region - A physical location around the world where Amazon have equipment(de
-
A collection of bash shell scripts for automating various tasks with Amazon Web Services using the AWS CLI and jq. https://github.com/swoodford/aws Table of contents Why Getting Started What's Include
-
我使用的是AWS SQS服务,很难定义SQS队列上的权限。在我的设置中,我使用的是AWS Lambda服务,当一个对象被推到S3存储桶上时会触发该服务。 然而,让我简短地提问,这是我想要实现的: 对象被推送到S3存储桶中 正如您可以从前面的用例中看到的,我希望我的AWS Lambda方法是唯一可以向SQS队列发送消息的应用程序。我试图设置一个原则和一个条件“sourceArn”。但是它们都不起作用
-
我有一个Powershell Lambda,我希望通过AWS CDK部署它,但在运行时遇到问题。 通过手动发布AWSPowerShellLambda部署Powershell可以: 但是,与CDK一起部署的同一脚本不会记录到CloudWatch日志,即使它具有以下权限: powershell脚本当前仅包含以下行,在CLI上由Publish AWSPowerShellLambda部署时可以工作: 注意
-
每当我试图在AWS Lambda上测试我的Lambda函数时,我目前都会得到一个ClassNotFoundExcure。例外情况显示在这里: 我在网上搜索过,包括这里的链接: AWS Lambda:类java.lang.ClassNotFoundExc0019,但没有用。 我在Android Studio中工作,创建了一个JAR文件(使用此链接:如何从Android Studio项目生成.JAR)
-
Setup source aws-alias.sh aws-start aws-ssh Shutdown aws-stop