
To enhance security, you can require multi-factor authentication (MFA) for CLI and API calls as well: if the IAM policy attached to your user carries a condition on aws:MultiFactorAuthPresent, your long-lived access keys alone are refused, and you first have to call sts get-session-token with a code from your MFA device and then use the temporary credentials it returns (those carry the MFA flag). Obtaining the temporary credentials by hand and setting them up as environment variables is a hassle. I came up with this quick script to automate the job.

In the following script, you only have to replace YOUR_MFA_ARN with the ARN of the MFA device configured under the security credentials of your AWS IAM user; it has the form arn:aws:iam::123456789012:mfa/username (account id and name shown here as placeholders).

Then you can either source the script, so the variables land in your current shell, or execute it, in which case it starts a login subshell that has them.

Here's the bash script aws-mfa-cli.sh:

#!/bin/bash
# No `set -e` here: when the script is sourced, the option would stay on in
# your interactive shell and make it exit on the next failing command.

# check if script has been sourced or executed
(return 0 2>/dev/null) && sourced=1 || sourced=0

MFA_DEVICE_ARN=YOUR_MFA_ARN

read -p "Please enter your MFA code: " MFA_CODE

echo "You entered '$MFA_CODE'"

# This call has to be made with your long-lived access keys: temporary
# credentials left in the environment by an earlier run cannot call
# GetSessionToken, so start from a fresh shell if it fails with that error.
if ! CREDS=$(aws --output text sts get-session-token \
        --serial-number "$MFA_DEVICE_ARN" \
        --token-code "$MFA_CODE"); then
    echo "get-session-token failed" >&2
    [ "$sourced" -eq 1 ] && return 1 || exit 1
fi

# Text output is one tab-separated line, columns in alphabetical key order:
#   CREDENTIALS <AccessKeyId> <Expiration> <SecretAccessKey> <SessionToken>
IFS=$'\t' read -r tag KEY EXPIRATION SECRET SESS_TOKEN <<< "$CREDS"

# Only the key id and the expiry are shown; the secret and the session token
# are not printed so they don't end up in terminal scrollback or logs.
echo "Access key id: $KEY (valid until $EXPIRATION)"

export AWS_ACCESS_KEY_ID=$KEY
export AWS_SECRET_ACCESS_KEY=$SECRET
export AWS_SESSION_TOKEN=$SESS_TOKEN

if [ "$sourced" -eq 1 ]; then
    echo "Script was sourced."
else
    echo "Script was executed, starting subshell."
    bash -l
fi
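If you would rather not export the temporary credentials into a shell at all, they can go into a named profile in ~/.aws/credentials, which every terminal can then use with --profile until the token expires. The following script is an added example, not code from the original post: it parses the same text output as aws-mfa-cli.sh but splits on tabs rather than spaces, never prints the secret or the session token, and rewrites only its own section of the credentials file. The profile name mfa, the function names, the sample STS line used for checking, and the expectation that your long-lived keys live in the [default] section of the credentials file are all assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: save the MFA-backed temporary
# credentials as a named profile instead of exporting them. Function names,
# the profile name "mfa" and the [default] long-lived keys are assumptions.
set -euo pipefail

# Parse one line of `aws --output text sts get-session-token`. The text output
# is tab-separated, columns in alphabetical key order:
#   CREDENTIALS <AccessKeyId> <Expiration> <SecretAccessKey> <SessionToken>
# Results land in MFA_KEY, MFA_EXPIRATION, MFA_SECRET and MFA_TOKEN.
parse_session_token_line() {
    local line=$1 tag
    IFS=$'\t' read -r tag MFA_KEY MFA_EXPIRATION MFA_SECRET MFA_TOKEN <<< "$line"
    if [ "$tag" != "CREDENTIALS" ] || [ -z "$MFA_KEY" ] || [ -z "$MFA_SECRET" ] || [ -z "$MFA_TOKEN" ]; then
        echo "unexpected get-session-token output" >&2   # never echo the line itself
        return 1
    fi
}

# Replace (or add) the [profile] section of an ini-style credentials file.
# The new content is built in a mktemp file (mode 0600) and moved into place,
# so the secret is never written world-readable, even for a brand new file.
write_mfa_profile() {
    local file=$1 profile=$2 key=$3 secret=$4 token=$5
    local tmp
    tmp=$(mktemp)
    mkdir -p "$(dirname "$file")"
    if [ -f "$file" ]; then
        # keep every other section, drop a previous copy of this profile
        awk -v hdr="[$profile]" '
            $0 == hdr { skip = 1; next }
            /^\[/     { skip = 0 }
            !skip     { print }
        ' "$file" > "$tmp"
    fi
    {
        printf '[%s]\n' "$profile"
        printf 'aws_access_key_id = %s\n' "$key"
        printf 'aws_secret_access_key = %s\n' "$secret"
        printf 'aws_session_token = %s\n' "$token"
    } >> "$tmp"
    mv "$tmp" "$file"
}

# Fetch temporary credentials for an MFA device and store them as a profile.
# Usage: aws_mfa_profile <mfa-device-arn> [credentials-file] [profile]
aws_mfa_profile() {
    local serial=$1 file=${2:-$HOME/.aws/credentials} profile=${3:-mfa}
    local code line
    read -r -p "MFA code for $serial: " code
    # GetSessionToken must be called with long-lived keys (assumed to be the
    # [default] section of the credentials file), so temporary credentials
    # left in the environment by an earlier run are dropped for this one call.
    line=$(env -u AWS_ACCESS_KEY_ID -u AWS_SECRET_ACCESS_KEY -u AWS_SESSION_TOKEN \
        aws --output text sts get-session-token \
            --serial-number "$serial" --token-code "$code")
    parse_session_token_line "$line"
    write_mfa_profile "$file" "$profile" "$MFA_KEY" "$MFA_SECRET" "$MFA_TOKEN"
    echo "profile [$profile] written to $file, valid until $MFA_EXPIRATION"
    echo "every terminal can now use it:  aws --profile $profile sts get-caller-identity"
}

# Run directly with the device ARN, e.g.
#   ./aws-mfa-profile.sh arn:aws:iam::123456789012:mfa/alice
if [ $# -ge 1 ]; then
    aws_mfa_profile "$@"
fi
```

Because the credentials file is rewritten rather than appended to, running the script again after the token expires simply replaces the [mfa] section; the [default] section with the long-lived keys is left untouched, and nothing secret is printed at any point.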

This post is also available on DEV.