Automating MFA Login to AWS CLI Session

Enabling multi-factor authentication (MFA) wherever possible is certainly good practice. Once your IAM policy requires MFA for API calls, which is how MFA is normally enforced for command line interface (CLI) access, the long-term access keys in your profile are no longer enough on their own: you have to request temporary credentials with the following command and then populate the environment variables with them.

   $ aws sts get-session-token --serial-number arn:aws:iam::123456789012:mfa/agill --token-code 123456 --duration-seconds 86400

It returns temporary credentials. The order of the elements in the JSON may vary with the OS platform the AWS CLI client runs on, so pick values out by key name rather than by position. The --duration-seconds value may range from 900 to 129600 (36 hours) for an IAM user and defaults to 43200 (12 hours); the root user is limited to 3600. The command has to be run with your long-term keys: STS refuses to issue a session token to a caller that is already using temporary credentials.

   {
       "Credentials": {
           "AccessKeyId": "ABCXYZ123LEDBHNDJOHN",
           "SecretAccessKey": "abc123XYZOrYKEaXv/yzY7GqSh16FrtzL0EM2bD7",
           "SessionToken": "FQoABCdzXYZ//////////wEaXYZl/Yv6mzhCxyzfriKwAejFxV3vDdkHs73ucABCZVa4cOeoPjhkvcKXMAvQrNrxr31qyO4o39+kjCobUvEZDqsG0T6x6r/kz8b+PvVLK4gKst5zuQbFshc1eOa0sr9dXYZrw1jV/w1a8iVyCuDFKS/V9fHG/J9zx43vG4UMP9Rz6DJOHN6ehPT2/4jzSuFehjHufHcp1vDulw/cAh++gysckCT4CBJ+Abdul+Gill+LSpb2+14sZbX0y3b0lxi+Larry+IF",
           "Expiration": "2017-12-28T15:00:57Z"
       }
   }

Then populate your environment variables with the temporary credentials.

   $ export AWS_ACCESS_KEY_ID=ABCXYZ123LEDBHNDJOHN
   $ export AWS_SECRET_ACCESS_KEY=abc123XYZOrYKEaXv/yzY7GqSh16FrtzL0EM2bD7
   $ export AWS_SESSION_TOKEN=FQoABCdzXYZ//////////wEaXYZl/Yv6mzhCxyzfriKwAejFxV3vDdkHs73ucABCZVa4cOeoPjhkvcKXMAvQrNrxr31qyO4o39+kjCobUvEZDqsG0T6x6r/kz8b+PvVLK4gKst5zuQbFshc1eOa0sr9dXYZrw1jV/w1a8iVyCuDFKS/V9fHG/J9zx43vG4UMP9Rz6DJOHN6ehPT2/4jzSuFehjHufHcp1vDulw/cAh++gysckCT4CBJ+Abdul+Gill+LSpb2+14sZbX0y3b0lxi+Larry+IF

Now you are ready to run AWS CLI commands. To test it out, run a simple command.

   $ aws s3 ls

I have bundled all these steps into a script. As mentioned earlier, the output format of "aws sts get-session-token" is client platform specific, so there is a different version for each platform. The script also configures the git environment to work with AWS CodeCommit by issuing the following statements.

   $ git config --global user.name "Abdul M Gill"
   $ git config --global user.email "amgill@cloudarchitect.net"
   $ git config --global credential.helper '!aws codecommit credential-helper $@'
   $ git config --global credential.UseHttpPath true

It accepts the MFA token as an input parameter. Source it in a bash shell (Linux, Git Bash, Mac) rather than executing it, so that the exported variables survive in your current shell; on Windows, execute the batch file. In the bash versions keep the credential.helper value in single quotes: inside a sourced script $@ holds the MFA code you just passed in, and with double quotes the shell would expand it into the stored helper command (the Windows batch file needs double quotes, since cmd does not expand $@). Here is how it should be run.

   $ . ./agill-prod-mac.sh 123456
   $ . ./agill-prod-linux.sh 123456
   $ . ./agill-prod-git-bash.sh 123456
   $ agill-prod-win.bat 123456

Update the following lines in each script to reflect your environment before executing. I usually keep one copy of the script per configured AWS profile, named after the profile and shell as <profile-name>-<shell>.<ext>. For example, the Mac version for my "agill-prod" profile is called "agill-prod-mac.sh".

   git config --global user.name "Abdul M Gill"
   git config --global user.email "amgill@cloudarchitect.net"
   export AWS_DEFAULT_PROFILE=agill-prod
   export ASSIGNED_MFA_ARN=arn:aws:iam::123456789012:mfa/amgill
   export HTTP_PROXY=http://yourproxy.yourdomain.com:80     #comment out the line if no proxy is used in your environment for outbound internet traffic.
   export HTTPS_PROXY=http://yourproxy.yourdomain.com:8080  #comment out the line if no proxy is used in your environment for outbound internet traffic.
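As an added example (not the post's downloadable script), here is one way to write the bash version of that script, picking the credentials out of the STS JSON by key name so that the key order the CLI happens to use no longer matters. The profile name, MFA ARN and git identity are the post's placeholders; the 12-hour duration and the AWS_SESSION_EXPIRATION convenience variable are this example's own choices; the sample JSON at the bottom is constructed from the post's fictitious output.

```bash
#!/usr/bin/env bash
# mfa-session.sh: source it so the exports land in the calling shell:
#   . ./mfa-session.sh 123456
# Placeholder settings (assumptions, not from the original post); override
# them in your environment before sourcing.
export AWS_DEFAULT_PROFILE="${AWS_DEFAULT_PROFILE:-agill-prod}"
export ASSIGNED_MFA_ARN="${ASSIGNED_MFA_ARN:-arn:aws:iam::123456789012:mfa/amgill}"
: "${MFA_DURATION_SECONDS:=43200}"   # IAM users may ask for 900..129600 (36 h)

# Pull one string value out of the STS JSON by key name, so the result does
# not depend on the order in which the CLI happens to print the keys.
json_value() {
  sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Turn get-session-token output into export statements. Pure text
# transformation, so it can be checked against a sample without calling AWS.
creds_to_exports() {
  local json="$1" ak sk st exp
  ak=$(printf '%s\n' "$json" | json_value AccessKeyId)
  sk=$(printf '%s\n' "$json" | json_value SecretAccessKey)
  st=$(printf '%s\n' "$json" | json_value SessionToken)
  exp=$(printf '%s\n' "$json" | json_value Expiration)
  if [ -z "$ak" ] || [ -z "$sk" ] || [ -z "$st" ]; then
    echo "mfa-session: no Credentials block in STS output" >&2
    return 1
  fi
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "$ak"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$sk"
  printf 'export AWS_SESSION_TOKEN=%s\n' "$st"
  printf 'export AWS_SESSION_EXPIRATION=%s\n' "$exp"   # example's own variable
}

# Exchange the one-time code for temporary credentials and export them.
mfa_login() {
  local token="$1" json exports
  case "$token" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "usage: . ./mfa-session.sh <6-digit MFA code>" >&2; return 1 ;;
  esac
  # Credentials left in the environment from an earlier session take
  # precedence over the profile, and GetSessionToken refuses to run under
  # session credentials, so clear them before calling STS.
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  json=$(aws sts get-session-token \
           --profile "$AWS_DEFAULT_PROFILE" \
           --serial-number "$ASSIGNED_MFA_ARN" \
           --token-code "$token" \
           --duration-seconds "$MFA_DURATION_SECONDS" \
           --output json) || return 1
  exports=$(creds_to_exports "$json") || return 1
  eval "$exports"
  echo "mfa-session: $AWS_DEFAULT_PROFILE session valid until $AWS_SESSION_EXPIRATION"
}

# The four git settings from the post. Single quotes matter here: inside a
# sourced script "$@" would expand to the MFA code you just passed in.
configure_codecommit_git() {
  git config --global user.name "${GIT_USER_NAME:-Abdul M Gill}"
  git config --global user.email "${GIT_USER_EMAIL:-amgill@cloudarchitect.net}"
  git config --global credential.helper '!aws codecommit credential-helper $@'
  git config --global credential.UseHttpPath true
}

# Constructed sample in the shape the CLI prints, using the post's fictitious
# values (token shortened); only used for offline self-checks.
SAMPLE_STS_JSON='{
    "Credentials": {
        "AccessKeyId": "ABCXYZ123LEDBHNDJOHN",
        "SecretAccessKey": "abc123XYZOrYKEaXv/yzY7GqSh16FrtzL0EM2bD7",
        "SessionToken": "FQoABCdzXYZ//////////wEaXYZl",
        "Expiration": "2017-12-28T15:00:57Z"
    }
}'

# With a code argument, log in; without one only the functions are defined.
if [ -n "${1:-}" ]; then
  mfa_login "$1" && configure_codecommit_git
fi
```

Source it as ". ./mfa-session.sh 123456"; run without an argument it only defines the functions. The parsing can be avoided entirely by asking the CLI for the values in a fixed order, --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text, which is the other way around the platform-specific key order. After sourcing, "aws sts get-caller-identity" confirms which identity the session belongs to; the unset at the top of mfa_login is what keeps a second run from failing once the first session's variables are already in the environment.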

Any questions or issues with the download, feel free to contact me via email. Enjoy!

Download Script File(s):
amgill-prod-mac.sh
amgill-prod-linux.sh
amgill-prod-git-bash.sh
amgill-prod-win.bat

Known Issues:
Issue 1 – Mac: After the first successful run, subsequent git push attempts error out.

   $ git push -u origin master
   $ git add terraforming/
   $ git commit -m "Shell script to generate terraform script (tf_export.sh) from pre-deployed AWS resources"
   $ git push -u origin master
       fatal: unable to access 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/agill-utilities/': The requested URL returned error: 403

The cause is the osxkeychain credential helper that the macOS git installation enables in its system-level gitconfig: git consults it before the AWS helper, and after the first successful push it stores the short-lived credential the AWS helper generated in the keychain and replays it on later pushes, where CodeCommit rejects it with 403. The workaround is to delete the CodeCommit credentials entry from Keychain Access after each git push (or to remove the osxkeychain helper from the system gitconfig so that only the AWS helper is consulted). The entry is shown below in the Mac "Keychain".

Issue 2 – Git Bash on Windows: When installing the git command line tools on Windows, make sure that the option "Enable Git Credential Manager" is unchecked. CodeCommit does not work well with that credential helper. The AWS credential helper is enabled instead while configuring git; the scripts do that with the following line (double quotes in the Windows batch file, where cmd does not expand $@).

   $ git config --global credential.helper '!aws codecommit credential-helper $@'
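Both issues come down to a second credential helper being consulted alongside the AWS one. The following is an added check (not from the post) that classifies the helpers git has configured, which you can feed from "git config -l --show-origin", plus a scripted form of the Keychain workaround from Issue 1 using the macOS security tool. The config lines at the bottom are a constructed sample; the CodeCommit host in the keychain function is assumed from the error message in Issue 1.

```bash
#!/usr/bin/env bash
# Added example (not from the post): list every credential helper git will
# consult, in the order git reads them, and flag the ones that cache or
# override the short-lived credential the AWS helper produces.
tab=$(printf '\t')

# Classify one line of `git config -l --show-origin` output
# ("file:/path<TAB>key=value"); a plain `git config -l` line works too.
classify_helper_line() {
  local line="$1" key value
  key=${line#*"$tab"}          # drop the origin column if present
  value=${key#*=}
  key=${key%%=*}
  case "$key" in
    credential.helper|credential.*.helper) ;;
    *) echo ignore; return 0 ;;
  esac
  case "$value" in
    '!aws codecommit credential-helper'*) echo ok ;;
    # osxkeychain: macOS system gitconfig (Issue 1); manager, manager-core and
    # wincred: Git Credential Manager on Windows (Issue 2).
    osxkeychain|manager|manager-core|wincred|cache|store) echo conflict ;;
    *) echo other ;;
  esac
}

# Print a verdict per helper line read from stdin; return 1 if any conflict.
audit_credential_helpers() {
  local found=0 line verdict
  while IFS= read -r line; do
    verdict=$(classify_helper_line "$line")
    case "$verdict" in
      ok)       printf 'OK       %s\n' "$line" ;;
      other)    printf 'CHECK    %s\n' "$line" ;;
      conflict) found=1; printf 'CONFLICT %s\n' "$line" ;;
    esac
  done
  return "$found"
}

# The post's Mac workaround, scripted: drop the cached keychain item so the
# next push goes back through the AWS helper. The host is an assumption.
forget_codecommit_keychain_item() {
  local host="${1:-git-codecommit.us-east-1.amazonaws.com}"
  command -v security >/dev/null 2>&1 || { echo "not macOS" >&2; return 1; }
  security delete-internet-password -s "$host" >/dev/null 2>&1
}

# Constructed sample of what a Mac with the stock git shows; the first line
# is the one that causes the 403 after the first push.
SAMPLE_GIT_CONFIG=$(printf '%s\n' \
  "file:/Library/Developer/CommandLineTools/usr/share/git-core/gitconfig${tab}credential.helper=osxkeychain" \
  "file:/Users/amgill/.gitconfig${tab}user.name=Abdul M Gill" \
  "file:/Users/amgill/.gitconfig${tab}credential.helper=!aws codecommit credential-helper \$@" \
  "file:/Users/amgill/.gitconfig${tab}credential.usehttppath=true")

# Live check:  git config -l --show-origin | audit_credential_helpers
```

A non-zero exit from the live check means git will try another helper before (or after) the AWS one; fix the offending file rather than the keychain, and the per-push deletion becomes unnecessary.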

Note: Any account and keys included in this article are fictitious and not real. Sorry if that disappointed someone 🙂
