vadymbat/aws-2fa

AWS Multi-factor authentication CLI helper

The aws2fa tool generates temporary MFA-authenticated credentials and saves the MFA configuration for later use.

After generating the temporary tokens, you can copy and paste them into any Unix server to get temporary access to AWS.

Example:

root@565ee0b2249b:/# aws2fa -p personal_vb_trial 
2020-09-25 19:04:16,955 - INFO - Generating MFA code from MFA token...
2020-09-25 19:04:16,955 - INFO - Using 'mfa_token' from config file '~/.aws/aws_2fa'...
2020-09-25 19:04:16,956 - INFO - Using 'mfa_arn' from config file '~/.aws/aws_2fa'...
2020-09-25 19:04:16,956 - INFO - Using 'session_duration' from cli args...
2020-09-25 19:04:16,957 - INFO - Using 'role_arn' from config file '~/.aws/aws_2fa'...
2020-09-25 19:04:16,985 - INFO - Generating assumed role session credentials...
# Copy the commands to cli for using in unix terminal:
export AWS_ACCESS_KEY_ID='ASIAXGY2YZYUTD2PSS'
export AWS_SECRET_ACCESS_KEY='jSUg/[J6SiNcaKVWE]/D/ZEVH7ZU6Yd3psmjkELnmh'
export AWS_SESSION_TOKEN='FwoGZXIvYXdzENX]]]wEaDNzdzVaDp9stmO9HcSK1AV4S5xS2MayC8y+zjmli2JOt0bibeN1GfhnvJkB7hGYqaOc3AIWymYGjqejQ8RHS5oD2mOosJyVnvZwaMkPFtHWrL7vzJrZnowV6kM+EfvzUgTKvhrriHR2T6cA6kwAAIuz/T38X0xts2LaktGjcqbQMpFPaHxvRPpLcLCcHOio/DwRAPxJqoy0TfqvWWvmf6SgmTGuD5TFVyJG61EMacBWiuj/UwEsb32lWEYHdxKYi2iD2j/gosf64+wUyLXpWSax7UvZZAYMA6pbJ88rJ++mTtuZuSuC8nc68S6lNWg=='

Why you should use it

  • aws2fa is packaged in a container, so you can use it anywhere Docker is installed
  • Autocomplete is already configured inside the container and works with AWS profiles
  • aws2fa can autogenerate the MFA codes so you don't have to retype them from your MFA device every time. Use automatic token generation wisely: it is MUCH LESS SECURE than using MFA codes from your MFA device.
  • You can save the MFA configuration and get the temporary credentials by just calling aws2fa -p my_profile or aws2fa -p my_profile --mfa_code 231245
  • aws2fa mounts your $HOME/.aws/credentials file from your host into the container, so you don't need to rebuild or restart the container when your $HOME/.aws/credentials file changes
  • All the sensitive data is stored on your host only. This reduces the chance of pushing sensitive data into the container image
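
As an added example (not aws2fa's own code, whose internals this page does not show), the Python sketch below shows what autogenerating a code from a base32 seed involves under RFC 6238, and checks that a file holding the seed, such as '~/.aws/aws_2fa', is accessible to its owner only. It assumes '--mfa_token' is the standard TOTP seed of an AWS virtual MFA device; the function names totp and seed_file_problems and the demo seed are made up for illustration.

```python
# Added example, not aws2fa's code: RFC 6238 TOTP from a base32 seed,
# plus a permission check for a file that stores such a seed.
import base64
import hashlib
import hmac
import os
import stat
import struct
import time


def totp(seed_b32, now=None, step=30, digits=6):
    """Return the TOTP code for a base32 seed at Unix time `now` (RFC 6238, SHA-1)."""
    cleaned = seed_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)           # restore stripped base32 padding
    key = base64.b32decode(cleaned)
    counter = int(time.time() if now is None else now) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def seed_file_problems(path):
    """List permission problems for a file holding an MFA seed (hypothetical helper)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return []                                  # nothing stored, nothing exposed
    problems = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o is accessible to group/other; expected 600"
                        % stat.S_IMODE(st.st_mode))
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        problems.append("owned by uid %d, not the current user" % st.st_uid)
    return problems


if __name__ == "__main__":
    # Constructed seed: the RFC 6238 test key "12345678901234567890" in base32.
    demo_seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("code now:", totp(demo_seed))
    for issue in seed_file_problems(os.path.expanduser("~/.aws/aws_2fa")):
        print("WARNING ~/.aws/aws_2fa:", issue)
```

Anyone who can read a stored seed can compute the same codes at any time, so a saved mfa_token turns the second factor into a second secret kept in the same directory as the long-lived access keys.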

How to install using Docker

  1. clone the repo

    git clone https://github.com/vadymbat/aws-2fa.git

  2. build an image

    cd aws-2fa

    docker build -t aws-2fa .

  3. run a container

    docker run -it --rm --mount type=bind,source=$HOME/.aws,target=/root/.aws aws-2fa

  4. use aws2fa with autocompletion inside the container

The container accesses the original ~/.aws/credentials file from your host, so if you update the file from the container, the changes are applied to the host file, and vice versa.

The CLI parameters:

usage: aws2fa [-h] [--profile PROFILE] [--role_arn ROLE_ARN] [--mfa_arn MFA_ARN] [--mfa_token MFA_TOKEN | --mfa_code MFA_CODE]
              [--session_duration SESSION_DURATION] [--save] [--quiet]

Generate MFA authenticated AWS credentials for CLI exporting. If you put an MFA base32 token to the '--mfa_token' argument, your MFA code will be autogenerated.
Within the AWS the token is available only when you create a Virtual MFA device for AWS user. Alternatively, you can use your existing Virtual MFA device and
provide the code with the '--mfa_code' parameter. Use '--save' to save your configuration e.g. mfa_arn, role_arn, or mfa_token to '~/.aws/aws_2fa' file, so next
time you need only fill the '--profile' parameter, the rest will be taken from the config file. The CLI arguments have higher priority than the config file.

optional arguments:
  -h, --help            show this help message and exit
  --profile PROFILE, -p PROFILE
                        AWS profile from '~/.aws/credentials'
  --role_arn ROLE_ARN, -r ROLE_ARN
                        IAM role to assume using provided profile credentials
  --mfa_arn MFA_ARN, -ma MFA_ARN
                        Arn of your AWS Virtual MFA device
  --mfa_token MFA_TOKEN, -mt MFA_TOKEN
                        MFA token to autogenerate your MFA code
  --mfa_code MFA_CODE, -mc MFA_CODE
                        MFA code from your device
  --session_duration SESSION_DURATION, -sd SESSION_DURATION
                        How long your credentials will be valid
  --save, -s            Save the configuration for that profile to '~/.aws/aws_2fa'
  --quiet               Do not print info output
