Simple tool to refresh an MFA token for AWS IAM account (using STS)

jdevelop/go-aws-mfa

Why

If you have an MFA-enabled account on Amazon AWS, you need to refresh the token periodically in order to use the AWS CLI toolkit.

The sequence of actions is:

  • using the primary AWS account, request the list of MFA devices configured for this account
  • issue an STS request to get the session token
  • update the ~/.aws/credentials file with the received access key, secret key and session token for the given profile

This simple flow is implemented as a Go utility that only updates the existing profile in ~/.aws/credentials with the access key, secret key and session token.
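The third step of the sequence above (replacing only the target profile's keys in the credentials file) as an added Go example; it is not code from go-aws-mfa. The `Creds` type, the `UpsertProfile` function and the sample file contents are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Creds holds the three values an STS session-token response provides.
type Creds struct{ AccessKey, SecretKey, SessionToken string }

// UpsertProfile replaces [profile] in the credentials text (or appends it); other sections stay verbatim.
func UpsertProfile(content, profile string, c Creds) (string, error) {
	// Refuse names that could break out of the section header.
	if profile == "" || strings.ContainsAny(profile, "[]\r\n") {
		return "", fmt.Errorf("invalid profile name %q", profile)
	}
	section := fmt.Sprintf("[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s",
		profile, c.AccessKey, c.SecretKey, c.SessionToken)
	var out []string
	skipping, replaced := false, false
	for _, line := range strings.Split(strings.TrimRight(content, "\n"), "\n") {
		t := strings.TrimSpace(line)
		if strings.HasPrefix(t, "[") && strings.HasSuffix(t, "]") {
			skipping = strings.TrimSpace(t[1:len(t)-1]) == profile
			if skipping && !replaced {
				out = append(out, section, "")
				replaced = true
			}
		}
		if !skipping {
			out = append(out, line)
		}
	}
	if !replaced {
		out = append(out, "", section)
	}
	return strings.Trim(strings.Join(out, "\n"), "\n") + "\n", nil
}

func main() {
	// Constructed sample file; the key values are placeholders, not real keys.
	in := "[user1]\naws_access_key_id = AKIAEXAMPLE\naws_secret_access_key = primary\n\n" +
		"[user1-mfa]\naws_access_key_id = OLD\naws_secret_access_key = OLD\naws_session_token = OLD\n"
	out, err := UpsertProfile(in, "user1-mfa", Creds{"ASIAEXAMPLE", "tmp-secret", "tmp-token"})
	if err != nil {
		panic(err)
	}
	fmt.Print(out) // when persisting, write with mode 0600 so only the owner can read the keys
}
```

The primary profile's long-lived keys are left untouched, and a profile name containing brackets or newlines is rejected rather than written into the file.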

There is another utility, awsmfa, with extended functionality for AWS key management and rotation.

How

Usage of ./go-aws-mfa:
  -d string
        MFA-enabled profile
  -s string
        Source (primary) profile

where

  • -s specifies the IAM role that has an MFA device configured
  • -d specifies the target profile whose credentials are added or replaced.

Example

./go-aws-mfa -s user1 -d user1-mfa will ask for the token code for the MFA device configured for user1. The temporary credentials are then stored under user1-mfa. To use those temporary credentials with awscli, set the AWS_PROFILE environment variable to user1-mfa and invoke the aws command normally, for example:

AWS_PROFILE=user1-mfa aws s3 ls s3://bucket-user1/
