- Author: Adam Bolte
- Contact: [email protected]
This is a small Bash script that gives the user the ability to quickly obtain AWS session credentials as shell environment variables, using heavily restricted IAM access keys and an MFA device.
For example, a user might have a policy applied to deny nearly any service access until the user has enabled MFA, as described by Amazon here.
https://github.com/sitepoint/aws-mfa-env
These are the dependencies that were tested, and all with the possible exception of the AWS Command Line Interface (AWS CLI) should be available in almost any desktop or server GNU/Linux distribution's package management system.
Place the aws-mfa-env script somewhere in your path. It need not have executable permissions set. Next, add the following line to your shell's startup file (e.g. ~/.bashrc for GNU Bash, ~/.zshrc for Z shell):
. aws-mfa-env
Ensure AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables are set. Additionally, set AWS_MFA_ARN to the ARN of your IAM account's MFA device. It will take this format:
arn:aws:iam::<AWS ACCOUNT>:mfa/<IAM USER>
Once those have been taken care of, simply run the aws-mfa-env command.
$ aws-mfa-env
MFA token: 123456
Success!
Expiration: "2024-07-25T19:13:43+00:00"
$
This will set new values for the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, and also export a new environment variable AWS_SESSION_TOKEN. With these in place, you can now execute other commands from the AWS Command Line Interface (aka. aws-cli) or scripts that use libraries provided by AWS (such as Python scripts that use boto3), provided you have the appropriate permissions to do so.
At no point does aws-mfa-env write the session credentials to a file.
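The flow described above, as an added sketch rather than the aws-mfa-env source: a shell function (the name mfa_session_env is hypothetical) that exchanges the long-term keys and an MFA code for session credentials and exports them without touching disk. It assumes the AWS CLI is on the path, a bash or POSIX sh shell (it relies on word splitting, which zsh does not do by default), and that the file is sourced.

```bash
# Added sketch, not the aws-mfa-env source; mfa_session_env is a hypothetical name.
# Source this file (". file") so the exports land in the calling shell.
mfa_session_env() {
    token=$1

    # The three inputs the README requires must already be in the environment.
    if [ -z "${AWS_ACCESS_KEY_ID:-}" ] || [ -z "${AWS_SECRET_ACCESS_KEY:-}" ] ||
       [ -z "${AWS_MFA_ARN:-}" ]; then
        echo "error: set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_MFA_ARN" >&2
        return 1
    fi

    # STS token codes are six digits; reject anything else before calling out.
    case $token in
        [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "error: MFA token must be six digits" >&2; return 1 ;;
    esac

    # --query with --output text yields four whitespace-separated fields on
    # one line, so no JSON parser is needed.
    creds=$(aws sts get-session-token \
        --serial-number "$AWS_MFA_ARN" \
        --token-code "$token" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
        --output text) || { echo "error: STS request failed" >&2; return 1; }

    # Split into the function's own positional parameters with globbing off.
    # This avoids a here-document, which some shells back with a temporary file.
    set -f; set -- $creds; set +f
    unset creds token
    if [ "$#" -ne 4 ]; then
        echo "error: unexpected STS output" >&2
        return 1
    fi

    # Replace the long-term keys in this shell with the session credentials.
    export AWS_ACCESS_KEY_ID="$1"
    export AWS_SECRET_ACCESS_KEY="$2"
    export AWS_SESSION_TOKEN="$3"
    echo "Expiration: $4"
}
```

On any failure the function returns before the export lines, so the existing environment variables are left as they were.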
If you encounter any bugs or would like to propose a new feature, feel free to open an issue on GitHub; however, please be patient with a response.
Likewise, pull requests are also welcome.
If you like this project, you might also find envswitch useful. These are both stand-alone tools but work very well together.