aws-cli-auth is a CLI tool that authenticates an AWS IAM user with MFA and assumes a role, so that the AWS CLI on your machine works with short-lived role credentials instead of the user's long-term keys.
- Configure AWS IAM user(s) and role(s) according to AWS best practices (see the recommendations below).
- Clone this repo and create a config file; the file type can be `json`, `yaml` or `toml`.
- The config file should look like one of the following (the `User` block holds the IAM user's long-term keys; the top-level keys describe the MFA device and the role to assume):

  yaml:

  ```yaml
  User:
    AccKeyId: "<IAM USER ACCESS KEY ID>"
    SecAccKey: "<IAM USER SECRET ACCESS KEY>"
  DefaultRegion: "<AWS REGION>"
  MFASerial: "<MFA SERIAL ARN>"
  RoleArn: "<ROLE-ARN>"
  SessionName: "<SESSION-NAME>"
  ```

  toml:

  ```toml
  DefaultRegion = "<AWS REGION>"
  MFASerial = "<MFA SERIAL ARN>"
  RoleArn = "<ROLE-ARN>"
  SessionName = "<SESSION-NAME>"

  [User]
  AccKeyId = "<IAM USER ACCESS KEY ID>"
  SecAccKey = "<IAM USER SECRET ACCESS KEY>"
  ```

  json:

  ```json
  {
    "DefaultRegion": "<AWS REGION>",
    "MFASerial": "<MFA SERIAL ARN>",
    "RoleArn": "<ROLE-ARN>",
    "SessionName": "<SESSION-NAME>",
    "User": {
      "AccKeyId": "<IAM USER ACCESS KEY ID>",
      "SecAccKey": "<IAM USER SECRET ACCESS KEY>"
    }
  }
  ```
- Run `go build .`
- Run `./aws-cli-auth -h` to see the help.
- Run `./aws-cli-auth --config=[path/]config.[yaml|toml|json]` to request temporary AWS credentials.
AWS security best practices recommend enabling MFA on the AWS account and using roles to grant limited access to resources for a limited amount of time. In keeping with these practices, I recommend:
- Create an AWS IAM role and attach all the policies that role needs.
- Create an AssumeRole policy that allows assuming that role.
- Create an AWS IAM user with MFA enabled and attach the AssumeRole policy to that user.
- Add the following trust relationship to the IAM role. This trust relationship only allows the user to assume the role if an MFA code was provided:
  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": { "AWS": "<User ARN>" },
        "Action": "sts:AssumeRole",
        "Condition": {
          "Bool": { "aws:MultiFactorAuthPresent": "true" }
        }
      }
    ]
  }
  ```
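The trust policy above is what actually enforces MFA: a role whose `Allow` statement for `sts:AssumeRole` lacks the `aws:MultiFactorAuthPresent` condition can be assumed with the user's long-term keys alone. As an added example, not part of aws-cli-auth, here is a small Go check (stdlib only) that parses a trust policy document and reports every `Allow` statement granting `sts:AssumeRole` (or a wildcard that covers it) that does not require `aws:MultiFactorAuthPresent` to be true under a `Bool` condition. The two sample policies are constructed for this example; `MFATrustPolicy` is the README's policy with a placeholder principal ARN.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Statement models the subset of an IAM policy statement needed for this check.
// Action and condition values may be a string or an array, so they are kept raw.
type Statement struct {
	Effect    string                                `json:"Effect"`
	Action    json.RawMessage                       `json:"Action"`
	Condition map[string]map[string]json.RawMessage `json:"Condition"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// AssumeRoleStatementsMissingMFA returns the indices of Allow statements that
// grant sts:AssumeRole without requiring aws:MultiFactorAuthPresent = true.
func AssumeRoleStatementsMissingMFA(policyJSON []byte) ([]int, error) {
	var p Policy
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return nil, fmt.Errorf("policy is not valid JSON: %w", err)
	}
	var missing []int
	for i, s := range p.Statement {
		if !strings.EqualFold(s.Effect, "Allow") || !grantsAssumeRole(s.Action) {
			continue
		}
		if !requiresMFA(s.Condition) {
			missing = append(missing, i)
		}
	}
	return missing, nil
}

// grantsAssumeRole is true for sts:AssumeRole and for wildcards that include it.
func grantsAssumeRole(raw json.RawMessage) bool {
	for _, a := range asStrings(raw) {
		switch strings.ToLower(a) {
		case "sts:assumerole", "sts:*", "*":
			return true
		}
	}
	return false
}

// requiresMFA accepts only the Bool operator: BoolIfExists in an Allow statement
// would pass when the key is absent, i.e. when no MFA was used at all.
func requiresMFA(cond map[string]map[string]json.RawMessage) bool {
	for op, keys := range cond {
		if !strings.EqualFold(op, "Bool") {
			continue
		}
		for key, raw := range keys {
			if !strings.EqualFold(key, "aws:MultiFactorAuthPresent") {
				continue
			}
			for _, v := range asStrings(raw) {
				if strings.EqualFold(v, "true") {
					return true
				}
			}
		}
	}
	return false
}

// asStrings normalises a JSON string, boolean or array of strings to []string.
func asStrings(raw json.RawMessage) []string {
	var v interface{}
	if err := json.Unmarshal(raw, &v); err != nil {
		return nil
	}
	switch t := v.(type) {
	case string:
		return []string{t}
	case bool:
		return []string{strconv.FormatBool(t)}
	case []interface{}:
		out := make([]string, 0, len(t))
		for _, e := range t {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

// MFATrustPolicy is the README's trust relationship with a placeholder principal.
const MFATrustPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
  "Principal":{"AWS":"arn:aws:iam::123456789012:user/PLACEHOLDER"},"Action":"sts:AssumeRole",
  "Condition":{"Bool":{"aws:MultiFactorAuthPresent":"true"}}}]}`

// WeakTrustPolicy (constructed) has one statement with no condition at all and
// one that names the key but does not require it to be true.
const WeakTrustPolicy = `{"Version":"2012-10-17","Statement":[
  {"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:user/PLACEHOLDER"},"Action":["sts:AssumeRole"]},
  {"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:user/PLACEHOLDER"},"Action":"sts:*",
   "Condition":{"Bool":{"aws:MultiFactorAuthPresent":"false"}}}]}`

func main() {
	for name, doc := range map[string]string{"README policy": MFATrustPolicy, "weak policy": WeakTrustPolicy} {
		missing, err := AssumeRoleStatementsMissingMFA([]byte(doc))
		fmt.Printf("%s: err=%v statements without MFA requirement=%v\n", name, err, missing)
	}
}
```

The role's trust policy can be fetched with `aws iam get-role` and fed to this check; run it after every change to the role, since the tool's own MFA prompt does nothing for security if the role can also be assumed without the condition.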
- beautification