Skip to content
Get short lived temporary AWS credentials in an easy way.
Python
Branch: master
Clone or download

Latest commit

Fetching latest commit…
Cannot retrieve the latest commit at this time.

Files

Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore
LICENSE
README.md
get-temporary-credentials.py

README.md

Easy AWS Credentials

This is a python script for easy handling and generation of AWS temporary security credentials.

The script is based on the AWS configuration for profiles and credentials and adds some extra possibilities.

You can either generate session tokens, to be used for IAM users with MFA requirements, or you can use it to assume a IAM Role using MFA.

AWS Configuration

The Shared Credentials file (usually located in ~/.aws/credentials)
The Config file (usually located in ~/.aws/config)

Get session tokens

To have the script creating session tokens create profile in the config file and add the long lived AWS IAM credentials in the credentials file.

To use MFA add mfa_serial to the configuration.

The script will by default generate tokens valid for 1 hour, this can be changes by adding session_duration and specify a value between 900 and 43200 seconds.

Config file

[profile session-with-mfa]
region = eu-west-1
mfa_serial = arn:aws:iam::123456789011:mfa/cli-user
session_duration = 7200
Credentials file

[session-with-mfa]
aws_access_key_id = <YOUR ACCESS KEY>
aws_secret_access_key = <YOUR SECRET KEY>

Assuming a role

When assuming a role you need to specify additional parameters. Start by creating a profile in config file. Now you need to specify the role_arn parameter. This is what will trigger the script to assume a role instead of creating session tokens.

If you like to use AWS long lived credentials from a different profile you add either source_profile or credential_source parameter.

It is highly recommended that you add role_session_name to be able to distinguish between different users. If role_session_name is nor specified the default value easy-credentials will be used.

To use MFA add mfa_serial parameter.

The script will by default generate credentials valid for 1 hour, this can be changes by adding session_duration and specify a value between 900 and 43200 seconds.

Config file

[profile role-with-mfa]
region = eu-west-1
role_arn=arn:aws:iam::123456789011:role/user-role
source_profile=session-profile
mfa_serial = arn:aws:iam::123456789011:mfa/cli-user
role_session_name = my-user-name

Credentials file

[session-profile]
aws_access_key_id = <YOUR ACCESS KEY>
aws_secret_access_key = <YOUR SECRET KEY>

Usage

Run the script e.g. python3 get-temporary-credentials.py You will be asked to select a profile that will be used to generate credentials. You will be asked to name a profile in which the temporary credentials will be stored, if this is left blank the environment variables will just be printed. If the selected profile has MFA configuration you will be asked to enter your token code.

You can also specify all or some parameters when calling the script.
--profile Specifies the profile to create credentials for.
--temp_profile Specifies the temp profile to store the credentials in, put to NONE to print as environment variables.
--mfa_token Specifies the MFA token to use in case of MFA.

python3 get-temporary-credentials.py --profile session-with-mfa --temp_profile default --mfa_token 123456
You can’t perform that action at this time.