Skip to content
/ aws-bash Public

Is a very simple utility that allows secure AWS CLI authentication with multi-factor authentication (MFA) device without storing authentication token in the credential file.

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

knuppe/aws-bash

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
aws-mfa-policy.json
aws-mfa-policy.json
 
 
go.mod
go.mod
 
 
main.go
main.go
 
 
readme.md
readme.md
 
 

Repository files navigation

AWS-MFA

Is a very simple utility that allows secure authentication with multi-factor authentication (MFA) device without storing authentication token in the credential file ~/.aws/credentials.

How it works

The environment variables in the AWS CLI have a higher precedence than the credentials file, so it is possible to pass these variables only to a child bash process securely without storing the AWS_SESSION_TOKEN in the credentials file ~/.aws/credentials.

So, in practice these environment variables are visible "only" to the bash process that executes the commands, making the authentication process and using the AWS CLI much safer.

Features

  • Pure Go without dependencies (as it should be).
  • Retrieves the account id and assigns the AWS_ACCOUNT environment value for the child bash process.
  • Retrieves the user MFA device Arn automatically.
  • Retrieves the session token and stores the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN environment variables that are used by the AWS CLI.
  • Automatically closes the bash process when the session token expires.

Requirements

  1. The MFA-Required policy must be assigned to the user.

    Attention: The two-factor authentication requirement is enforced by the policy, if it is misconfigured, this authentication method will not bring any security improvement.

  2. The user must have assigned a MFA device, in the security credentials.

  3. AWS Command Line Interface must be installed in the local machine.

  4. The user account (only AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) must be configured in the local profile ~/.aws/credentials.

MFA-Required policy

The policy has the following features

  • Denies all resource or service access if MFA is not setup for the IAM User. It only has permission when MFA is not enabled for accessing the IAM User’s page and for adding or deleting MFA.
  • This will even deny users with attached AdministratorAccess Policy from accessing other resources if MFA is not enabled.
  • User can change password even if MFA is not configured when “User must create a new password at next sign-in” is selected .
  • Password change is disabled via IAM Console if the user has not yet configured MFA.
  • IAM Users can only see their own IAM settings. They will not be able to see settings for other users.
  • IAM User can configure Virtual MFA, U2F and hardware MFA.

The policy above does NOT include the following even when MFA is configured.

  • Access Keys
  • Signing Certificates
  • SSH Public Keys for CodeCommit
  • Git Credentials for CodeCommit

About

Is a very simple utility that allows secure AWS CLI authentication with multi-factor authentication (MFA) device without storing authentication token in the credential file.

Topics

aws aws-cli aws-cli-utilities

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 1

Initial release Latest
Jul 2, 2022

Packages

No packages published

Languages