Always protect your personal AWS IAM users with Multi-Factor Authentication (MFA). It adds the small burden of typing six digits each time you log in to the AWS Console, but if you ignore the risk of not enabling MFA, you will regret the day your username and password leak, and even more the day your long-term access keys leak.
This tiny Python script bundle helps you enable MFA on your user and use it together with your long-term access keys. Each day you need to elevate your IAM user's privileges, this tool lets you assume an IAM role you define, with the additional step of typing in your MFA token. The default expiration of these short-term keys is 12 hours.
Clone this repo.
Navigate to the project root directory and install the Python requirements:
pip install -r requirements.txt
Create your AWS IAM access keys and configure the AWS CLI as described below.
Modify $HOME/.aws/config with profile default:
[profile default]
region = eu-west-1
output = json
Modify $HOME/.aws/credentials with:
[my-longterm-credentials]
aws_access_key_id = ACCCCCCCCCCCESS-KEY-ID
aws_secret_access_key = SEEEEEEEEEEEEEEEEEEEEEEECRET-ACCESS-KEY
username = my_iam_user_name
For the usage of awstoken.py run:
python python_files/src/awstoken.py --help
Typical usage:
python python_files/src/awstoken.py --role-name AdministratorRole --long-term-cred-profile my-longterm-credentials --account-id 123456789098
When your IAM user is in the AWS Organization management account, you can omit the --account-id parameter. You will then be prompted with a list of all the AWS accounts present in the AWS Organization.
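The flow behind the script, as an added example that is not the project's own code: build the AssumeRole call with the user's MFA device serial and a six-digit token, check that the role's trust policy actually requires MFA, and write the returned short-term keys to their own profile so the long-term profile is never overwritten. The function names, the configparser handling of ~/.aws/credentials, the hypothetical account ids and the use of boto3 for the STS call are assumptions, not the project's API.

```python
"""Added example, not the aws-mfa-token project's own code: the MFA-gated
AssumeRole flow the README describes, broken into pieces that can be tested
offline. Function names, the configparser handling of ~/.aws/credentials and
the use of boto3 for the STS call are assumptions, not the project's API."""
import configparser
import re
from pathlib import Path

# Lifetime of the short-term keys; the README states a default of 12 hours.
DEFAULT_DURATION_SECONDS = 12 * 60 * 60

# STS accepts AssumeRole sessions between 15 minutes and 12 hours.
MIN_DURATION_SECONDS, MAX_DURATION_SECONDS = 900, 43200

_TOKEN_RE = re.compile(r"^\d{6}$")


def validate_token_code(code: str) -> str:
    """A TOTP token is exactly six digits; reject anything else locally."""
    code = code.strip()
    if not _TOKEN_RE.match(code):
        raise ValueError("MFA token code must be exactly six digits")
    return code


def build_assume_role_params(account_id, role_name, user_account_id, username,
                             token_code, duration_seconds=DEFAULT_DURATION_SECONDS):
    """Arguments for sts.assume_role. The MFA serial is the user's virtual device
    ARN in the user's home account, which may differ from the account that owns
    the role. DurationSeconds must also fit the role's MaxSessionDuration."""
    if not MIN_DURATION_SECONDS <= duration_seconds <= MAX_DURATION_SECONDS:
        raise ValueError("DurationSeconds must be between 900 and 43200")
    return {
        "RoleArn": f"arn:aws:iam::{account_id}:role/{role_name}",
        "RoleSessionName": f"{username}-mfa",
        "SerialNumber": f"arn:aws:iam::{user_account_id}:mfa/{username}",
        "TokenCode": validate_token_code(token_code),
        "DurationSeconds": duration_seconds,
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_requires_mfa(trust_policy: dict) -> bool:
    """True only if every Allow statement granting sts:AssumeRole carries
    aws:MultiFactorAuthPresent = true, so the role cannot be assumed with a
    bare long-term key. Without this condition the MFA prompt is optional."""
    allow = [s for s in _as_list(trust_policy.get("Statement", []))
             if s.get("Effect") == "Allow"
             and "sts:AssumeRole" in _as_list(s.get("Action", []))]
    if not allow:
        return False
    for stmt in allow:
        flag = _as_list(stmt.get("Condition", {}).get("Bool", {})
                        .get("aws:MultiFactorAuthPresent", "false"))
        if str(flag[0]).lower() != "true":
            return False
    return True


def write_short_term_profile(credentials_path, profile, creds) -> Path:
    """Store the temporary keys under their own profile in ~/.aws/credentials,
    leaving the long-term profile untouched. creds is the 'Credentials' dict
    that sts.assume_role returns."""
    path = Path(credentials_path)
    cp = configparser.ConfigParser()
    cp.read(path)
    if not cp.has_section(profile):
        cp.add_section(profile)
    cp[profile]["aws_access_key_id"] = creds["AccessKeyId"]
    cp[profile]["aws_secret_access_key"] = creds["SecretAccessKey"]
    cp[profile]["aws_session_token"] = creds["SessionToken"]
    expiration = creds["Expiration"]
    cp[profile]["expiration"] = (expiration.isoformat()
                                 if hasattr(expiration, "isoformat") else str(expiration))
    with path.open("w") as fh:
        cp.write(fh)
    path.chmod(0o600)  # the credentials file should be readable by its owner only
    return path


def read_profile(credentials_path, profile) -> dict:
    """Read one profile back as a plain dict (used to verify what was written)."""
    cp = configparser.ConfigParser()
    cp.read(credentials_path)
    return dict(cp[profile])


def assume_role_with_mfa(long_term_profile, params) -> dict:
    """Perform the STS call with boto3 (imported here so the rest of the module
    runs without it) and return the temporary credentials."""
    import boto3  # assumption: boto3 is installed
    session = boto3.Session(profile_name=long_term_profile)
    return session.client("sts").assume_role(**params)["Credentials"]


if __name__ == "__main__":
    # Hypothetical values mirroring the README's typical usage.
    from getpass import getpass
    params = build_assume_role_params("123456789098", "AdministratorRole",
                                      "111111111111", "my_iam_user_name",
                                      getpass("MFA token: "))
    creds = assume_role_with_mfa("my-longterm-credentials", params)
    write_short_term_profile(Path.home() / ".aws" / "credentials", "default", creds)
```

Two points worth checking on your own roles: a 12-hour session only works if the role's Maximum session duration has been raised from its 1-hour default, and it only works when you assume the role directly from IAM user credentials (assuming from another role caps the session at 1 hour). The trust-policy check matters because the script's MFA prompt by itself enforces nothing; only a trust policy with the aws:MultiFactorAuthPresent condition makes a leaked long-term key useless for assuming the role.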
macOS users will preferably create an alias for a commonly used configuration.
Add to ~/.zshrc:
alias aws-token-audit="python /Users/your_path_to_repo/aws-mfa-token/python_files/src/awstoken.py --role-name AdministratorRole --long-term-cred-profile my-longterm-credentials --account-id 123456789098"
2:34 min video on how to set up and use AWS MFA Token.