mvanderlee/aws_auth

AWS Auth

pip install aws-auth-utils

aws configure --profile mfa-source

aws_auth mfa

The commands use click for argument parsing, and if required arguments are missing they will prompt you for them.

To authenticate using your MFA token, you will need to have a profile configured with a regular AWS Access Key.

We will use that profile and your MFA token to generate an authorized session profile. By default we will try to use the mfa-source profile and create the default profile.

If you only have a single MFA device set up, it will use that automatically. If you have multiple, it will use the first one.

MFA

$ aws_auth mfa --help
Usage: aws_auth mfa [OPTIONS]

Options:
  -a, --mfa-arn TEXT          The identification number of the MFA device that
                              is associated with the IAM user. i.e.:
                              "arn:aws:iam::123456789012:mfa/tony.stark". You
                              can find this on the IAM page.
  -c, --code TEXT             The code generated by your MFA device.
  -d, --duration INTEGER      The duration, in seconds, of the session.
  -sp, --source-profile TEXT  What AWS profile to get the session token with.
  -tp, --target-profile TEXT  What AWS profile to store the credentials under.
  -v, --verbose BOOLEAN
  --help                      Show this message and exit.
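
The flow described above (long-term key in the source profile, MFA code exchanged for a session, session stored under the target profile), sketched as an added example; this is not the project's own code. It assumes boto3 for the STS call, and the function names `fetch_mfa_session` and `store_session` are hypothetical. The storage step keeps the source profile untouched and writes the file with owner-only permissions.

```python
import configparser
import os
import tempfile
from pathlib import Path


def fetch_mfa_session(source_profile, mfa_arn, code, duration):
    """Exchange the long-term key in source_profile plus an MFA code for
    temporary credentials via STS GetSessionToken (assumes boto3)."""
    import boto3  # imported lazily so store_session works without boto3

    sts = boto3.Session(profile_name=source_profile).client("sts")
    resp = sts.get_session_token(
        SerialNumber=mfa_arn, TokenCode=code, DurationSeconds=duration
    )
    return resp["Credentials"]


def store_session(creds, target_profile, path):
    """Write temporary credentials under target_profile in the credentials
    file at path, leaving every other profile as it was."""
    path = Path(path)
    # RawConfigParser: no '%' interpolation, so secrets round-trip unchanged
    cfg = configparser.RawConfigParser()
    cfg.read(path)
    cfg[target_profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    # mkstemp creates the file with mode 0600; the rename is atomic, so the
    # secrets are never readable by other users or left half-written.
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".credentials.")
    try:
        with os.fdopen(fd, "w") as fh:
            cfg.write(fh)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return cfg.sections()
```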

Assume Role

The assume command is useful for multi-org environments where you want to impersonate a role in a child organization. If you access multiple organizations, I recommend you set up aliases.

aws_auth assume \
  --role-arn arn:aws:iam::123456789012:role/OrganizationAccountAccessRole \
  --session-name child_org \
  --target-profile child_session

$ aws_auth assume --help
Usage: aws_auth assume [OPTIONS]

  Get MFA authenticated and assumed role session credentials and save them to
  the aws credentials file

  If you have multiple accounts you'd like to switch between, I recommend
  setting up aliases that call this script with predefined arguments.

Options:
  -r, --role-arn TEXT         The Arn of the Role to assume.
  -n, --session-name TEXT     The identifier for the assumed role session.
  -a, --mfa-arn TEXT          The identification number of the MFA device that
                              is associated with the IAM user. i.e.:
                              "arn:aws:iam::123456789012:mfa/tony.stark". You
                              can find this on the IAM page.
  -c, --code TEXT             The code generated by your MFA device.
  -d, --duration INTEGER      The duration, in seconds, of the session.
                              (defaults to 4 hours)
  -sp, --source-profile TEXT  What AWS profile to get the session token with.
  -tp, --target-profile TEXT  What AWS profile to store the credentials under.
  -v, --verbose BOOLEAN
  --help                      Show this message and exit.
