How does --mfa-secret work? #3
stefansundin started this conversation in General
Replies: 0 comments
If you have set up your S3 bucket to require MFA to upload files, then the `--mfa-secret` feature may help you with uploads that take a very long time. The longest allowable time that you can assume a role is 12 hours (since 2018). You have to configure your role to allow more than 1 hour (which was the previous limit). You have to use `--mfa-duration 12h` if you want the session to last longer than 1 hour. If your upload takes longer than 12 hours and you have to use MFA, then the upload will stop and you will have to enter another TOTP code.

To work around this problem, I added the `--mfa-secret` feature. You can give shrimp the MFA secret, which will allow shrimp to generate the TOTP codes on its own. You can get the MFA secret when you set up your MFA. Disclaimer: Be very careful of where you store the secret. If you ever think you accidentally sent the MFA secret over the network, then revoke it immediately.

Instead of using this, I recommend that you consider creating a separate user with limited permissions, only enough to perform the upload. You can even give that user an MFA if needed. This way there is much less risk in handing the MFA secret to a program like shrimp.

In order to protect your secret, shrimp does not let you pass it as an argument. Instead it will prompt you for the secret when you run the command. shrimp will then erase the line with the MFA secret from the terminal.

If you can't enter the secret interactively, then you can pass the secret to shrimp using the environment variable `AWS_MFA_SECRET`. You can use `--debug` if you want to see the codes that are generated.

I think this is a very cool feature. Let me know if you have any problems with it.
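What "generate the TOTP codes on its own" means in practice is the RFC 6238 computation that an authenticator app performs: HMAC-SHA1 over a 30-second counter, dynamically truncated to 6 digits, which is the scheme AWS virtual MFA devices use. The following is an added example, not shrimp's own code; it assumes the secret is the base32 string shown during virtual MFA setup, reads it from the `AWS_MFA_SECRET` environment variable rather than from argv (so it never lands in `ps` output or shell history), and checks itself against the RFC 6238 test vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"os"
	"strings"
	"time"
)

// totp computes a 6-digit RFC 6238 code (HMAC-SHA1, 30-second time step),
// the parameters used by AWS virtual MFA devices.
func totp(secret []byte, t time.Time) string {
	counter := uint64(t.Unix()) / 30
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)

	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)

	// Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last
	// byte selects a 4-byte window; the top bit is masked off.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// decodeSecret accepts the base32 secret as AWS displays it during virtual
// MFA setup; spaces, lower case and trailing '=' padding are tolerated.
func decodeSecret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	s = strings.TrimRight(s, "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// secretFromEnv follows the AWS_MFA_SECRET convention from the post: the
// secret comes from the environment, never from a command-line argument.
func secretFromEnv() ([]byte, error) {
	v, ok := os.LookupEnv("AWS_MFA_SECRET")
	if !ok || v == "" {
		return nil, fmt.Errorf("AWS_MFA_SECRET is not set")
	}
	return decodeSecret(v)
}

func main() {
	secret, err := secretFromEnv()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Prints the code valid right now, like the --debug output described above.
	fmt.Println(totp(secret, time.Now()))
}
```

The constructed secret in the test below is the RFC 6238 reference key (the ASCII bytes `12345678901234567890`), which base32-encodes to `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`; the expected codes are the RFC's SHA-1 vectors truncated to 6 digits.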