Easy AWS MFA authentication and role assuming

Project description

AWS Auth

pip install aws-auth-utils

aws configure --profile mfa-source

aws_auth mfa

The commands use click for argument parsing; if a required argument is missing, you will be prompted for it.

To authenticate with your MFA token, you need a profile configured with a regular AWS Access Key.

We will use that profile and your MFA token to generate an authorized session profile. By default we will try to use the mfa-source profile and create the default profile.

If you only have a single MFA device set up, it will use that automatically. If you have multiple, it will use the first one.

MFA

$ aws_auth mfa --help
Usage: aws_auth mfa [OPTIONS]

Options:
  -a, --mfa-arn TEXT          The identification number of the MFA device that
                              is associated with the IAM user. i.e.:
                              "arn:aws:iam::123456789012:mfa/tony.stark". You
                              can find this on the IAM page.
  -c, --code TEXT             The code generated by your MFA device.
  -d, --duration INTEGER      The duration, in seconds, of the session.
  -sp, --source-profile TEXT  What AWS profile to get the session token with.
  -tp, --target-profile TEXT  What AWS profile to store the credentials under.
  -v, --verbose BOOLEAN
  --help                      Show this message and exit.
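
The MFA flow described above, written out with boto3 as an added example (this is not the aws-auth-utils source): pick the first MFA device, call STS GetSessionToken, and write the result under the target profile with mode 0600. The function names and the 14400-second default duration are assumptions; boto3 is only imported for the live run at the bottom.

```python
import configparser
import os
from pathlib import Path


def pick_mfa_serial(iam_client):
    """Return the serial (ARN) of the caller's first MFA device."""
    devices = iam_client.list_mfa_devices()["MFADevices"]
    if not devices:
        raise RuntimeError("no MFA device is registered for this IAM user")
    return devices[0]["SerialNumber"]


def mfa_session(sts_client, serial, code, duration=14400):
    """Exchange long-lived keys plus a one-time code for temporary credentials."""
    resp = sts_client.get_session_token(
        SerialNumber=serial, TokenCode=code, DurationSeconds=duration
    )
    return resp["Credentials"]


def store_profile(creds, profile, path):
    """Write the session under `profile`, keeping other profiles, mode 0600."""
    path = Path(path)
    cfg = configparser.RawConfigParser()  # raw: tokens may contain '%'
    cfg.read(path)  # a missing file is simply treated as empty
    cfg[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)  # tighten a file that already existed with looser bits


if __name__ == "__main__":
    import boto3  # live AWS calls; needs the mfa-source profile from `aws configure`

    source = boto3.Session(profile_name="mfa-source")
    serial = pick_mfa_serial(source.client("iam"))
    creds = mfa_session(source.client("sts"), serial, input("MFA code: "))
    store_profile(creds, "default", Path.home() / ".aws" / "credentials")
```

The long-lived access key stays in the source profile, so the credentials file still holds a secret that does not expire; only the target profile is time-limited.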

Assume Role

The assume command is useful for multi-org environments where you want to impersonate a role in a child organization. If you access multiple organizations, I recommend you set up aliases.

aws_auth assume \
  --role-arn arn:aws:iam::123456789012:role/OrganizationAccountAccessRole \
  --session-name child_org \
  --target-profile child_session

$ aws_auth assume --help
Usage: aws_auth assume [OPTIONS]

  Get MFA authenticated and assumed role session credentials and save them to
  the aws credentials file

  If you have multiple accounts you'd like to switch between, I recommend
  setting up aliases that call this script with predefined arguments.

Options:
  -r, --role-arn TEXT         The Arn of the Role to assume.
  -n, --session-name TEXT     The identifier for the assumed role session.
  -a, --mfa-arn TEXT          The identification number of the MFA device that
                              is associated with the IAM user. i.e.:
                              "arn:aws:iam::123456789012:mfa/tony.stark". You
                              can find this on the IAM page.
  -c, --code TEXT             The code generated by your MFA device.
  -d, --duration INTEGER      The duration, in seconds, of the session.
                              (defaults to 4 hours)
  -sp, --source-profile TEXT  What AWS profile to get the session token with.
  -tp, --target-profile TEXT  What AWS profile to store the credentials under.
  -v, --verbose BOOLEAN
  --help                      Show this message and exit.

Export Token

Simply export tokens and store them as standard credentials. Useful when dealing with SSO sessions that some tools don't handle.

aws_auth export \
  --source-profile default \
  --target-profile exported-token

Download files

Source Distribution

aws_auth_utils-1.2.0.tar.gz (6.1 kB)

Uploaded Source

Built Distribution

aws_auth_utils-1.2.0-py3-none-any.whl (6.1 kB)

Uploaded Python 3

File details

Details for the file aws_auth_utils-1.2.0.tar.gz.

File metadata

  • Download URL: aws_auth_utils-1.2.0.tar.gz
  • Upload date:
  • Size: 6.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: Hatch/1.16.3 cpython/3.13.0 HTTPX/0.28.1

File hashes

Hashes for aws_auth_utils-1.2.0.tar.gz
Algorithm Hash digest
SHA256 601af7f4e4015db7f595629e523cfb605c9c6ea197d2ebbf09a6cd1b49223e34
MD5 1f1ea22dce2d11e82090644de42911a7
BLAKE2b-256 0923bac9d476037641a3e4662b4ee753dd119e7f2772bdb677a2f91ad5e5ccf7

File details

Details for the file aws_auth_utils-1.2.0-py3-none-any.whl.

File metadata

  • Download URL: aws_auth_utils-1.2.0-py3-none-any.whl
  • Upload date:
  • Size: 6.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: Hatch/1.16.3 cpython/3.13.0 HTTPX/0.28.1

File hashes

Hashes for aws_auth_utils-1.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 7387ebe93aa318adb5207ae7cb9e7c26a71a67ad10fee9a780b110f2d4e0d4ba
MD5 986154c4a72e796215f6d56b7dfa5591
BLAKE2b-256 0a1a89debbcf296ce12018c1c8a4f7993836ea1825d9139eee8dd214e2c46206
