Convenience wrapper for MFA-authenticated AWS STS sessions
Reason this release was yanked:
aws-myfa is deprecated, consider using victorykit-paws
Project description
Create and maintain AWS CLI profiles requiring MFA-authenticated STS sessions with ease.
If you don’t know what this script is for, don’t waste your time, you’ll probably won’t need it.
A bad example:
python3 aws-mfa-profile.py
–mfa-device-arn “arn:aws:iam::XXXXXXXXXXXX:mfa/me” –yes
This will use your default profile and overwrite it. You’ll have to get new AWS IAM user access keys afterwards.
Do this instead:
python3 aws-mfa-profile.py
”my-new-mfa-authenticated-profile-name” “my-mfa-device-owning-principal-profile-name” –mfa-device-arn “arn:aws:iam::XXXXXXXXXXXX:mfa/me”
You will use the AWS CLI profile named
my-mfa-device-owning-principal-profile-name
from your ~/.aws/config file
to get an AWS STS session token and create or update a profile named
my-new-mfa-authenticated-profile-name
, which links to source profile in
~/.aws/credentials named my-new-mfa-authenticated-profile-name
.
Add the --yes
flag to acknowledge all yes/no prompts.
If you want to update an existing MFA profile you’ve already created, it is sufficient to do the following:
python3 aws-mfa-profile.py -y “my-new-mfa-authenticated-profile-name”
View this help documentation:
python3 aws-mfa-profile.py --help
Create a system daemon or shell script (CRON, etc.) to do this recurrently, there is open-source software for virtual MFA devices to do this. Will your security officer be mad at you for doing this? Probably… The point of MFA is, to have multiple authentication factors from multiple systems. The greater the separation between the systems, the better. Having both, a password and a token-device on the same physical system is bad enough, but having it in the same software system (e.g. like 1Password, Bitwarden, etc.) is really bad… It’s annoying sometimes, but there is no better option as of yet.
Use it at your own discretion, but try not to automate too much of the authentication process, PLEASE!
Want to extend the functionality? Make main() small again!
usage: aws-myfa [-h] [--config FILE] [--yes] [--mfa-device-arn FILE] [--mfa-token-code TOKEN_CODE] [--credentials FILE] TARGET_PROFILE [PRINCIPAL_PROFILE]
Positional Arguments
Named Arguments
Your current AWS CLI profiles will be retained.
Getting Started
The following commands are required:
-
python3
-
pip
-
pipenv
(Development)
Next, install and make sure the command is available.
$ python3 -m pip install victorykit-aws-myfa
$ aws-myfa --help
Alternatively, you can clone the repository and install via pipenv
$ mkdir aws-myfa && cd $_ && git clone git@bitbucket.org:victorykit/py-aws-myfa.git .
$ python3 -m pipenv install -d
$ python3 -m pipenv run aws-myfa --help
The documentation can be built through the pipenv enironment
$ python3 -m pipenv run htmldocgen
$ python3 -m pipenv run mddocgen
Usage Examples
A bad example:
aws-mfa \
--mfa-device-arn "arn:aws:iam::XXXXXXXXXXXX:mfa/me" \
--yes
This will use your default profile and overwrite it. You’ll have to get new AWS IAM user access keys afterwards.
Do this instead:
aws-myfa \
--mfa-device-arn 'arn:aws:iam::XXXXXXXXXXXX:mfa/me' \
'my-new-mfa-authenticated-profile-name' \
'my-mfa-device-owning-principal-profile-name' \
You will use the AWS CLI profile named
my-mfa-device-owning-principal-profile-name
from your ~/.aws/config file
to get an AWS STS session token and create or update a profile named
my-new-mfa-authenticated-profile-name
, which links to source profile in
~/.aws/credentials named my-new-mfa-authenticated-profile-name
.
Add the --yes
flag to acknowledge all yes/no prompts.
If you want to update an existing MFA profile you’ve already created, it is sufficient to do the following:
aws-myfa -y 'my-new-mfa-authenticated-profile-name'
View this help documentation:
python3 aws-myfa --help
Create a system daemon or shell script (CRON, etc.) to do this recurrently, there is open-source software for virtual MFA devices to do this. Will your security officer be mad at you for doing this? Probably… The point of MFA is, to have multiple authentication factors from multiple systems. The greater the separation between the systems, the better. Having both, a password and a token-device on the same physical system is bad enough, but having it in the same software system (e.g. like 1Password, Bitwarden, etc.) is really bad… It’s annoying sometimes, but there is no better option as of yet.
License
DL-DE->BY-2.0
Datenlizenz Deutschland – Namensnennung – Version 2.0
(1) Jede Nutzung ist unter den Bedingungen dieser „Datenlizenz Deutschland – Namensnennung – Version 2.0" zulässig.
Die bereitgestellten Daten und Metadaten dürfen für die kommerzielle und nicht kommerzielle Nutzung insbesondere
vervielfältigt, ausgedruckt, präsentiert, verändert, bearbeitet sowie an Dritte übermittelt werden;
mit eigenen Daten und Daten Anderer zusammengeführt und zu selbständigen neuen Datensätzen verbunden werden;
in interne und externe Geschäftsprozesse, Produkte und Anwendungen in öffentlichen und nicht öffentlichen elektronischen Netzwerken eingebunden werden.
(2) Bei der Nutzung ist sicherzustellen, dass folgende Angaben als Quellenvermerk enthalten sind:
Bezeichnung des Bereitstellers nach dessen Maßgabe,
der Vermerk „Datenlizenz Deutschland – Namensnennung – Version 2.0" oder „dl-de/by-2-0" mit Verweis auf den Lizenztext unter www.govdata.de/dl-de/by-2-0 sowie
einen Verweis auf den Datensatz (URI).
Dies gilt nur soweit die datenhaltende Stelle die Angaben 1. bis 3. zum Quellenvermerk bereitstellt.
(3) Veränderungen, Bearbeitungen, neue Gestaltungen oder sonstige Abwandlungen sind im Quellenvermerk mit dem Hinweis zu versehen, dass die Daten geändert wurden.
Data licence Germany – attribution – version 2.0
(1) Any use will be permitted provided it fulfils the requirements of this "Data licence Germany – attribution – Version 2.0".
The data and meta-data provided may, for commercial and non-commercial use, in particular
be copied, printed, presented, altered, processed and transmitted to third parties;
be merged with own data and with the data of others and be combined to form new and independent datasets;
be integrated in internal and external business processes, products and applications in public and non-public electronic networks.
(2) The user must ensure that the source note contains the following information:
the name of the provider,
the annotation "Data licence Germany – attribution – Version 2.0" or "dl-de/by-2-0" referring to the licence text available at www.govdata.de/dl-de/by-2-0, and
a reference to the dataset (URI).
This applies only if the entity keeping the data provides the pieces of information 1-3 for the source note.
(3) Changes, editing, new designs or other amendments must be marked as such in the source note.
URL: http://www.govdata.de/dl-de/by-2-0
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for victorykit-aws-myfa-1.0.0.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 3aa3fe38a3972a6d1676b2b8aab63957765da4eaee31c4db3ecc671a19c842bc |
|
MD5 | ad40ad520476f0de86b9dddee2d77e7d |
|
BLAKE2b-256 | 898d886237b28ea1e6413921c84c800c3a6527d3b74f6576548d9244e28304cf |
Hashes for victorykit_aws_myfa-1.0.0-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | fa83438d9a029dbda6a8fa94856584654a6e9bd4ab915f667925c67a64a3c1f3 |
|
MD5 | ea1e13a953c56ce2a73f0f63d0b4a281 |
|
BLAKE2b-256 | a93e6e9f92a780a25946dc24252dac2ba0bdca6778e9889618d66d3b864557b1 |