"wev" plugin for Amazon Web Services multi-factor authentication
Project description
wev-awsmfa: A wev plugin to support Amazon Web Services multi-factor authentication on the command line
wev (with environment variables) is a command line tool for resolving environment variables and running shell commands.
The wev-awsmfa plugin allows you to verify your Amazon Web Services identity via multi-factor authentication without needing to modify your credentials file.
Example
Say your IAM user policy requires you to verify your identity via multi-factor authentication. If you try to use the aws command line…
aws s3 ls
…your request is denied, because you didn't multi-factor authenticate:
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
With an appropriate .wev.yml configuration (see below), you can run the aws command line via wev:
wev aws s3 ls
Resolving AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN...
Please enter your MFA token to authenticate.
Token:
Enter your one-time token, then wev-awsmfa will create a temporary session, set the environment variables, then run the command:
2019-10-13 11:42:03 bucket-one-87yiuhhguy98ouo
2019-10-13 11:42:27 bucket-two-kjhu65564ewtrgd
2020-07-03 15:38:22 bucket-thr-08uytgftryjh766
Installation
Install wev, then:
pip3 install wev-awsmfa
Configuration
The key must be a list of three strings, describing the environment variables to set for:
- The access key ID. You probably want this to be AWS_ACCESS_KEY_ID.
- The secret access key. You probably want this to be AWS_SECRET_ACCESS_KEY.
- The session token. You probably want this to be AWS_SESSION_TOKEN.
Your minimal configuration is likely to look like this:
[AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]:
  plugin:
    id: wev-awsmfa
There are two optional properties:
- mfa_device describes the ARN of the MFA device to use. wev-awsmfa will attempt to discover this automatically if omitted.
- duration describes the duration of the temporary session, in seconds. Default is 900 seconds.
[AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]:
  plugin:
    id: wev-awsmfa
    duration: 1800
    mfa_device: arn:aws:iam::123456789012:mfa/foo
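The flow these settings drive, as an added example that is not wev-awsmfa's own code: a temporary session is requested with the MFA device ARN, the one-time token and the duration, then mapped onto the three configured variable names for the child process only. It assumes the session comes from STS GetSessionToken through boto3's get_session_token; resolve_session_env, run_with_session and the FakeSTS stand-in (with its constructed credential values) are hypothetical names used so the example runs offline.

```python
import os
import re
import subprocess

# STS GetSessionToken accepts 900 to 129600 seconds for an IAM user.
MIN_DURATION, MAX_DURATION = 900, 129600


def resolve_session_env(sts, names, mfa_device, token, duration=900):
    """Map a temporary MFA-backed session onto the three configured names."""
    if len(names) != 3:
        raise ValueError("expected three environment variable names")
    if not re.fullmatch(r"[0-9]{6}", token):
        raise ValueError("MFA token must be six digits")
    if not MIN_DURATION <= duration <= MAX_DURATION:
        raise ValueError("duration out of range for GetSessionToken")
    creds = sts.get_session_token(
        SerialNumber=mfa_device, TokenCode=token, DurationSeconds=duration
    )["Credentials"]
    fields = ("AccessKeyId", "SecretAccessKey", "SessionToken")
    return dict(zip(names, (creds[f] for f in fields)))


def run_with_session(command, session_env):
    """Run command with the session in the child's environment only."""
    child_env = {**os.environ, **session_env}
    return subprocess.run(command, env=child_env, check=False).returncode


class FakeSTS:
    """Constructed stand-in for boto3.client("sts") so this runs offline."""

    def get_session_token(self, SerialNumber, TokenCode, DurationSeconds):
        self.request = (SerialNumber, TokenCode, DurationSeconds)
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",  # constructed value
            "SecretAccessKey": "constructed-secret",
            "SessionToken": "constructed-session-token",
        }}


if __name__ == "__main__":
    names = ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
    env = resolve_session_env(
        FakeSTS(), names, "arn:aws:iam::123456789012:mfa/foo", "123456")
    # Only the child process sees the session; nothing is written to disk.
    run_with_session(["sh", "-c", 'echo "child sees $AWS_ACCESS_KEY_ID"'], env)
```

Because the session lives only in the child's environment, it disappears when the command exits and the long-term keys in the credentials file are never overwritten.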
Development
Test plan
- cd into a new directory and create .wev.yml:
[AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]:
  plugin:
    id: wev-awsmfa
- Create an IAM user named x and attach this inline policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:GetUser",
        "iam:ListMFADevices"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::*:user/${aws:username}"
      ]
    },
    {
      "Action": "s3:ListAllMyBuckets",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      },
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
- Use aws configure to set the user's credentials into a new profile named y.
- Temporarily set this new profile as the default:
export AWS_DEFAULT_PROFILE=<Y>
- Confirm that you do not have permission to list your S3 buckets:
aws s3 ls
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
- Install wev and wev-awsmfa:
pipenv install wev wev-awsmfa
- Use wev to list your S3 buckets:
wev --log-level debug aws s3 ls
You should be prompted for a token, then your S3 buckets should be listed.
File details
Details for the file wev_awsmfa-1.1.0-py3-none-any.whl.
File metadata
- Download URL: wev_awsmfa-1.1.0-py3-none-any.whl
- Upload date:
- Size: 9.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.3.0 pkginfo/1.7.0 requests/2.25.1 setuptools/51.1.2 requests-toolbelt/0.9.1 tqdm/4.56.0 CPython/3.8.7
File hashes
Algorithm | Hash digest
---|---
SHA256 | bfdff37fff1e82321f285841692277f8a131c7b92fc19571e8226973badcd10d
MD5 | 8e047ce10bff7d96eac2d3e19c38be3e
BLAKE2b-256 | 86df244dffaab9b82aceb72f528a00fef6ec456ba777f6c7e7c68efdde3aa655