"wev" plugin for Amazon Web Services multi-factor authentication
wev-awsmfa: A wev plugin to support Amazon Web Services multi-factor authentication on the command line
wev (with environment variables) is a command line tool for resolving environment variables and running shell commands.
The wev-awsmfa plugin allows you to verify your Amazon Web Services identity via multi-factor authentication without needing to modify your credentials file.
Example
Say your IAM user policy requires you to verify your identity via multi-factor authentication. If you try to use the aws command line…
aws s3 ls
…your request is denied, because you didn't multi-factor authenticate:
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
With an appropriate .wev.yml configuration (see below), you can run the aws command line via wev:
wev aws s3 ls
Resolving AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN...
We need your token.
Token:
Enter your one-time token, then wev-awsmfa will create a temporary session, set the environment variables, then run the command:
2019-10-13 11:42:03 bucket-one-87yiuhhguy98ouo
2019-10-13 11:42:27 bucket-two-kjhu65564ewtrgd
2020-07-03 15:38:22 bucket-thr-08uytgftryjh766
Installation
Install wev, then:
pip3 install wev-awsmfa
Configuration
The key must be a list of three strings, describing the environment variables to set for:
- The access key ID. You probably want this to be AWS_ACCESS_KEY_ID.
- The secret access key. You probably want this to be AWS_SECRET_ACCESS_KEY.
- The session token. You probably want this to be AWS_SESSION_TOKEN.
Your minimal configuration is likely to look like this:
[AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]:
  plugin:
    id: wev-awsmfa
There are two optional properties:
- mfa_device describes the ARN of the MFA device to use. wev-awsmfa will attempt to discover this automatically if omitted.
- duration describes the duration of the temporary session, in seconds. Default is 900 seconds.
[AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]:
  plugin:
    id: wev-awsmfa
    duration: 1800
    mfa_device: arn:aws:iam::123456789012:mfa/foo
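The flow described above (discover the MFA device, create a temporary session from a one-time token, set the three variables, run the command) can be sketched as follows. This is an added example, not wev-awsmfa's own code: the function names are hypothetical, the clients are assumed to be boto3 iam and sts clients built from your long-term credentials, and the token format and duration bounds are those of the STS GetSessionToken API.

```python
import os
import subprocess

MIN_DURATION = 900     # STS GetSessionToken minimum; also the default stated above
MAX_DURATION = 129600  # STS GetSessionToken maximum for an IAM user (36 hours)


def discover_mfa_device(iam_client):
    """Return the calling user's MFA device serial (ARN); never guess between several."""
    devices = iam_client.list_mfa_devices()["MFADevices"]
    if len(devices) != 1:
        raise LookupError(f"found {len(devices)} MFA devices; set mfa_device explicitly")
    return devices[0]["SerialNumber"]


def resolve_session_env(sts_client, iam_client, token, names,
                        duration=MIN_DURATION, mfa_device=None):
    """Trade long-term keys plus a one-time token for session credentials.

    Returns {variable name: value} for the three configured names, in the
    order access key ID, secret access key, session token.
    """
    if len(names) != 3:
        raise ValueError("the key must list exactly three variable names")
    # Reject malformed tokens locally rather than spending an STS call on them.
    if not (token.isascii() and token.isdigit() and len(token) == 6):
        raise ValueError("token must be six digits")
    if not MIN_DURATION <= duration <= MAX_DURATION:
        raise ValueError("duration is outside the range STS accepts")
    serial = mfa_device or discover_mfa_device(iam_client)
    creds = sts_client.get_session_token(
        DurationSeconds=duration, SerialNumber=serial, TokenCode=token
    )["Credentials"]
    values = (creds["AccessKeyId"], creds["SecretAccessKey"], creds["SessionToken"])
    return dict(zip(names, values))


def run_with_session(command, session_env):
    """Run command with the session variables in a copy of the environment.

    The credentials exist only in the child's environment: the credentials
    file and the parent shell are left untouched.
    """
    merged = {**os.environ, **session_env}
    return subprocess.run(command, env=merged, check=False).returncode
```

Because the session credentials are passed only to the child process, they disappear when the command exits and expire on the AWS side after the configured duration.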
Development
Test plan
- cd into a new directory and create .wev.yml:
[AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]:
  plugin:
    id: wev-awsmfa
- Create an IAM user named x and attach this inline policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ListMFADevices"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "s3:ListAllMyBuckets",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      },
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
- Use aws configure to set the user's credentials into a new profile named y.
- Temporarily set this new profile as the default:
export AWS_DEFAULT_PROFILE=<Y>
- Confirm that you do not have permission to list your S3 buckets:
aws s3 ls
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
- Install wev and wev-awsmfa:
pipenv install wev wev-awsmfa
- Use wev to list your S3 buckets:
wev --log-level debug aws s3 ls
You should be prompted for a token, then your S3 buckets should be listed.
Hashes for wev_awsmfa-1.0.0-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 0f7c55cc741a987a3fccbddd3d6d70f2b7a6958107d514824478ad2addbae576
MD5 | 4f9243bba86468b5bb1788ca91ef55f7
BLAKE2b-256 | 3812ce7f1912b6b1367061d9816908487851fd5bba1418531169e103a1628053