"wev" plugin for Amazon Web Services multi-factor authentication
Project description
wev-awsmfa: A wev plugin to support Amazon Web Services multi-factor authentication on the command line
wev (with environment variables) is a command line tool for resolving environment variables and running shell commands.
The wev-awsmfa plugin allows you to verify your Amazon Web Services identity via multi-factor authentication without needing to modify your credentials file.
Example
Say your IAM user policy requires you to verify your identity via multi-factor authentication. If you try to use the aws command line…
aws s3 ls
…your request is denied, because you didn't multi-factor authenticate:
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
With an appropriate .wev.yml configuration (see below), you can run the aws command line via wev:
wev aws s3 ls
Resolving AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN...
Please enter your MFA token to authenticate.
Token:
Enter your one-time token, then wev-awsmfa will create a temporary session, set the environment variables, then run the command:
2019-10-13 11:42:03 bucket-one-87yiuhhguy98ouo
2019-10-13 11:42:27 bucket-two-kjhu65564ewtrgd
2020-07-03 15:38:22 bucket-thr-08uytgftryjh766
Installation
Install wev, then:
pip3 install wev-awsmfa
Configuration
The key must be a list of three strings, describing the environment variables to set for:
- The access key ID. You probably want this to be AWS_ACCESS_KEY_ID.
- The secret access key. You probably want this to be AWS_SECRET_ACCESS_KEY.
- The session token. You probably want this to be AWS_SESSION_TOKEN.
Your minimal configuration is likely to look like this:
[AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]:
  plugin:
    id: wev-awsmfa
There are two optional properties:
- mfa_device describes the ARN of the MFA device to use. wev-awsmfa will attempt to discover this automatically if omitted.
- duration describes the duration of the temporary session, in seconds. Default is 900 seconds.
[AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]:
  plugin:
    id: wev-awsmfa
    duration: 1800
    mfa_device: arn:aws:iam::123456789012:mfa/foo
Development
Test plan
- cd into a new directory and create .wev.yml:
[AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]:
  plugin:
    id: wev-awsmfa
- Create an IAM user named x and attach this inline policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:GetUser",
        "iam:ListMFADevices"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::*:user/${aws:username}"
      ]
    },
    {
      "Action": "s3:ListAllMyBuckets",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      },
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
- Use aws configure to set the user's credentials into a new profile named y.
- Temporarily set this new profile as the default:
export AWS_DEFAULT_PROFILE=<Y>
- Confirm that you do not have permission to list your S3 buckets:
aws s3 ls
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
- Install wev and wev-awsmfa:
pipenv install wev wev-awsmfa
- Use wev to list your S3 buckets:
wev --log-level debug aws s3 ls
You should be prompted for a token, then your S3 buckets should be listed.
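The test plan's policy gates s3:ListAllMyBuckets on aws:MultiFactorAuthPresent and leaves the two IAM actions usable before authenticating. The following is an added example, not code from wev-awsmfa or its README: it classifies every allowed action in a policy by how MFA gates it, and goes beyond the page's policy by also recognising BoolIfExists, which an Allow statement should not rely on. The names mfa_gate, classify and the gate labels are hypothetical.

```python
import json

MFA_KEY = "aws:multifactorauthpresent"  # condition key names are case-insensitive
RANK = {"none": 0, "bypassable": 1, "required": 2}
# Bool needs the key present and true; BoolIfExists also matches when the key is
# absent, which is the case for requests signed with long-term access keys.
GATES = {"Bool": "required", "BoolIfExists": "bypassable"}

# The test plan's inline policy, copied from the page.
PAGE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Action": ["iam:GetUser", "iam:ListMFADevices"], "Effect": "Allow",
   "Resource": ["arn:aws:iam::*:user/${aws:username}"]},
  {"Action": "s3:ListAllMyBuckets", "Effect": "Allow", "Resource": "*",
   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
]}
""")


def as_list(value):
    """IAM lets Statement, Action and condition values be a scalar or a list."""
    return value if isinstance(value, list) else [value]


def mfa_gate(statement):
    """Return 'required', 'bypassable' or 'none' for one statement's Condition."""
    found = ["none"]
    for operator, keys in statement.get("Condition", {}).items():
        for key, value in keys.items():
            wants_true = all(str(v).lower() == "true" for v in as_list(value))
            if key.lower() == MFA_KEY and wants_true and operator in GATES:
                found.append(GATES[operator])
    return max(found, key=RANK.get)


def classify(policy):
    """Map each allowed action to the weakest MFA gate on any statement granting it."""
    result = {}
    for statement in as_list(policy["Statement"]):
        gate = mfa_gate(statement)
        for action in as_list(statement.get("Action", [])):
            weaker = action not in result or RANK[gate] < RANK[result[action]]
            if statement.get("Effect") == "Allow" and weaker:
                result[action] = gate
    return result


if __name__ == "__main__":
    for action, gate in classify(PAGE_POLICY).items():
        print(f"{action}: MFA {gate}")
```

An action reported as "none" or "bypassable" can be called with the profile's long-term access keys alone, so only actions reported as "required" depend on the temporary session.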
Hashes for wev_awsmfa-1.1.0-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | bfdff37fff1e82321f285841692277f8a131c7b92fc19571e8226973badcd10d
MD5 | 8e047ce10bff7d96eac2d3e19c38be3e
BLAKE2b-256 | 86df244dffaab9b82aceb72f528a00fef6ec456ba777f6c7e7c68efdde3aa655