This is followed by instructions for setting up AWS MFA, and then installing and configuring AWS CLI.
Unfortunately, this mandatory procedure took me half a working day. So that other insecure AWS users 😉, like myself, do not waste precious time on the banal, I decided to make an instruction.
Even for sandbox account setting This is usually a mandatory requirement. We have it so.
MFA setup
- Set
- Go to
- -> Assign MFA Device
- Virtual MFA Device
- Follow the instructions on the screen
- Virtual Device Ready
Installing the AWS CLI
Setting up a named profile
- -> Create access key
- Copy the key to the clipboard. You will need it in the next step.
$ aws configure --profile <your profile name>
AWS CLI via MFA
- Copy the ARN of the virtual device
aws sts get-session-token --profile <имя профиля> --serial-number <ARN виртуального устройства> --token-code <одноразовый пароль>
The one-time password must be taken from the previously configured mobile application.- The command will output JSON, the individual fields of which must be substituted into the appropriate environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
I decided to automate through ~/.bash_profile
To parse JSON, this script requires .
#!/usr/bin/env bash
aws_login() {
session=$(aws sts get-session-token "$@")
echo "${session}"
AWS_ACCESS_KEY_ID=$(echo "${session}" | jq -r '.Credentials.AccessKeyId')
export AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY=$(echo "${session}" | jq -r '.Credentials.SecretAccessKey')
export AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN=$(echo "${session}" | jq -r '.Credentials.SessionToken')
export AWS_SESSION_TOKEN
}
alias aws-login-dev='aws_login --profile <имя dev профиля> --serial-number <ARN виртуального устройства> --token-code '
alias aws-login-prod='aws_login --profile <имя prod профиля> --serial-number <ARN виртуального устройства> --token-code 'Usage:
$ aws-login-dev <одноразовый пароль>I hope this instruction will help you avoid lengthy wanderings through the official documentation 😉
Source: habr.com