I wanted to set up the CLI to access different roles from a master AWS login that had MFA enabled. I found articles on setting up MFA or on role assumption, but not on both together. This is my attempt to combine some of the existing solutions for MFA and role assumption.
Thanks Stephan Harris for https://github.com/sweharris/aws-cli-mfa/blob/master/get-aws-creds
Having multiple AWS accounts to handle different needs of the organization has become the preferred method to work in AWS.
Some advantages of having separate accounts for tools, dev, prod and staging:
- Separation of resources. There are no accidental updates to production.
- Can enforce different resource limits on each account.
- Billing becomes simpler and clearer.
There are two ways to manage multiple accounts for each user:
- Separate logins for each account, which means a lot of users and logins to manage.
- One login for a primary account, then a concept called Role Assumption to access the related AWS accounts using roles.
Assuming a role means the AWS token service (STS) gives you temporary credentials to access the account as the assumed role. The role's trust relationship must be configured to allow your master user to assume the role being requested.
Whether you use one AWS account or multiple AWS accounts accessed via roles, AWS recommends enabling multi-factor authentication for increased security.
We can use hardware, text (SMS) or virtual MFA devices such as the Google Authenticator app as a second layer of security on top of the login credentials.
- Open Chrome and log in to the primary account with credentials and MFA.
- Install the Chrome extension AWS Extend Switch Roles.
- Once installed, click the extension and select Configuration to set up the config in

```ini
[dev]
aws_account_id = 210987654321
role_name = Developer
source_profile = default
color = ffff00

[uat]
aws_account_id = 123456789012
role_name = Developer
source_profile = default
color = ff00ff

[prod]
aws_account_id = 098765432132
role_name = Developer
source_profile = default
color = ff0000
```
- Refresh the browser. Now we can switch accounts in the browser simply by clicking on the account alias/number at the top left.
Let's understand the files used by the AWS CLI.
~/.aws/config - has profiles and default values (region, role_arn, source_profile) for each profile.
~/.aws/credentials - has aws_access_key_id and aws_secret_access_key for each profile. The AWS CLI checks environment variables first and then the credentials file for the access key and secret.
Both files have a default entry, which holds your master account login keys.
We are going to use the config and credentials files to authenticate as the right role using role assumption.
- Copy get-aws-creds.sh to
We are going to use a slightly altered version of the config file we used for the browser. Notice that the role now needs to be an ARN and that we changed the source_profile to `mfa`, the profile the script writes the temporary MFA credentials into.

```ini
[profile dev]
region = us-east-1
role_arn = arn:aws:iam::<account_number>:role/Developer
source_profile = mfa

[profile uat]
region = us-east-1
role_arn = arn:aws:iam::<account_number>:role/Developer
source_profile = mfa

[profile prod]
region = us-east-1
role_arn = arn:aws:iam::<account_number>:role/Developer
source_profile = mfa
```
- Set an alias so the script can be run as `mfa`.
We are done. Now we can use the `mfa` command to set the token for the default user.
```
$ » mfa
You are: yloganathan
Your MFA device is: arn:aws:iam::--redacted--:mfa/yloganathan
Enter your MFA code now: 468114
Removing old mfa setting
Push new mfa token, key, id to credentials
AWS_SESSION_TOKEN=FQoGZXIvYXdzEMD//////////wEaDBYMaD/jCVsms7LcZCKwAb55t+hRUevOscgmhO1kPsFIRC2lUjZL9L3V2iSSo8pyUQay8GnvRw/PrMQp/XSJhoIkiOmnnq/+GH7Id7DhiTR0R2+tv+d6onYhOmSoLg2NnBbk6J038DHANz8JKsCrXIoSxsdfserfuVJrqECTSLdi+EsF1OnF+nZGCPxVJmWETWaQFZ4lYD2VqmMP68GuIzw4y1p9kpYQkkcEZ8jIh8dzS5m88OYTxNKJve4OYF
AWS_SECRET_ACCESS_KEY=yrhWWewKa63048GF84u/OPqweERAw+iyQcMYgXKF
AWS_ACCESS_KEY_ID=ASIAT7ADEFZVLJWNKRKFL
Keys valid until 2019-05-11T02:35:07Z
```
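To make the plumbing behind the `mfa` command concrete, here is an added example (my own illustration, not the get-aws-creds script linked above) that walks through what such a helper does: build the `aws sts get-session-token` call that trades the long-lived key plus the six-digit MFA code for temporary credentials, replace only the `[mfa]` section of the credentials file while leaving `[default]` untouched, and show how a `[profile dev]` entry chains back to `mfa` through `source_profile`. The STS response, the MFA device ARN, the account number and all key values are constructed placeholders, and `run_demo` works on temporary files so it runs offline without calling AWS.

```python
# Added example, not the page's get-aws-creds script: the steps that script
# performs, written out so the credentials/config handling can be run offline.
import configparser
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for the JSON that `aws sts get-session-token` prints.
# Values are fake and copy only the shape of the real response.
SAMPLE_STS_RESPONSE = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID0000",
    "SecretAccessKey": "exampleSecretKey/NotReal+0000000000000000",
    "SessionToken": "exampleSessionToken//NotReal==",
    "Expiration": "2019-05-11T02:35:07Z",
}})

# Hypothetical MFA device ARN; the account number is a placeholder.
SAMPLE_MFA_SERIAL = "arn:aws:iam::111122223333:mfa/yloganathan"


def build_session_token_cmd(mfa_serial, token_code, duration_seconds=43200):
    """argv for the STS call the helper script runs: --serial-number is the
    MFA device ARN, --token-code the six digits currently on the device."""
    if not (token_code.isdigit() and len(token_code) == 6):
        raise ValueError("MFA token code must be six digits")
    return ["aws", "sts", "get-session-token",
            "--serial-number", mfa_serial,
            "--token-code", token_code,
            "--duration-seconds", str(duration_seconds),
            "--output", "json"]


def parse_sts_credentials(response_json):
    """Map the STS response onto the key names the credentials file uses."""
    c = json.loads(response_json)["Credentials"]
    return {"aws_access_key_id": c["AccessKeyId"],
            "aws_secret_access_key": c["SecretAccessKey"],
            "aws_session_token": c["SessionToken"],
            "expiration": c["Expiration"]}


def _load_ini(path):
    # interpolation=None: secrets may contain '%', which configparser
    # would otherwise try to expand.
    ini = configparser.ConfigParser(interpolation=None)
    ini.read(path)
    return ini


def write_mfa_profile(credentials_path, creds, profile="mfa"):
    """'Removing old mfa setting' then 'Push new mfa token, key, id':
    replace only the [mfa] section and leave [default] untouched."""
    ini = _load_ini(credentials_path)
    if ini.has_section(profile):
        ini.remove_section(profile)
    ini.add_section(profile)
    for key in ("aws_access_key_id", "aws_secret_access_key", "aws_session_token"):
        ini.set(profile, key, creds[key])
    with open(credentials_path, "w") as fh:
        ini.write(fh)
    os.chmod(credentials_path, 0o600)  # temporary keys are still secrets
    return ini.sections()


def role_source(config_path, profile):
    """Return (role_arn, source_profile) of a [profile X] section, i.e. which
    credentials profile signs the AssumeRole call (dev -> mfa on this page)."""
    ini = _load_ini(config_path)
    section = f"profile {profile}"
    return ini.get(section, "role_arn"), ini.get(section, "source_profile")


def credentials_still_valid(expiration, now=None):
    """The 'Keys valid until' line: False once the session token has expired."""
    exp = datetime.strptime(expiration, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (now or datetime.now(timezone.utc)) < exp


def run_demo():
    """Whole flow against temporary files; returns what was written/resolved."""
    workdir = tempfile.mkdtemp()
    creds_path = os.path.join(workdir, "credentials")
    config_path = os.path.join(workdir, "config")
    with open(creds_path, "w") as fh:  # master keys (placeholders) + stale [mfa]
        fh.write("[default]\naws_access_key_id = AKIAEXAMPLE\n"
                 "aws_secret_access_key = placeholder\n"
                 "[mfa]\naws_access_key_id = STALE\n")
    with open(config_path, "w") as fh:  # same shape as the config shown above
        fh.write("[profile dev]\nregion = us-east-1\n"
                 "role_arn = arn:aws:iam::111122223333:role/Developer\n"
                 "source_profile = mfa\n")
    sections = write_mfa_profile(creds_path, parse_sts_credentials(SAMPLE_STS_RESPONSE))
    role_arn, source = role_source(config_path, "dev")
    written = _load_ini(creds_path)
    return {"sections": sections,
            "mfa_key_id": written.get("mfa", "aws_access_key_id"),
            "default_key_id": written.get("default", "aws_access_key_id"),
            "role_arn": role_arn, "source_profile": source,
            "source_has_token": written.has_option(source, "aws_session_token")}


if __name__ == "__main__":
    print(run_demo())
```

The one thing the real script does that this example only simulates is running the argv from `build_session_token_cmd` and feeding its output to `parse_sts_credentials`; everything after that (rewriting `[mfa]`, keeping `[default]`, the `dev -> mfa` chain that the CLI follows when you pass `--profile dev`) is exactly the file handling the page's workflow relies on. Tightening the credentials file to mode 600 matters because the temporary session token is as usable as the key it was minted from until the `Keys valid until` time passes.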
We can access the different AWS accounts using the `--profile` option. Without a profile the CLI uses the default (master) keys, which have no rights in the other accounts; with `--profile dev` it picks up `[profile dev]`, signs the AssumeRole call with the `mfa` credentials and lists the buckets in the dev account.

```
$ » aws s3 ls
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
$ » aws s3 ls --profile dev
2019-04-08 13:17:00 cf-custom-resource-dev-somebucket-19qgbsjff4jw1
2019-02-01 15:04:28 cf-templates-1lguyp5t2xsbe-us-east-1
2019-02-28 16:13:41 cf-templates-1lguyp5t2xsbe-us-west-2
```
I would like to hear how you access assumed roles with MFA from the AWS CLI.