Setting Up Multi-Factor Authentication With the AWS CLI
As part of achieving SOC-2 certification, we had to implement stricter requirements around AWS authentication. Database Performance Monitor has had multi-factor authentication (MFA) for access to the AWS web-app console since the beginning, but now we have an additional requirement for CLI access.
Ordinary CLI access without MFA requires an access key ID and a secret access key. You simply set those credentials in your environment and the AWS CLI will just work. To get MFA involved, you need to change your workflow to include temporary security credentials through the AWS Security Token Service. You have to use your usual CLI credentials (the access key ID and secret access key I just mentioned) and your MFA code to request temporary credentials, which work for 12 hours by default. The primary command to get those temporary credentials is:
$ aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token
(You can learn more about this in the AWS Knowledge Center.)
That retrieves a temporary access key ID, secret access key and session token and prints them to your terminal. You can start using those temporary credentials as if they were your original, permanent credentials. You definitely don’t want to overwrite your existing configuration, because the permanent secret access key is only shown once, when it is created, and can’t be retrieved again. Fortunately the CLI supports profiles, which allow you to organize and refer to different sets of credentials by name. One of our developers, Nick Phillips, created a Python script to automate fetching the temporary credentials and saving them to a separate profile. You can find the gist here.
To use the script, first set up a “default” profile with your permanent credentials; this is the profile used to run the get-session-token command mentioned above. In the following example it is called stage-default. You can add more default profiles as needed. We have separate accounts for production and staging environments, which is why you also see prod-default.
Next, set up a section for each of the temporary credentials you’ll have, but without the “-default” suffix. In the following example these are named stage and prod.
# This is your access key and secret from the console
[stage-default]
aws_access_key_id = ABCD
aws_secret_access_key = 1234

[prod-default]
aws_access_key_id = ABCD
aws_secret_access_key = 1234

# Populate the mfa line. New tokens will populate here after running the script
[stage]
aws_arn_mfa = <from AWS console>
aws_access_key_id = <auto-generated>
aws_secret_access_key = <auto-generated>
aws_session_token = <auto-generated>

[prod]
aws_arn_mfa = <from AWS console>
aws_access_key_id = <auto-generated>
aws_secret_access_key = <auto-generated>
aws_session_token = <auto-generated>
Then run the script with your MFA token and it will save your temporary credentials to a separate profile, e.g. stage.
$ echo $AWS_PROFILE
stage
$ aws_update_tokens 123456
Saved stage credentials to /Users/nicholasphillips/.aws/credentials
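For readers who want to see the moving parts of such a script, here is an added example written for this post; it is not Nick’s gist and does not reproduce it. It follows the same profile layout (a permanent <name>-default section and a <name> section holding aws_arn_mfa plus the three temporary values), calls aws sts get-session-token through the CLI with the permanent profile, and rewrites only the three temporary lines so the permanent keys are never touched. The function and variable names, the --demo switch and the sample credentials file with its fake key values are all assumptions made for this example; the demo path stubs out STS with made-up values so it runs offline, while the normal path shells out to the real CLI.

```python
"""Added example, not Nick Phillips's gist: refresh MFA-backed temporary
credentials into a separate named profile in the AWS credentials file."""
import configparser
import json
import os
import subprocess
import sys
import tempfile

DEFAULT_DURATION = 43200  # seconds; get-session-token's default of 12 hours


def fetch_session_credentials(default_profile, mfa_arn, token_code,
                              duration=DEFAULT_DURATION):
    """Call `aws sts get-session-token` with the permanent <name>-default
    profile (temporary credentials cannot mint new ones) and return the
    Credentials object from the JSON response."""
    cmd = [
        "aws", "sts", "get-session-token",
        "--profile", default_profile,
        "--serial-number", mfa_arn,
        "--token-code", token_code,
        "--duration-seconds", str(duration),
        "--output", "json",
    ]
    return json.loads(subprocess.check_output(cmd))["Credentials"]


def update_tokens(credentials_path, profile, token_code,
                  fetch=fetch_session_credentials):
    """Read aws_arn_mfa from [profile], fetch a session using [profile-default],
    and overwrite only the three key/token lines of [profile]."""
    config = configparser.ConfigParser(interpolation=None)
    config.read(credentials_path)
    default_profile = f"{profile}-default"
    for section in (default_profile, profile):
        if section not in config:
            raise SystemExit(f"missing [{section}] in {credentials_path}")
    mfa_arn = config[profile].get("aws_arn_mfa", "")
    if not mfa_arn.startswith("arn:"):
        raise SystemExit(f"[{profile}] aws_arn_mfa must be the MFA device ARN")
    creds = fetch(default_profile, mfa_arn, token_code)
    config[profile]["aws_access_key_id"] = creds["AccessKeyId"]
    config[profile]["aws_secret_access_key"] = creds["SecretAccessKey"]
    config[profile]["aws_session_token"] = creds["SessionToken"]
    with open(credentials_path, "w") as fh:
        config.write(fh)
    os.chmod(credentials_path, 0o600)  # keep the credentials file owner-only
    return creds


# Constructed sample used only by demo(): the post's layout with fake values.
SAMPLE_CREDENTIALS = """\
[stage-default]
aws_access_key_id = AKIAEXAMPLEPERMANENT
aws_secret_access_key = permanent-secret-EXAMPLE

[stage]
aws_arn_mfa = arn:aws:iam::123456789012:mfa/example-user
aws_access_key_id = <auto-generated>
aws_secret_access_key = <auto-generated>
aws_session_token = <auto-generated>
"""


def fake_sts(default_profile, mfa_arn, token_code, duration=DEFAULT_DURATION):
    """Stand-in for STS so demo() runs offline; the returned values are made up."""
    assert default_profile == "stage-default"
    return {"AccessKeyId": "ASIAEXAMPLETEMP",
            "SecretAccessKey": "temp-secret-EXAMPLE",
            "SessionToken": "FwoGZXIvYXdzEXAMPLE" + token_code}


def demo():
    """Run update_tokens against the sample file and return the resulting
    [stage] and [stage-default] sections as plain dicts."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials")
        with open(path, "w") as fh:
            fh.write(SAMPLE_CREDENTIALS)
        update_tokens(path, "stage", "123456", fetch=fake_sts)
        config = configparser.ConfigParser(interpolation=None)
        config.read(path)
        return dict(config["stage"]), dict(config["stage-default"])


def main(argv):
    if argv == ["--demo"]:
        print(demo())
        return
    if len(argv) != 1:
        raise SystemExit("usage: aws_update_tokens <mfa-code> | --demo")
    profile = os.environ.get("AWS_PROFILE", "stage")
    path = os.path.expanduser("~/.aws/credentials")
    update_tokens(path, profile, argv[0])
    print(f"Saved {profile} credentials to {path}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Two details matter for anyone rolling their own: the STS call must go through the permanent <name>-default profile (passing --profile overrides the AWS_PROFILE=stage in your environment, whose temporary keys cannot request a new session), and aws_session_token must be written alongside the temporary key pair or the CLI will reject the profile as invalid.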
Now you can use MFA through the AWS CLI with ease. Nick’s script works with different AWS accounts too, so having different profiles for a stage and production account is still easy to manage. We hope you’ll find it helpful.