If you have an MFA-enabled account on Amazon AWS, you need to refresh the session token periodically in order to use the aws cli toolkit.
The sequence of actions is:
- using the primary (source) AWS profile, request the list of MFA devices configured for this account
- issue an STS request with the MFA token code to get the session token
- update the ~/.aws/credentials file with the received access key, secret key and session token for the given profile
This simple flow is implemented as a Go utility that only updates the existing profile in ~/.aws/credentials with the access/secret/session tokens.
There is another utility, awsmfa, with extended functionality for AWS key management / rotation.
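The third step of the flow, rewriting one profile in ~/.aws/credentials while leaving the source profile untouched, as an added Go example that is not the go-aws-mfa code itself. It assumes the usual INI layout of the credentials file and that the caller has already obtained the keys and session token from STS; the UpdateProfile name and the sample values are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// UpdateProfile returns the text of an AWS credentials file in which the
// [profile] section holds the given temporary credentials: an existing section
// is replaced in place, a missing one is appended, other profiles are untouched.
// Write the result back with mode 0600; the session token is still a secret.
func UpdateProfile(content, profile, accessKey, secretKey, sessionToken string) string {
	header := "[" + profile + "]"
	block := []string{
		header,
		"aws_access_key_id = " + accessKey,
		"aws_secret_access_key = " + secretKey,
		"aws_session_token = " + sessionToken,
	}
	var out []string
	inTarget, found := false, false
	for _, line := range strings.Split(content, "\n") {
		trimmed := strings.TrimSpace(line)
		if strings.HasPrefix(trimmed, "[") && strings.HasSuffix(trimmed, "]") {
			inTarget = trimmed == header
			if inTarget {
				found = true
				out = append(out, block...) // new keys go where the old section was
			} else {
				out = append(out, line)
			}
			continue
		}
		if inTarget && trimmed != "" {
			continue // drop the stale keys of the target profile; keep blank separators
		}
		out = append(out, line)
	}
	if !found {
		if len(out) > 0 && strings.TrimSpace(out[len(out)-1]) != "" {
			out = append(out, "")
		}
		out = append(out, block...)
	}
	return strings.TrimRight(strings.Join(out, "\n"), "\n") + "\n"
}

func main() {
	// Constructed sample file; placeholder values stand in for the STS response.
	fmt.Print(UpdateProfile("[user1]\naws_access_key_id = AKIAEXAMPLE\n", "user1-mfa", "ASIA...", "SECRET...", "TOKEN..."))
}
```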
Usage of ./go-aws-mfa:
-d string
MFA-enabled profile
-s string
Source (primary) profile
where -s specifies the IAM role that has an MFA device configured, and -d specifies the target profile to add/replace the credentials to.
./go-aws-mfa -s user1 -d user1-mfa will ask for the token code of the MFA device configured for user1. The temporary credentials will then be stored under the user1-mfa profile.
In order to use those temporary credentials with awscli, set the AWS_PROFILE environment variable to user1-mfa and then invoke the aws command normally, for example:
AWS_PROFILE=user1-mfa aws s3 ls s3://bucket-user1/