One main problem teams face when enforcing MFA device authentication for AWS CLI profiles is that there is no official, streamlined tool to manage temporary credential sessions easily.
Instead of piecing together a bash or shell script that authenticates with your credentials, fetches the new temporary credentials and saves them to your existing file, creates a new config/credentials file, or whatever your flow looks like, this tool is designed as a single binary that lets you create, list, authenticate and generally manage your AWS profiles.
As a side note -- to understand the general flow of how to do this natively with the AWS CLI, check out this AWS support article.
To install awsctl, check out the releases page to find the latest download for your operating system.
To get started with awsctl you will need an AWS IAM account already set up with an MFA device. For more information about checking your MFA status, check out the AWS docs.
To create a new MFA profile with awsctl you simply grab your access key credentials from your account, as well as the serial number (ARN) of your assigned MFA device. You will need these when you generate a new AWS profile with awsctl.
Example interactive creation process --
$ awsctl new example
[?] Enter the AWS region you want to save:
us-east-1
[?] Enter your MFA serial number for your IAM user:
arn:aws:iam::123456789012:mfa/cowboy
[?] Enter your generated access key ID:
********************
[?] Enter your generated secret access key:
****************************************
[ℹ] Working on your new AWS profile: example
[✔] Successfully saved new config and credentials for profile: example.
[✈] Start using your new profile: awsctl auth --help
When you need to authenticate and create a new temporary session for your AWS CLI interactions, use the awsctl auth command.
Example authentication process --
$ awsctl auth --profile cowboy --duration 129000 --token 639959
[ℹ] Attempting to authenticate with credentials for profile: cowboy.
[✔] Successfully created a MFA authenticated session for profile: cowboy.
[✈] Activate your MFA profile: export AWS_PROFILE=cowboy_mfa
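The two flows above (save a long-term profile with its MFA serial, then exchange those keys plus a one-time code for a temporary session stored as `<profile>_mfa`) are what awsctl does behind the scenes. The script below is an added example of that flow written against the standard AWS credentials file format; it is not awsctl's own code. It assumes the profile stores its device ARN under the standard `mfa_serial` key, takes the STS caller as a parameter so a real boto3 client or a test double can be used, and all key values in it are constructed placeholders.

```python
"""Example re-implementation of the `awsctl auth` flow (not awsctl's code):
read a long-term profile from an AWS credentials file, exchange it plus an
MFA code for temporary credentials via STS GetSessionToken, and save them
under `<profile>_mfa`."""
import configparser
import os
from typing import Callable, Dict

# STS GetSessionToken accepts DurationSeconds from 15 minutes to 36 hours for IAM users.
MIN_DURATION, MAX_DURATION = 900, 129_600

# Constructed sample ~/.aws/credentials content; every value is a placeholder.
SAMPLE_CREDENTIALS = """\
[cowboy]
aws_access_key_id = AKIAEXAMPLEPLACEHOLD
aws_secret_access_key = SECRETPLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxx
mfa_serial = arn:aws:iam::123456789012:mfa/cowboy
"""


def is_valid_duration(seconds: int) -> bool:
    """True when the requested session length is inside the STS-accepted range."""
    return MIN_DURATION <= seconds <= MAX_DURATION


def is_valid_token(code: str) -> bool:
    """TOTP codes from a virtual MFA device are six decimal digits."""
    return code.isdigit() and len(code) == 6


def load_credentials(text: str) -> configparser.ConfigParser:
    """Parse credentials-file text (same INI layout the AWS CLI uses)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def create_mfa_profile(creds: configparser.ConfigParser, profile: str, token: str,
                       duration: int, get_session_token: Callable[..., Dict]) -> str:
    """Exchange long-term keys + MFA code for a session and store it as <profile>_mfa.

    `get_session_token` is invoked exactly like boto3's sts.get_session_token(**kwargs),
    so the caller decides whether a real client or a stand-in is used."""
    if not creds.has_section(profile):
        raise KeyError(f"profile {profile!r} not found in credentials file")
    if not is_valid_token(token):
        raise ValueError("MFA token code must be six digits")
    if not is_valid_duration(duration):
        raise ValueError(f"duration must be between {MIN_DURATION} and {MAX_DURATION} seconds")
    src = creds[profile]
    resp = get_session_token(SerialNumber=src["mfa_serial"],
                             TokenCode=token, DurationSeconds=duration)
    c = resp["Credentials"]
    mfa_profile = f"{profile}_mfa"
    # The temporary triple replaces any earlier session under the same name.
    creds[mfa_profile] = {
        "aws_access_key_id": c["AccessKeyId"],
        "aws_secret_access_key": c["SecretAccessKey"],
        "aws_session_token": c["SessionToken"],
    }
    return mfa_profile


def save_credentials(creds: configparser.ConfigParser, path: str) -> None:
    """Write the file with mode 0600 so other local users cannot read the keys."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        creds.write(fh)


def fake_sts(**kwargs) -> Dict:
    """Constructed stand-in for STS GetSessionToken so the flow runs offline."""
    return {"Credentials": {"AccessKeyId": "ASIAEXAMPLEPLACEHOLD",
                            "SecretAccessKey": "TEMPSECRETPLACEHOLDER",
                            "SessionToken": "TEMPSESSIONTOKENPLACEHOLDER",
                            "Expiration": "2000-01-01T00:00:00Z"}}


if __name__ == "__main__":
    # Offline demonstration with the constructed sample and the fake STS caller.
    creds = load_credentials(SAMPLE_CREDENTIALS)
    name = create_mfa_profile(creds, "cowboy", "639959", 129000, fake_sts)
    print(f"[✔] saved temporary credentials as profile: {name}")
    # For a real exchange you would instead build the caller from the long-term keys:
    #   import boto3
    #   src = creds["cowboy"]
    #   sts = boto3.client("sts", aws_access_key_id=src["aws_access_key_id"],
    #                      aws_secret_access_key=src["aws_secret_access_key"])
    #   create_mfa_profile(creds, "cowboy", code, 129000, sts.get_session_token)
    #   save_credentials(creds, os.path.expanduser("~/.aws/credentials"))
```

The session token is what makes the `_mfa` profile work: the AWS CLI sends it alongside the temporary key pair, and the long-term keys in the source profile stay unchanged so the exchange can be repeated once the session expires.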
When you want to see what AWS profiles you already have on your local machine, use the awsctl list command.
Example listing of profiles --
$ awsctl list
+--------------------+--------------------------------------+-----------+
| PROFILE | MFA DEVICE SERIAL ARN | REGION |
+--------------------+--------------------------------------+-----------+
| profile cowboy | arn:aws:iam::123456789012:mfa/cowboy | us-east-1 |
| profile cowboy_mfa | | us-east-1 |
+--------------------+--------------------------------------+-----------+