In this tutorial I will demonstrate how to enforce MFA (2FA) for both the AWS CLI and the AWS Console. Later in the tutorial I will share a script to quickly authenticate with MFA and use the generated session token.
1. First we create a user whose only permission is sts:AssumeRole, conditioned on MFA being present. The user can be created manually or with the following Terraform script.
resource "aws_iam_user" "mfa_user" {
  # path = "/user_path_if_necessary/"
  name = "aws_cli_user"
}

# The only permission this user holds: sts:AssumeRole, and only when the
# request was authenticated with MFA (aws:MultiFactorAuthPresent == true).
data "aws_iam_policy_document" "sts_assume_role_policy_document" {
  statement {
    actions   = ["sts:AssumeRole"]
    resources = ["*"]
    effect    = "Allow"
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_policy" "sts_assume_role_policy" {
  name   = "sts_assume_role_policy"
  policy = data.aws_iam_policy_document.sts_assume_role_policy_document.json
}

# aws_iam_user_policy_attachment attaches the policy to this user only.
# aws_iam_policy_attachment is exclusive: it would detach the policy from any
# other user, group or role it is attached to outside this configuration.
resource "aws_iam_user_policy_attachment" "sts_assume_role_policy_attachment" {
  user       = aws_iam_user.mfa_user.name
  policy_arn = aws_iam_policy.sts_assume_role_policy.arn
}

# Long-term access key for CLI use. The secret is written to Terraform state,
# so the state file must be protected accordingly.
resource "aws_iam_access_key" "mfa_user_keys" {
  user = aws_iam_user.mfa_user.name
}

# Console password; also written to state unless encrypted with pgp_key.
resource "aws_iam_user_login_profile" "mfa_user_console_login_profile" {
  user = aws_iam_user.mfa_user.name
}
2. You can retrieve the credentials with the following output.tf file. Outputs marked sensitive are redacted by a plain terraform output; read one with terraform output -raw <name>.
output "mfa_user_access_key" {
  value = aws_iam_access_key.mfa_user_keys.id
}

output "mfa_user_secret_key" {
  value     = aws_iam_access_key.mfa_user_keys.secret
  sensitive = true
}

output "mfa_user_console_password" {
  value     = aws_iam_user_login_profile.mfa_user_console_login_profile.password
  sensitive = true
}
3. Now create a virtual MFA device for mfa_user from the AWS Console.
4. Now create the role that the user will assume. For the purpose of this tutorial I've attached the AWS managed AdministratorAccess policy to the role.
resource "aws_iam_role" "iam_admin_role_with_mfa_restriction" {
  name = "admin_mfa"

  # Trust policy: any principal in this account may assume the role, but only
  # from an MFA-authenticated session. The MFA condition is needed here as well
  # as on the user's own policy, because the trust policy is evaluated separately
  # and would otherwise let any sufficiently privileged principal assume the
  # role without MFA.
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : "arn:aws:iam::${var.aws_account_id}:root"
        },
        "Action" : "sts:AssumeRole",
        "Condition" : {
          "Bool" : {
            "aws:MultiFactorAuthPresent" : "true"
          }
        }
      }
    ]
  })

  # Tutorial-only: full administrator rights. managed_policy_arns is deprecated
  # in newer AWS provider versions in favour of aws_iam_role_policy_attachment.
  managed_policy_arns = ["arn:aws:iam::aws:policy/AdministratorAccess"]
}
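Both the user policy from step 1 and the trust policy from step 4 rely on the same condition, and leaving it out of either one silently removes the MFA requirement. The following policy checker is an added example, not part of the tutorial or its Terraform code: it takes IAM policy documents as JSON (the samples are constructed to match the two policies above, with a placeholder account id) and reports any Allow of sts:AssumeRole that lacks a Bool aws:MultiFactorAuthPresent=true condition. It also flags the common mistake of writing an MFA Deny with Bool/false instead of BoolIfExists, since the key is absent from requests signed with long-term access keys and a plain Bool test never matches a missing key.

```python
import json

# Constructed sample policies (not produced by the tutorial's Terraform).
ACCOUNT_ID = "123456789012"  # placeholder, not a real account

# Step 1: the user's identity policy, as aws_iam_policy_document renders it.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "*",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# Step 4: the role's trust policy.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# The same trust policy with the condition left out: MFA is no longer enforced.
WEAK_TRUST_POLICY = json.loads(json.dumps(TRUST_POLICY))
del WEAK_TRUST_POLICY["Statement"][0]["Condition"]

# A Deny written with Bool/false. Requests signed with long-term access keys
# carry no aws:MultiFactorAuthPresent key at all, and a missing key never
# matches a plain Bool test, so this Deny does not fire for those requests.
WEAK_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _mfa_values(condition, operator):
    """Lower-cased values bound to aws:MultiFactorAuthPresent under one condition
    operator (e.g. "Bool" or "BoolIfExists"). Condition keys are case-insensitive."""
    block = condition.get(operator, {}) if isinstance(condition, dict) else {}
    for key, value in block.items():
        if key.lower() == "aws:multifactorauthpresent":
            return [str(v).lower() for v in _as_list(value)]
    return []


def find_mfa_gaps(policy):
    """Return a list of human-readable findings; an empty list means no gap found."""
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement", []))):
        effect = st.get("Effect")
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        condition = st.get("Condition", {})
        grants_assume = actions & {"sts:assumerole", "sts:*", "*"}
        # An Allow of AssumeRole must require MFA with a strict Bool test;
        # BoolIfExists would also pass when the key is absent.
        if effect == "Allow" and grants_assume and _mfa_values(condition, "Bool") != ["true"]:
            findings.append(
                f"statement {idx}: Allow of sts:AssumeRole without "
                f'"Bool": {{"aws:MultiFactorAuthPresent": "true"}}'
            )
        # A Deny meant to block non-MFA sessions must use BoolIfExists/false.
        if effect == "Deny" and _mfa_values(condition, "Bool") == ["false"]:
            findings.append(
                f"statement {idx}: Deny uses Bool/false; the key may be absent, "
                f"use BoolIfExists/false instead"
            )
    return findings


if __name__ == "__main__":
    for name, policy in [("user", USER_POLICY), ("trust", TRUST_POLICY),
                         ("weak trust", WEAK_TRUST_POLICY), ("weak deny", WEAK_DENY_POLICY)]:
        gaps = find_mfa_gaps(policy)
        print(f"{name}: {'ok' if not gaps else '; '.join(gaps)}")
```

Run it as-is to see the two constructed weak policies flagged; to check real documents, load them with json.loads (for example from terraform show -json or the IAM API) and pass them to find_mfa_gaps.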
Now the user is ready; you can have a look at the full Terraform code here.
Let's jump into Part II of the tutorial, where we will discuss how to access AWS using MFA.