AWS Cli using role assumption and MFA

I wanted to setup cli to access different roles with master AWS login that had MFA enabled. I found articles to setup MFA or do role assumption but not both. This is my attempt to combine some of the solutions out there for MFA and role assumption.

Thanks Stephan Harris for https://github.com/sweharris/aws-cli-mfa/blob/master/get-aws-creds

Multiple AWS accounts

Having multiple AWS accounts to handle different needs of the organization has become the preferred method to work in AWS.
Some advantages to having separate accounts for tools, dev, prod, staging.

• Separation of resources. There is no accidental updates to production.
• Can enforce different resource limits on each account.
• Billing becomes simpler and clearer.

Accessing multiple accounts:

There are two ways to manage multiple accounts for each user.

• Separate logins of each account which is a lot of users and logins to manage.
• One login for a primary account and use a concept called Role Assumption to access the related AWS accounts using roles.

Assuming role means the AWS token service will give you temporary credentials to access the account with an assumed role. Your master user should have the right Trust relationship configuration to assume the role being requested.

• More information on AWS Role Assumption

Increasing security with MFA

Whether you use one AWS account or use multiple aws accounts and access them via roles, aws recommends enabling multi factor authentication for increased security.
We can use hardware, text or virtual MFA devices like google authenticator app as a second layer of security other than the login credentials.

• Aws Guide to enable MFA

Setting up browser extension to access multiple accounts

• Open chrome and log in to the primary account with credentials and mfa
• Install the chrome extension AWS Extend Switch Roles
• Once installed, click the extension and select configuration to setup config in ~/.aws/config format.

example:

    [dev]
    aws_account_id = 210987654321
    role_name = Developer
    source_profile = default
    color = ffff00

    [uat]
    aws_account_id = 123456789012
    role_name = Developer
    source_profile = default
    color = ff00ff

    [prod]
    aws_account_id = 098765432132
    role_name = Developer
    source_profile = default
    color = ff0000

• Refresh the browser and now we can switch accounts in the browser by simply clicking on the account alias/number on the top left.

Accessing multiple accounts with MFA via CLI

Let's understand the files that are used by aws cli.

• ~/.aws/config - has profiles and default values for profiles
• ~/.aws/configure - has aws_access_key_id and aws_secret_access_key for each profile. Aws cli checks environment and then the configure file for the key and access.

Setting up the default user

Both files have a default entry which is your master account login keys.

• Configure default user.

Role assumption using MFA base profile

We are going to use config and credential files to authenticate the right role using role assumption.

• Copy get-aws-creds.sh to ~/.aws/get-aws-creds.sh

• We gonna use a slightly altered version of the config file we used for browser. Notice that the role need to be an arn and we changed the source_profile to mfa and not default

  Sample ~/.aws/config file
  

    [profile dev]
    region = us-east-1
    role_arn = arn:aws:iam::<account_number>:role/Developer
    source_profile = mfa

    [profile uat]
    region = us-east-1
    role_arn = arn:aws:iam::<account_number>:role/Developer
    source_profile = mfa

    [profile prod]
    region = us-east-1
    role_arn = arn:aws:iam::<account_number>:role/Developer
    source_profile = mfa

• set an alias alias mfa=~/.aws/get-aws-creds.sh

We are done. Now we can use command mfa to set the token for the default user.

$ » mfa
You are: yloganathan
Your MFA device is: arn:aws:iam::--redacted--:mfa/yloganathan
Enter your MFA code now: 468114
Removing old mfa setting
Push new mfa token, key, id to credentials
AWS_SESSION_TOKEN=FQoGZXIvYXdzEMD//////////wEaDBYMaD/jCVsms7LcZCKwAb55t+hRUevOscgmhO1kPsFIRC2lUjZL9L3V2iSSo8pyUQay8GnvRw/PrMQp/XSJhoIkiOmnnq/+GH7Id7DhiTR0R2+tv+d6onYhOmSoLg2NnBbk6J038DHANz8JKsCrXIoSxsdfserfuVJrqECTSLdi+EsF1OnF+nZGCPxVJmWETWaQFZ4lYD2VqmMP68GuIzw4y1p9kpYQkkcEZ8jIh8dzS5m88OYTxNKJve4OYF
AWS_SECRET_ACCESS_KEY=yrhWWewKa63048GF84u/OPqweERAw+iyQcMYgXKF
AWS_ACCESS_KEY_ID=ASIAT7ADEFZVLJWNKRKFL
Keys valid until 2019-05-11T02:35:07Z

We can access different aws accounts using the --profile option.

$ » aws s3 ls
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

$ » aws s3 ls --profile dev
2019-04-08 13:17:00 cf-custom-resource-dev-somebucket-19qgbsjff4jw1
2019-02-01 15:04:28 cf-templates-1lguyp5t2xsbe-us-east-1
2019-02-28 16:13:41 cf-templates-1lguyp5t2xsbe-us-west-2

I would like to hear how you access assumed roles with MFA from aws cli.