How to use aws-mfa-v2
to avoid entering so many MFA tokens
Prior to being told about aws-mfa-v2
my ~/.aws/config
file looked like this:
[profile parent-account]
region = eu-west-1
[profile child-account]
mfa_serial = arn:aws:iam::$PARENT_AWS_ACCOUNT_ID:mfa/$USERNAME
role_arn = arn:aws:iam::$CHILD_AWS_ACCOUNT_ID:role/$ROLE_NAME
region = eu-west-1
source_profile = parent-account
which worked fine but meant awscli
calls using the child-account
profile
prompted for an MFA token. Over the course of a day I would look up a token many
times.
But following a tip from James Tunnicliffe I
greatly reduced how often I need to do this by using the aws-mfa-v2
utility.
This uses your long-lived AWS account to create temporary profiles with
credentials fetched from AWS STS.
In practice, this requires you to run:
aws-mfa --mfa-profile parent-account --token $TOKEN
once a day to create/update a temporary AWS profile (called, in this example,
parent-account-mfa
).
Plus I needed to rearrange ~/.aws/config
to have this structure:
[profile parent-account]
region = eu-west-1
mfa_serial = arn:aws:iam::$PARENT_AWS_ACCOUNT_ID:mfa/$USERNAME
[profile child-account]
role_arn = arn:aws:iam::$CHILD_AWS_ACCOUNT_ID:role/$ROLE_NAME
region = eu-west-1
source_profile = parent-account-mfa
Note the updated source_profile
value that refers to a profile only defined in
~/.aws/credentials
.