Repository files navigation

If you have anMFA-enabled account on Amazon AWS, you need to refresh the token periodically, in order to useaws cli toolkit.

The sequence of actions is:

• using the primary AWS account, request thelist of MFA devices configured for this account
• issue an STS request toget the session token
• update the~/.aws/credentials file with the received access key, secret key and session token for the given profile

This simple flow is implemented as Go utility, that only updates the existing profile in the~/.aws/credentials with the access/secret/session tokens.

There is another utilityawsmfa with extended functionality for AWS key management / rotation.

Usage of ./go-aws-mfa:  -d string        MFA-enabled profile  -s string        Source (primary) profile

where

• -s specifies the IAM role that has anMFA device configured
• -d specifies the target profile to add/replace the credentials to.

./go-aws-mfa -s user1 -d user1-mfa will ask for the token code for MFA device configured foruser1. Then the temporary credentials will be stored foruser1-mfa.In order to use that temporary account withawscli, you need to set theAWS_PROFILE environment variable touser1-mfa and then invokeaws command normally, for example:

AWS_PROFILE=user1-mfa aws s3 ls s3://bucket-user1/