
Using MFA enabled AWS accounts & CLI

Marcel Scherzer


TL;DR

Simplify your life when using MFA-enabled accounts with AWS profiles by installing this command-line tool.

Install awsmfa from npm or fork the project on GitHub.

Managing MFA credentials

Enforcing multi-factor authentication (MFA) on AWS accounts is a security best practice, but it can create usability hurdles for engineers who rely on the SDK and AWS command line tools to get work done.

The typical workflow for MFA-enabled accounts is to request a temporary session from AWS STS. STS then returns temporary credentials together with a session token. Depending on the use case, this data can then be used in a profile definition, in environment variables, or as arguments when calling AWS APIs that require MFA.

However, it is a complete BITCH of a process.

To strike a balance between security best practices and ease of use, it is best to take advantage of some tooling.

There are various tools available to ease this process including awsmfa.

Why build yet another tool?

Now, I know that there are several tools available in a range of languages that address the issue of working with MFA-enabled AWS accounts.

However, I specifically needed a tool that we could install using npm. Furthermore, I wanted flexibility for automation, and my final requirement was the ability to have an interactive mode for humans.

Making up the above wishlist was my excuse to satisfy my curiosity about the effort required to build a CLI command with TypeScript that could be installed using npm.

Besides, I love coding and this little project was a fun Friday night accompanied by the awesome Charlotte de Witte.

What problem does it solve?

The catalyst for the project was the inability to authenticate using an MFA-enabled account when running a project inside of the "Serverless Offline" framework.

I also needed a tool that would work with multiple AWS accounts, supported a flow reliant on assuming roles, could be further controlled with Bash, and provided the flexibility to prompt for input of an MFA token. Good times!

After a night's mad coding and a morning of debugging, I'm happy to share "awsmfa" with you.

The command line tool authenticates with a profile of your choosing (defaults to "default"), prompts for your MFA token, and writes the temporary session back to your "credentials" file under a name of your choosing (defaults to "mfa").

Using a "named" profile has proven to be the most reliable mechanism for authenticating when you are using multiple programming languages, containers, virtual machines and runtimes.
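The credentials-file update described above, sketched as an added example (this is not awsmfa's own code). The function names and sample values are constructed for illustration; the response shape is the JSON that `aws sts get-session-token` prints. It replaces a stale target section rather than appending a duplicate, and refuses to overwrite the long-term profile or to store an expired session.

```javascript
// Added example: merge an STS GetSessionToken response into credentials-file text.
// Function names and all sample values are constructed for illustration.

// Split INI text into [{ name, lines }]; text before the first header has name null.
function parseSections(iniText) {
  const sections = [{ name: null, lines: [] }];
  for (const line of iniText.split(/\r?\n/)) {
    const m = line.match(/^\s*\[([^\]]+)\]\s*$/);
    if (m) sections.push({ name: m[1].trim(), lines: [] });
    else sections[sections.length - 1].lines.push(line);
  }
  return sections;
}

// Return new credentials-file text with section `target` set to the temporary session.
function upsertSessionProfile(iniText, source, target, sts, now = new Date()) {
  if (source === target) throw new Error("target would overwrite the long-term profile");
  const c = sts && sts.Credentials;
  if (!c || !c.AccessKeyId || !c.SecretAccessKey || !c.SessionToken)
    throw new Error("STS response is missing credential fields");
  // An invalid or missing Expiration compares false and is rejected as well.
  if (!(new Date(c.Expiration) > now)) throw new Error("session already expired");
  // Drop any previous copy of the target section, keep every other section as-is.
  const kept = parseSections(iniText).filter((s) => s.name !== target);
  const out = kept
    .map((s) => (s.name === null ? [] : [`[${s.name}]`]).concat(s.lines).join("\n").trimEnd())
    .filter((text) => text.length > 0);
  out.push([
    `[${target}]`,
    `aws_access_key_id = ${c.AccessKeyId}`,
    `aws_secret_access_key = ${c.SecretAccessKey}`,
    `aws_session_token = ${c.SessionToken}`,
  ].join("\n"));
  return out.join("\n\n") + "\n";
}

// Constructed sample: a credentials file that already holds a stale "mfa" section.
const SAMPLE_FILE = "[default]\naws_access_key_id = AKIAEXAMPLELONGTERM\n" +
  "aws_secret_access_key = constructed-long-term-secret\n\n" +
  "[mfa]\naws_access_key_id = ASIAEXAMPLESTALE\naws_session_token = stale\n";
// Constructed sample STS response.
const SAMPLE_STS = { Credentials: {
  AccessKeyId: "ASIAEXAMPLEFRESH", SecretAccessKey: "constructed-temp-secret",
  SessionToken: "constructed-session-token", Expiration: "2030-01-01T12:00:00Z" } };
```

When writing the returned text to disk, keep the credentials file readable only by its owner.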

For more information and installation check awsmfa on npm.js

Happy Coding!

Marcel 😎👍

One more thing ...

Based on completing this mini project, I also made available a boilerplate template that you can use to quickly bootstrap a project for building your own Node CLI command with TypeScript. That sounds like an upcoming YouTube video.