AWS/IAM – CLI :- Multi-Factor Authentication

Background

If you happen to secure AWS Resources with Multi-Factor authentication, and you are working within the Command Line Interface, you do have bit of jumping on a trampoline to do.

Outline

  1. Multi-Factor Device – Review Settings
    • Check MFA Status
      • Is it MFA hardware device or is it Virtual
    • Get Device’s ARN
  2. Get Current Identity
  3. Issue and capture of “aws sts get-session-token
  4. Set Environment Variables based on Session Token
  5. Issue and capture results of “aws sts assume-role”
  6. Set Environment Variables based on Assumed Role
  7. Attempt to access resource

Processing

Multi-Factor Device – Review Settings

Outline

  1. Access IAM Console ( Link )
  2. Search for user
    • Enter username
  3. Select sought user
  4. User Summary Screen comes up
  5. Access “Security Credentials” Tab
  6. The “Security Credentials” tab appears
    • Note the following
      • Assigned MFA Device
      • Assign MFA Type
        • Virtual in our case

Images

Search for user

IAM.Users.searchUser.20181115.0421PM.PNG

User Summary

IAM.Users.user.Summary.20181115.0423PM.PNG

User – Security Credentials

IAM.Users.user.SecurityCredentials.20181115.0426PM.PNG

Data Set
  1. Assigned MFA device
    • arn:aws:iam::[ID]:mfa/[account-id] (Virtual) | Manage
      • id
      • Virtual

Get Current Identity

Outline

Code


aws sts get-caller-identity

Output

Output – Image

sts.getCallerIdentity.20181120.0743PM

Output – Textual


>aws sts get-caller-identity
{
"UserId": "AID",
"Account": "22",
"Arn": "arn:aws:iam::22:user/dadeniji"
}

Issue & Capture Output of “sts get-session-token

Outline

  1. Issue sts get-session-token
  2. Capture output

Code


setlocal

REM How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI?
REM https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/

REM Assigned MFA device
REM Is it an MFA hardware device or is it Virtual
rem set _ARNUser = arn:aws:iam::userid:user/awsauth/dadeniji
set _userid=11101
set _ARNmfa=arn:aws:iam::%_userid%:mfa/dadeniji

set _durationInSeconds=129600

REM **********************************************************************************
REAM Read token from device -- cellphone etc
REM **********************************************************************************
set _codeFromToken=506694

rem aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token

aws sts get-session-token --serial-number %_ARNmfa% --duration-seconds %_durationInSeconds% --token-code %_codeFromToken% 

endlocal

Output

sts.get-session-token.20181115.0439PM.PNG

Explanation

Please capture the output :-

  1. Credentials
    • AccessKeyId
    • SecretAccessKey
    • SessionToken

Set Session Token – Self

Outline

  1. Set Environment Variables for Self Token

Code


set AWS_ACCESS_KEY_ID=ANTELOPE
set AWS_SECRET_ACCESS_KEY=SAK
set AWS_SESSION_TOKEN=Patti

Assume Role

Outline

  1. aws sts assume-role

Code

Syntax


aws sts assume-role --role-arn=[iam-role] --role-session-name [rolename]

Sample


setlocal

set "_IAMrole=arn:aws:iam::061711:role/housekeeper"
set "_rolename=housekeeper"

aws sts assume-role --role-arn=%_IAMrole% --role-session-name %_rolename%

endlocal

Output

image_assumeRole.01.20181120.0548PM

 

 

Set Session Token – Assumed Role

Outline

  1. Set Environment Variables for Role Token

Code


set AWS_ACCESS_KEY_ID=ANTELOPE
set AWS_SECRET_ACCESS_KEY=SAK
set AWS_SESSION_TOKEN=Patti

Get Current Identity

Outline

Code


aws sts get-caller-identity

Output

Output – Image

image_getCallerIdentity.AssumeRole.Post.01.brushedup.20181120.0552PM.png

Output – Textual


aws sts get-caller-identity
{
"UserId": "AID",
"Account": "22",
"Arn": "arn:aws:sts::22:assumed-role/dba"
}

Access Resource

Outline

  1. Access Resource
    • Access S3 bucket
    • Access RDS DB Resource

Sample

Sample – S3 Bucket

Code
aws s3 ls --profile savanna

Output

request.S3.20181115.0452PM.PNG

 

References

  1. Amazon
    • AWS
      • CLI
        • MFA
          • How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI?
            Link
      • Directory Services
        • To establish a trust relationship for an existing role to AWS Directory Service
          Link
      • Granting a User Permissions to Switch Roles
        • id_roles_use_permissions-to-switchLink

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s