AWS/IAM – CLI :- Multi-Factor Authentication

Background

If you secure AWS resources with multi-factor authentication and work from the Command Line Interface, there is some hoop-jumping to do: a long-term access key on its own does not carry MFA context, so you first trade it plus an MFA code for temporary session credentials, and only then assume the role.

Outline

  1. Multi-Factor Device – Review Settings
    • Check MFA Status
      • Is it MFA hardware device or is it Virtual
    • Get Device’s ARN
  2. Get Current Identity
  3. Issue and capture output of “aws sts get-session-token”
  4. Set Environment Variables based on Session Token
  5. Issue and capture results of “aws sts assume-role”
  6. Set Environment Variables based on Assumed Role
  7. Attempt to access resource

Processing

Multi-Factor Device – Review Settings

Outline

  1. Access IAM Console ( Link )
  2. Search for user
    • Enter username
  3. Select sought user
  4. User Summary Screen comes up
  5. Access “Security Credentials” Tab
  6. The “Security Credentials” tab appears
    • Note the following
      • Assigned MFA device
      • Assigned MFA type
        • Virtual in our case

Images

Search for user

IAM.Users.searchUser.20181115.0421PM.PNG

User Summary

IAM.Users.user.Summary.20181115.0423PM.PNG

User – Security Credentials

IAM.Users.user.SecurityCredentials.20181115.0426PM.PNG

Data Set
  1. Assigned MFA device
    • arn:aws:iam::[account-id]:mfa/[device-name] (Virtual)
      • The device name is normally the IAM user name; this ARN is the --serial-number argument used below
      • Type: Virtual
    • The same ARN can be read from the CLI with “aws iam list-mfa-devices --user-name [username]” (SerialNumber field)

Get Current Identity

Outline

Code


aws sts get-caller-identity

Output

Output – Image

sts.getCallerIdentity.20181120.0743PM

Output – Textual


>aws sts get-caller-identity
{
    "UserId": "AID",
    "Account": "22",
    "Arn": "arn:aws:iam::22:user/dadeniji"
}

Issue & Capture Output of “sts get-session-token”

Outline

  1. Issue sts get-session-token
  2. Capture output

Code


setlocal

REM How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI?
REM https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/

REM Assigned MFA device (hardware or virtual); the ARN comes from the user's
REM "Security Credentials" tab and has the form arn:aws:iam::<account-id>:mfa/<device-name>
rem set _ARNUser = arn:aws:iam::userid:user/awsauth/dadeniji
REM _userid holds the 12-digit AWS account ID, not the IAM user name
set _userid=11101
set _ARNmfa=arn:aws:iam::%_userid%:mfa/dadeniji

REM Lifetime of the session credentials; 129600 seconds (36 hours) is the
REM maximum get-session-token allows for an IAM user
set _durationInSeconds=129600

REM **********************************************************************************
REM Read token from device -- cellphone etc.
REM The code rotates every 30 seconds, so set it immediately before running the script
REM **********************************************************************************
set _codeFromToken=506694

rem aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token

aws sts get-session-token --serial-number %_ARNmfa% --duration-seconds %_durationInSeconds% --token-code %_codeFromToken%

endlocal

Output

sts.get-session-token.20181115.0439PM.PNG

Explanation

Please capture the output :-

  1. Credentials
    • AccessKeyId
    • SecretAccessKey
    • SessionToken

Set Session Token – Self

Outline

  1. Set Environment Variables for Self Token

Code


REM Replace the placeholders with the AccessKeyId, SecretAccessKey and SessionToken
REM from the "Credentials" block returned by get-session-token; for the rest of this
REM shell session the CLI uses them in preference to the profile's long-term key
set AWS_ACCESS_KEY_ID=ANTELOPE
set AWS_SECRET_ACCESS_KEY=SAK
set AWS_SESSION_TOKEN=Patti

Assume Role

Outline

  1. aws sts assume-role

Code

Syntax


aws sts assume-role --role-arn=[iam-role] --role-session-name [session-name]

The session name is a label that appears in CloudTrail and in the assumed-role ARN (arn:aws:sts::[account-id]:assumed-role/[role]/[session-name]); it does not have to match the role name. Run the command while the session variables from the previous step are still set, so the request carries MFA context and a trust policy conditioned on aws:MultiFactorAuthPresent is satisfied.

Sample


setlocal

REM Role to assume and a label for the session (account ID abbreviated)
set "_IAMrole=arn:aws:iam::061711:role/housekeeper"
set "_rolename=housekeeper"

aws sts assume-role --role-arn=%_IAMrole% --role-session-name %_rolename%

endlocal

Output

image_assumeRole.01.20181120.0548PM

Set Session Token – Assumed Role

Outline

  1. Set Environment Variables for Role Token

Code


REM Replace the placeholders with the AccessKeyId, SecretAccessKey and SessionToken
REM from the "Credentials" block of the assume-role output; these supersede the
REM get-session-token values set earlier
set AWS_ACCESS_KEY_ID=ANTELOPE
set AWS_SECRET_ACCESS_KEY=SAK
set AWS_SESSION_TOKEN=Patti

Get Current Identity

Outline

Code


aws sts get-caller-identity

Output

Output – Image

image_getCallerIdentity.AssumeRole.Post.01.brushedup.20181120.0552PM.png

Output – Textual


aws sts get-caller-identity
{
    "UserId": "AID",
    "Account": "22",
    "Arn": "arn:aws:sts::22:assumed-role/dba"
}

Access Resource

Outline

  1. Access Resource
    • Access S3 bucket
    • Access RDS DB Resource

Sample

Sample – S3 Bucket

Code
aws s3 ls --profile savanna

Caveat: an explicit --profile tells the CLI to take credentials from that named profile and to ignore the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN variables. To exercise the assumed-role credentials set in the previous step, run “aws s3 ls” without --profile, or store the temporary credentials (including aws_session_token) in the savanna profile.

Output

request.S3.20181115.0452PM.PNG
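Steps 3 to 7 above chained in one script, as an added example that is not the blog's own code: it runs the same two STS commands, parses their JSON, and prints the environment-variable assignments for the shell instead of having them copied by hand. The file name mfa_role.py, the function names and the SAMPLE_STS_OUTPUT payload (constructed, fake key material) are assumptions; the script needs the AWS CLI on PATH with a configured long-term key, and it deliberately passes no --profile because an explicit profile makes the CLI ignore environment-variable credentials.

```python
"""Chain `aws sts get-session-token` and `aws sts assume-role` and print the
environment-variable assignments, so the credentials are not copied by hand.
Added example; not the blog's own script. Requires the AWS CLI on PATH."""
import json
import os
import subprocess
import sys
from datetime import datetime, timezone

# Constructed sample of get-session-token / assume-role output (fake key material).
SAMPLE_STS_OUTPUT = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEY0000",
    "SecretAccessKey": "exampleSecretAccessKey",
    "SessionToken": "exampleSessionToken==",
    "Expiration": "2018-11-16T22:39:00Z"}})

ENV_TEMPLATES = {  # one assignment line per variable, per shell flavour
    "cmd": "set {k}={v}",
    "powershell": '$env:{k}="{v}"',
    "sh": "export {k}='{v}'",
}
ENV_NAMES = (("AWS_ACCESS_KEY_ID", "AccessKeyId"),
             ("AWS_SECRET_ACCESS_KEY", "SecretAccessKey"),
             ("AWS_SESSION_TOKEN", "SessionToken"))


def parse_timestamp(text):
    """STS expirations are ISO-8601 UTC; CLI v1 prints a trailing Z, v2 +00:00."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_credentials(json_text):
    """Pull the Credentials block out of get-session-token / assume-role output."""
    creds = json.loads(json_text)["Credentials"]
    return {
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],
        "Expiration": parse_timestamp(creds["Expiration"]),
    }


def seconds_remaining(creds, now=None):
    """Lifetime left on temporary credentials; negative once they have expired."""
    now = now or datetime.now(timezone.utc)
    return int((creds["Expiration"] - now).total_seconds())


def env_assignments(creds, shell="cmd"):
    """Render the three AWS_* assignments for cmd, PowerShell or POSIX sh."""
    template = ENV_TEMPLATES[shell]
    return "\n".join(template.format(k=k, v=creds[field]) for k, field in ENV_NAMES)


def as_environment(creds, base=None):
    """Process environment for a child that must run with these credentials."""
    env = dict(os.environ if base is None else base)
    env.update((k, creds[field]) for k, field in ENV_NAMES)
    return env


def run_aws(args, env=None):
    """Run the AWS CLI and return its stdout (JSON). No --profile is passed:
    an explicit profile makes the CLI ignore env-var credentials."""
    proc = subprocess.run(["aws", *args, "--output", "json"], env=env,
                          capture_output=True, text=True, check=True)
    return proc.stdout


def mfa_session_then_assume_role(mfa_arn, token_code, role_arn, session_name,
                                 duration=129600):
    """Steps 3-6 of the walkthrough: an MFA-backed session, then assume-role
    inside that session so a trust policy requiring MFA is satisfied."""
    session = parse_credentials(run_aws([
        "sts", "get-session-token", "--serial-number", mfa_arn,
        "--token-code", token_code, "--duration-seconds", str(duration)]))
    role = parse_credentials(run_aws([
        "sts", "assume-role", "--role-arn", role_arn,
        "--role-session-name", session_name], env=as_environment(session)))
    return session, role


if __name__ == "__main__":
    # usage: python mfa_role.py <mfa-device-arn> <code-from-token> <role-arn> <session-name>
    mfa_arn, code, role_arn, name = sys.argv[1:5]
    _, role_creds = mfa_session_then_assume_role(mfa_arn, code, role_arn, name)
    print(env_assignments(role_creds, "cmd" if os.name == "nt" else "sh"))
    print(f"# role credentials expire in {seconds_remaining(role_creds)} s", file=sys.stderr)
```

The printed lines are pasted into (or evaluated by) the shell that will run “aws s3 ls”; the expiry message goes to stderr so it is not pasted along with them. Because the temporary credentials are printed rather than written to disk, nothing long-lived is left behind when the session ends.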

 

References

  1. Amazon
    • AWS
      • CLI
        • MFA
          • How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI?
            https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
      • Directory Services
        • To establish a trust relationship for an existing role to AWS Directory Service
          Link
      • Granting a User Permissions to Switch Roles (id_roles_use_permissions-to-switch)
        Link

AWS – Access Key & Secret Access Key


Background

As the AWS ecosystem continues to grow, its authentication mechanisms keep multiplying as well.


Our Instance

Unfortunately, different services need different authentication pathways.

For instance, our own implementation requires:

  1. User credentials
    • Multi-factor Authentication
  2. IAM Roles


Need

Here I am trying to use a tool and it is asking me for the “AWS access key” and “AWS secret key”.

app_AccessKey_20180606_0729PM [brushedup].png


Process

To review existing keys or create a new Access Key ID and Secret Access Key, do the following:

Outline

  1. Launch browser
  2. Connect to IAM
    • Generic
      • IAM Home Page
        Link
    • Region
      • Region :- US West
        Link
  3. Click on the Users hyperlink
    • In case you do not see your users
      • IAM is a global service, so the Region selector does not affect the user list
      • Make sure that you are not switched into a role; the role may lack permission to list users
  4. Access the “Security Credentials” tab
  5. Review the listed “Access Keys”
    • In my case, there were no Access Keys listed
  6. Created Access Key
    • Clicked on the “Create access key” button
    • Access Key was generated
      • Noted the Access Key ID & Secret Access Key; the secret is shown only at creation and cannot be retrieved afterwards
      • Downloaded the csv file which contains the generated key; keep it out of source control and delete it once the key is stored elsewhere
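Once the csv file is downloaded, the following is an added example (not the blog's own code) of putting it to use safely: the script reads the downloaded file into a named profile in the AWS shared credentials file, so the tool from the Need section can be given a profile name (as savanna is used above) rather than a pasted key pair, and the file is restricted to its owner. The file name import_access_key.py, the SAMPLE_CSV contents (constructed, fake key material) and the assumption that the download's header row reads “Access key ID,Secret access key” are mine, not the page's; the column lookup is case-insensitive in case the header wording differs.

```python
"""Import the credentials CSV downloaded from the IAM console into a named
profile in the AWS shared credentials file, so a tool can be given a profile
name rather than a pasted key pair. Added example; not the blog's own code."""
import configparser
import csv
import io
import os
import stat
import sys
import tempfile
from pathlib import Path

# Constructed stand-in for the console download (fake key material). The header
# names are assumed to match the console's CSV; lookup below is case-insensitive.
SAMPLE_CSV = "Access key ID,Secret access key\nAKIAEXAMPLEKEY0000,exampleSecretAccessKey\n"


def parse_access_key_csv(text):
    """Return (access_key_id, secret_access_key) from the downloaded CSV."""
    rows = list(csv.DictReader(io.StringIO(text.lstrip("\ufeff"))))
    if len(rows) != 1:
        raise ValueError(f"expected one key pair, found {len(rows)} rows")
    row = {k.strip().lower(): (v or "").strip() for k, v in rows[0].items() if k}
    key_id, secret = row["access key id"], row["secret access key"]
    # long-term keys start with AKIA; temporary (STS) keys start with ASIA
    if not key_id.startswith("AKIA") or not secret:
        raise ValueError("values do not look like a long-term AWS access key pair")
    return key_id, secret


def write_profile(credentials_path, profile, key_id, secret):
    """Add or replace [profile] in the credentials file, keep the other
    profiles, and restrict the file to its owner (mode 0600 on POSIX)."""
    path = Path(credentials_path)
    cfg = configparser.ConfigParser()
    cfg.read(path)
    cfg[profile] = {"aws_access_key_id": key_id, "aws_secret_access_key": secret}
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    if os.name != "nt":
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # also tightens a pre-existing file
    return path


def read_profile(credentials_path, profile):
    """Read one profile back as a plain dict (what the CLI will see)."""
    cfg = configparser.ConfigParser()
    cfg.read(credentials_path)
    return dict(cfg[profile])


def import_csv_to_profile(csv_text, profile, credentials_path):
    key_id, secret = parse_access_key_csv(csv_text)
    return write_profile(credentials_path, profile, key_id, secret)


def demo_roundtrip(profile="savanna"):
    """Write SAMPLE_CSV into a throw-away credentials file that already holds a
    [default] profile; return the new profile, the untouched default profile and
    whether the file ended up owner-only."""
    path = Path(tempfile.mkdtemp()) / "credentials"
    path.write_text("[default]\naws_access_key_id = AKIAEXISTING000000\n"
                    "aws_secret_access_key = existingSecret\n")
    import_csv_to_profile(SAMPLE_CSV, profile, path)
    owner_only = os.name == "nt" or stat.S_IMODE(path.stat().st_mode) == 0o600
    return read_profile(path, profile), read_profile(path, "default"), owner_only


if __name__ == "__main__":
    # usage: python import_access_key.py <downloaded.csv> <profile-name>
    csv_file, profile = sys.argv[1:3]
    dest = import_csv_to_profile(Path(csv_file).read_text(), profile,
                                 Path.home() / ".aws" / "credentials")
    print(f"profile [{profile}] written to {dest}; delete {csv_file} now")
```

The temporary-key check (AKIA versus ASIA prefix) guards against importing the session credentials from the first post as if they were a long-term key; those expire and also need an aws_session_token entry. The download itself should be deleted after import, since it holds the same secret in plain text.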

 

Screen Shot

IAM Management Console

Welcome

welcome_20180606_0748PM.png

Users ( Switched to role )

users_role_20180606_1100PM [brushedup].png

Users ( As Self )

users_user_20180607_0914AM.png

Users – [Username] – Security Credentials

SignInCredentials_AccessKeys_20180606_0333PM.png

Create(d) access key

CreateAccessKey_20180606 (brushedup).png


Crediting

Crediting BitTitan …

BitTitan :- How do I get an access key for Amazon S3?
Link