This package provides a utility to make using multi-factor authentication easier with the aws-cli.

This package depends on aws-cli and jq.

This should be compatible with phone authenticator apps as well as physical security keys. It has been tested with Google Authenticator and a Yubikey 5C.

MacOS: Install using homebrew

$ brew tap razrmarketing/aws-cli-mfa [email protected]:razrmarketing/aws-cli-mfa.git
$ brew install aws-cli-mfa

Manual installation: Install the prerequisites, place the aws-mfa.sh script somewhere in your PATH and mark it as executable.

Before you can use this tool you must configure your aws-cli with a default profile. You can simply follow the AWS Quick configuration guide.

Simply run the aws-mfa command. It will pull the first MFA device on your user profile and ask for an MFA code. Provide the code from your authenticator app, or touch/press the button on your security key.

$ aws-mfa
Using MFA device: arn:aws:iam::111111111111:mfa/username
Enter MFA code: ******
Getting session token
Configuring credentials for profile mfa

Done.

Ths first time, this will create a new AWS profile in your ~/.aws/credentials file named mfa. When your session expires (12 hours by default) you can run the command again and the profile will be updated.

aws-mfa
[--duration-seconds <value>]
[--serial-number <value>]
[--profile <value>]

--duration-seconds (integer)

The duration, in seconds, your session lasts. See AWS Documentation.

--serial-number (string)

The MFA device serial number or ARN. See AWS Documentation.

--profile (string)

The name of the AWS profile you want to use. Defaults to mfa.

If you have multiple profiles set up in order to use different roles, etc, you should update your ~/.aws/config to specify mfa as the source_profile for any profile the requires MFA.