A cross-platform CLI tool to easily manage AWS credentials for MFA-enabled accounts. mfaws talks to the AWS Security Token Service API and allows you to obtain temporary credentials using your AWS access key, AWS secret key and MFA device.
Supported STS operations:
- AssumeRole
- GetSessionToken
mfaws is heavily inspired by aws-mfa
, with a few key differences:
- Assume multiple short-term profiles for a single long-term profile
- A single native binary - no dependency on Python
- Pass the one-time password (OTP) as a flag argument
- Option to set the STS service endpoint
- Utility commands to manage short-term profiles
If you're migrating and curious, read the section about the differences: Migrating from aws-mfa
: What's different?
mfaws is available for Windows, MacOs and Linux.
- Via cargo:
cargo install mfaws
- From GitHub:
- Download the latest binary from the release page
- Extract it
- Add it to your
PATH
Let's assume you have the following AWS credentials file in ~/.aws/credentials
. It has a single long-term profile, dev
, which can be used to generate short-term profiles. Short-term profiles are identified by the -short-term
suffix (or a custom one that you provide). Short-term profiles are generated automatically and should not be fiddled with manually.
[dev]
aws_access_key_id=AKMB6EHIO4AB9FRYI37
aws_secret_access_key=qAnFonnuEUqp
- You can set
aws_mfa_device=[MFA DEVICE ARN]
in your AWS credentials profile so you don't have to pass it as a flag every time - If you don't specify a profile name with
--profile
, the app looks for the profile nameddefault
- Get a temporary session token for profile
dev
:
mfaws session-token \
--profile dev \
--device arn:aws:iam::3687901:mfa/my-mfa-device
mfaws automatically generates and adds the following short-term profile to your AWS credentials file:
[dev]
aws_access_key_id=AKMB6EHIO4AB9FRYI37
aws_secret_access_key=qAnFonnuEUqp
[dev-short-term]
expiration=2023-04-05T21:57:52Z
aws_access_key_id=ASIAVMB6EHIOYTGUOE7T
aws_secret_access_key=E6HGxHXHb2hqP3az+UMThIjWGVsdKH3pG1h67FxR
aws_session_token=IQoJb3JpZ2luX2VjECoaCXVzLWVhc3QtMSJHMEUCIDSFI50`
- Assume a role for profile
dev
, pass the otp as an argument and use regioneu-central-2
:
mfaws assume-role \
--profile dev \
--role-arn arn:aws:iam::6823sdf5:role/admin \
--device arn:aws:iam::3687901:mfa/my-mfa-device \
--otp 123456 \
--sts-region eu-central-2
Now, your AWS config file looks like this:
[dev]
aws_access_key_id=AKMB6EHIO4AB9FRYI37
aws_secret_access_key=qAnFonnuEUqp
[dev_6823sdf5-role-admin-mfa-user_short-term]
assumed_role_arn=arn:aws:iam::6823sdf5:role/admin
assumed_role_id=AROAZ5XVG55QR3R2:mfa-user
expiration=2023-04-05T11:02:10Z
aws_access_key_id=ASINQT6HE6ZCS
aws_secret_access_key=iqVoWOI8+l6WVBn8pdCc/JxJ6
aws_session_token=IQoJb3JpZ2luXS4VhObxKg6p79Pm38C4ahGqcGKw==
Whenever you run an operation, mfaws checks your existing short-term profiles to see if there is still a valid (i.e., not yet expired) profile around. If that is the case, the operation is gracefully aborted and you'll be notified. You can also force new credentials by passing the --force
flag.
I recommended creating bash aliases for any of these operations and then set the AWS_PROFILE
environment variable to the name of the genreated profile.
E.g., for bash:
alias mfa-admin="mfaws assume-role --profile dev --role-arn arn:aws:iam::6823sdf5:role/admin && export AWS_PROFILE=default_6823sdf5-role-admin-mfa-user_short-term"
You might want to run it manually the first time to see what name is generated for your short-term profile. It's a combination of the assumed role and role name.
In your terminal, run mfaws help
to see all (sub)commands and their usage:
A CLI tool to manage AWS credentials for MFA-enabled accounts
Usage: mfaws [OPTIONS] <COMMAND>
Commands:
assume-role Temporary credentials for an assumed AWS IAM Role
session-token Temporary credentials for an AWS IAM user
clean Remove short-time profiles from your credentials file
list List profiles in your credentials file
help Print this message or the help of the given subcommand(s)
Options:
--credentials-path <CREDENTIALS_PATH>
Location of the AWS credentials file. Can be a relative path from your home directory or an absolute path to the file [env: AWS_SHARED_CREDENTIALS_FILE=] [default: .aws/credentials]
-h, --help
Print help
-V, --version
Print version
mfaws allows you to customize many things, including the duration of the temporary credentials, the short-term suffix that is used to generate short-term profiles or the path to the credentials file. Many values can also be read from the corresponding environment variables.
mfaws assume-role --help
Temporary credentials for an assumed AWS IAM Role
Usage: mfaws assume-role [OPTIONS] --role-arn <ROLE_ARN>
Options:
--role-arn <ROLE_ARN>
The ARN of the AWS IAM Role you want to assume [env: AWS_ROLE_ARN=]
--role-session-name <ROLE_NAME>
Custom friendly session name when assuming a role [env: AWS_ROLE_SESSION_NAME=] [default: mfa-user]
--profile <PROFILE_NAME>
The AWS credentials profile to use [env: AWS_PROFILE=] [default: default]
--device <MFA_DEVICE>
The MFA Device ARN [env: MFA_DEVICE=]
--credentials-path <CREDENTIALS_PATH>
Location of the AWS credentials file. Can be a relative path from your home directory or an absolute path to the file [env: AWS_SHARED_CREDENTIALS_FILE=] [default: .aws/credentials]
--otp <OTP>
The one-time password from your MFA device
--duration <DURATION>
The duration, in seconds, for which the temporary credentials should remain valid [env: MFA_DURATION=]
--short-term-suffix <SHORT_TERM_SUFFIX>
To identify the auto-generated short-term credential profile [default: short-term]
--force
Force the creation of a new short-term profile even if one already exists
--sts-region <STS_REGION>
The STS region to use for the AWS client [default: us-east-1]
-h, --help
Print help
mfaws session-token --help
Temporary credentials for an AWS IAM user
Usage: mfaws session-token [OPTIONS]
Options:
--profile <PROFILE_NAME>
The AWS credentials profile to use [env: AWS_PROFILE=] [default: default]
--device <MFA_DEVICE>
The MFA Device ARN [env: MFA_DEVICE=]
--otp <OTP>
The one-time password from your MFA device
--duration <DURATION>
The duration, in seconds, for which the temporary credentials should remain valid [env: MFA_DURATION=]
--credentials-path <CREDENTIALS_PATH>
Location of the AWS credentials file. Can be a relative path from your home directory or an absolute path to the file [env: AWS_SHARED_CREDENTIALS_FILE=] [default: .aws/credentials]
--short-term-suffix <SHORT_TERM_SUFFIX>
To identify the auto-generated short-term credential profile [default: short-term]
--force
Force the creation of a new short-term profile even if one already exists
--sts-region <STS_REGION>
The STS region to use for the AWS client [default: us-east-1]
-h, --help
Print help
mfaws clean --help
Remove short-time profiles from your credentials file
Usage: mfaws clean [OPTIONS]
Options:
--short-term-suffix <SHORT_TERM_SUFFIX>
To identify the short-term credential profiles [default: short-term]
--credentials-path <CREDENTIALS_PATH>
Location of the AWS credentials file. Can be a relative path from your home directory or an absolute path to the file [env: AWS_SHARED_CREDENTIALS_FILE=] [default: .aws/credentials]
-h, --help
Print help
mfaws list --help
List profiles in your credentials file
Usage: mfaws list [OPTIONS]
Options:
--credentials-path <CREDENTIALS_PATH>
Location of the AWS credentials file. Can be a relative path from your home directory or an absolute path to the file [env: AWS_SHARED_CREDENTIALS_FILE=] [default: .aws/credentials]
-h, --help
Print help
In most cases, you will not have to speficy the STS endpoint to retrieve temporary credentials. The default region is us-east-1
. If you need to use a different region, you can set the --sts-region
flag with a regional endpoint identifier (not URL). Note that the region configured in ./aws/config
is not used.
- By default, all profiles are considered long-term profiles unless they end with the short term suffix set by
--short-term-suffix [SUFFIX]
. There is no such thing as an explicit long-term suffix (hence, also no--long-term-suffix
flag) - Unlike
aws-mfa
, where actions (AssumeRole/GetSessionToken) are implicitly given by the presence of the--assume-role
flag, mfaws has dedicated sub-commands for each operation --assume-role
is--role-arn
--role-session-name [NAME]
does not use the login name of your user by default but the static stringmfa-user
- Some environment variables have different names
General feedback, bugfixes and feature ideas are very welcome! Please open an issue first.