Managing AWS MFA security credentials

Detailed description of the aws-mfa-spok Python project


aws-mfa: manage your AWS security credentials easily when using multi-factor authentication (MFA)

aws-mfa makes it easy to manage AWS SDK security credentials when multi-factor authentication (MFA) is enforced on an AWS account. It automates the process of obtaining temporary credentials from the AWS Security Token Service (STS) and updating the AWS credentials file (located at ~/.aws/credentials). The traditional approach to MFA-based credentials required users to write their own custom scripts or wrappers to obtain temporary credentials from STS, and then to update the AWS credentials file by hand, often repeatedly.

The concept behind aws-mfa is that there are two kinds of credentials:

  • long-term - your typical AWS access key pair, consisting of AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY

  • short-term - a set of temporary credentials generated by AWS STS from your long-term credentials together with your MFA device serial number (the hardware device serial number or the virtual device ARN) and a one-time token code. Your short-term credentials are the ones the AWS SDK actively uses.

If you have not yet enabled multi-factor authentication for AWS API access, see the AWS article.

Installation:

Option 1

$ pip install aws-mfa

Option 2

1. Clone this repo
2. $ python setup.py install

Credentials file setup

In a typical AWS credentials file (located at ~/.aws/credentials), credentials are stored in sections, denoted by a pair of square brackets: []. The [default] section stores the default credentials. You can store multiple sets of credentials under different profile names. If no profile is specified, the [default] section is always used.

By default, the long-term credential section is identified by the convention [<profile_name>-long-term], and the short-term credentials by the usual convention [<profile_name>]. Note that aws-mfa only manages this file: the requirement to present MFA is enforced on the AWS side by your IAM policies (for example, a condition on aws:MultiFactorAuthPresent), and the long-term key pair stays on disk in plaintext, so keep ~/.aws/credentials readable only by your own user. The following shows how to configure the credentials file for use with aws-mfa and the default credentials:

[default-long-term]
aws_access_key_id = YOUR_LONGTERM_KEY_ID
aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY

After running aws-mfa, your credentials file will read:

[default-long-term]
aws_access_key_id = YOUR_LONGTERM_KEY_ID
aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY

[default]
aws_access_key_id = <POPULATED_BY_AWS-MFA>
aws_secret_access_key = <POPULATED_BY_AWS-MFA>
aws_security_token = <POPULATED_BY_AWS-MFA>

Similarly, if you use a credentials profile named development, your credentials file will look like this:

[development-long-term]
aws_access_key_id = YOUR_LONGTERM_KEY_ID
aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY

After running aws-mfa, your credentials file will read:

[development-long-term]
aws_access_key_id = YOUR_LONGTERM_KEY_ID
aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY

[development]
aws_access_key_id = <POPULATED_BY_AWS-MFA>
aws_secret_access_key = <POPULATED_BY_AWS-MFA>
aws_security_token = <POPULATED_BY_AWS-MFA>

The section suffixes can be overridden with the --long-term-suffix and --short-term-suffix command-line arguments. In a multi-account scenario, for example, one AWS account may manage the IAM users for your organization while other AWS accounts host the development, staging and production environments.

After running aws-mfa once per environment with a different value for --short-term-suffix, your credentials file will read:

[myorganization-long-term]
aws_access_key_id = YOUR_LONGTERM_KEY_ID
aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY

[myorganization-development]
aws_access_key_id = <POPULATED_BY_AWS-MFA>
aws_secret_access_key = <POPULATED_BY_AWS-MFA>
aws_security_token = <POPULATED_BY_AWS-MFA>

[myorganization-staging]
aws_access_key_id = <POPULATED_BY_AWS-MFA>
aws_secret_access_key = <POPULATED_BY_AWS-MFA>
aws_security_token = <POPULATED_BY_AWS-MFA>

[myorganization-production]
aws_access_key_id = <POPULATED_BY_AWS-MFA>
aws_secret_access_key = <POPULATED_BY_AWS-MFA>
aws_security_token = <POPULATED_BY_AWS-MFA>

This lets you work against several environments without running aws-mfa every time you switch between them.

If you do not want a long-term suffix at all, omit it by passing the value none to the --long-term-suffix command-line argument. After running aws-mfa once per environment with a different --short-term-suffix, your credentials file will read:

[myorganization]
aws_access_key_id = YOUR_LONGTERM_KEY_ID
aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY

[myorganization-development]
aws_access_key_id = <POPULATED_BY_AWS-MFA>
aws_secret_access_key = <POPULATED_BY_AWS-MFA>
aws_security_token = <POPULATED_BY_AWS-MFA>

[myorganization-staging]
aws_access_key_id = <POPULATED_BY_AWS-MFA>
aws_secret_access_key = <POPULATED_BY_AWS-MFA>
aws_security_token = <POPULATED_BY_AWS-MFA>

[myorganization-production]
aws_access_key_id = <POPULATED_BY_AWS-MFA>
aws_secret_access_key = <POPULATED_BY_AWS-MFA>
aws_security_token = <POPULATED_BY_AWS-MFA>
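The following is an added example, not code from the aws-mfa project itself: it shows how the long-term / short-term section convention above (including the none suffix and the rule that the two sections must never coincide) maps onto a real credentials file, how an expiry check decides whether renewal is needed, and how the short-term section is written back. It uses only the standard library; the STS call is injected as a function so the example runs offline, and the expiration field name, the sample key values and the extra aws_session_token key (the name current SDKs read, alongside the legacy aws_security_token shown on this page) are this example's own choices.

```python
"""Added example (not aws-mfa's own code): credentials-file handling for the
long-term / short-term section convention. Standard library only."""
import configparser
import io
from datetime import datetime, timedelta, timezone

LONG_TERM_DEFAULT = "long-term"

# Constructed sample file for the walkthrough; the key values are fake.
SAMPLE_CREDENTIALS = """\
[default-long-term]
aws_access_key_id = AKIAEXAMPLELONGTERM
aws_secret_access_key = EXAMPLELONGTERMSECRET
"""


def section_names(profile, long_term_suffix=None, short_term_suffix=None):
    """Return (long_term_section, short_term_section) following the
    --long-term-suffix / --short-term-suffix rules:
      long suffix omitted          -> <profile>-long-term
      long suffix 'none'           -> <profile>
      short suffix omitted/'none'  -> <profile>
    """
    if long_term_suffix is None:
        long_section = f"{profile}-{LONG_TERM_DEFAULT}"
    elif long_term_suffix.lower() == "none":
        long_section = profile
    else:
        long_section = f"{profile}-{long_term_suffix}"

    if short_term_suffix is None or short_term_suffix.lower() == "none":
        short_section = profile
    else:
        short_section = f"{profile}-{short_term_suffix}"

    if long_section == short_section:
        # Writing temporary keys over the long-term keys would destroy them.
        raise ValueError("long-term and short-term sections must differ")
    return long_section, short_section


def load_credentials(text):
    # interpolation=None: secrets and session tokens must be taken literally.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def needs_renewal(cfg, short_section, now, margin=timedelta(0)):
    """True when the short-term section is missing, records no expiration,
    or has expired (optionally `margin` before the real expiry).
    'expiration' is an ISO-8601 UTC timestamp written by write_short_term();
    that field name is this example's assumption."""
    if not cfg.has_section(short_section):
        return True
    exp = cfg.get(short_section, "expiration", fallback=None)
    if exp is None:
        return True
    return now + margin >= datetime.fromisoformat(exp)


def write_short_term(cfg, short_section, creds):
    """Populate the short-term section from an STS Credentials dict
    ({'AccessKeyId', 'SecretAccessKey', 'SessionToken', 'Expiration'})."""
    if not cfg.has_section(short_section):
        cfg.add_section(short_section)
    cfg.set(short_section, "aws_access_key_id", creds["AccessKeyId"])
    cfg.set(short_section, "aws_secret_access_key", creds["SecretAccessKey"])
    cfg.set(short_section, "aws_session_token", creds["SessionToken"])
    cfg.set(short_section, "aws_security_token", creds["SessionToken"])
    cfg.set(short_section, "expiration", creds["Expiration"].isoformat())
    return cfg


def renew_if_needed(text, profile, fetch, now,
                    long_term_suffix=None, short_term_suffix=None):
    """Return (config, renewed). `fetch(long_term_section_dict)` must return
    an STS Credentials dict; it is injected so this runs offline (a real
    caller would wrap sts.get_session_token()). The long-term section is
    never modified."""
    cfg = load_credentials(text)
    long_s, short_s = section_names(profile, long_term_suffix, short_term_suffix)
    if not cfg.has_section(long_s):
        raise KeyError(f"missing long-term section [{long_s}]")
    if not needs_renewal(cfg, short_s, now):
        return cfg, False
    write_short_term(cfg, short_s, fetch(dict(cfg[long_s])))
    return cfg, True


def dump(cfg):
    """Serialise the config back to credentials-file text."""
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()
```

Running renew_if_needed twice with the same clock shows the behaviour of the "still valid" path on this page: the second call finds an unexpired short-term section and leaves the file untouched.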

Usage

--device arn:aws:iam::123456788990:mfa/dudeman
                        The MFA Device ARN. This value can also be provided
                        via the environment variable 'MFA_DEVICE' or the
                        ~/.aws/credentials variable 'aws_mfa_device'.
--duration DURATION     The duration, in seconds, that the temporary
                        credentials should remain valid. Minimum value: 900
                        (15 minutes). Maximum: 129600 (36 hours). Defaults to
                        43200 (12 hours), or 3600 (one hour) when using
                        '--assume-role'. This value can also be provided via
                        the environment variable 'MFA_STS_DURATION'.
--profile PROFILE       If using profiles, specify the name here. The default
                        profile name is 'default'. The value can also be
                        provided via the environment variable 'AWS_PROFILE'.
--long-term-suffix LONG_TERM_SUFFIX
                        To identify the long term credential section by
                        [<profile_name>-LONG_TERM_SUFFIX]. Use 'none' to
                        identify the long term credential section by
                        [<profile_name>]. Omit to identify the long term 
                        credential section by [<profile_name>-long-term].
--short-term-suffix SHORT_TERM_SUFFIX
                        To identify the short term credential section by
                        [<profile_name>-SHORT_TERM_SUFFIX]. Omit or use 'none'
                        to identify the short term credential section by
                        [<profile_name>].
--assume-role arn:aws:iam::123456788990:role/RoleName
                        The ARN of the AWS IAM Role you would like to assume,
                        if specified. This value can also be provided via the
                        environment variable 'MFA_ASSUME_ROLE'
--role-session-name ROLE_SESSION_NAME
                        Friendly session name required when using --assume-
                        role. By default, this is your local username.

Argument precedence: command-line arguments take precedence over environment variables.

Usage examples

Run aws-mfa before running any script that uses the AWS SDK.

Using command-line arguments:

$> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman
INFO - Using profile: default
INFO - Your credentials have expired, renewing.
Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds): 123456
INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:07:09+00:00

Using environment variables:

export MFA_DEVICE=arn:aws:iam::123456788990:mfa/dudeman
$> aws-mfa --duration 1800
INFO - Using profile: default
INFO - Your credentials have expired, renewing.
Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds): 123456
INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:07:09+00:00

export MFA_DEVICE=arn:aws:iam::123456788990:mfa/dudeman
export MFA_STS_DURATION=1800
$> aws-mfa
INFO - Using profile: default
INFO - Your credentials have expired, renewing.
Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds): 123456
INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:07:09+00:00

Output of running aws-mfa while the credentials are still valid:

$> aws-mfa
INFO - Using profile: default
INFO - Your credentials are still valid for 1541.791134 seconds they will expire at 2015-12-21 23:07:09

Using a profile (profiles let you refer to different sets of credentials, for example for different users or different regions):

$> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman --profile development
INFO - Using profile: development
Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds): 666666
INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:09:04+00:00

Using a profile set through the AWS_PROFILE environment variable:

$> export AWS_PROFILE=development
$> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman
INFO - Using profile: development
Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds): 666666
INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:09:04+00:00

Assuming a role (see PR 16):

Assume a role: assume the role specified in the long-term configuration section:

[default-long-term]
aws_access_key_id = YOUR_LONGTERM_KEY_ID
aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY
assume_role = arn:aws:iam::123456788990:role/some-role

$> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman --role-session-name some-role-session

Assuming a role using a profile:

$> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman --profile development --assume-role arn:aws:iam::123456788990:role/some-role --role-session-name some-role-session
INFO - Validating credentials for profile: development with assumed role arn:aws:iam::123456788990:role/some-role
INFO - Obtaining credentials for a new role or profile.
Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds): 123456
INFO - Success! Your credentials will expire in 1800 seconds at: 2016-10-24 18:58:17+00:00

Assuming a role in multiple accounts, so that both accounts (here production and staging) can be used at the same time:

$> aws-mfa --profile myorganization --assume-role arn:aws:iam::222222222222:role/Administrator --short-term-suffix production --long-term-suffix none --role-session-name production
INFO - Validating credentials for profile: myorganization-production with assumed role arn:aws:iam::222222222222:role/Administrator
INFO - Your credentials have expired, renewing.
Enter AWS MFA code for device [arn:aws:iam::111111111111:mfa/me] (renewing for 3600 seconds): 123456
INFO - Success! Your credentials will expire in 3600 seconds at: 2017-07-10 07:16:43+00:00

$> aws-mfa --profile myorganization --assume-role arn:aws:iam::333333333333:role/Administrator --short-term-suffix staging --long-term-suffix none --role-session-name staging
INFO - Validating credentials for profile: myorganization-staging with assumed role arn:aws:iam::333333333333:role/Administrator
INFO - Your credentials have expired, renewing.
Enter AWS MFA code for device [arn:aws:iam::111111111111:mfa/me] (renewing for 3600 seconds): 123456
INFO - Success! Your credentials will expire in 3600 seconds at: 2017-07-10 07:16:44+00:00

$> aws s3api list-objects --bucket my-production-bucket --profile myorganization-production

$> aws s3api list-objects --bucket my-staging-bucket --profile myorganization-staging
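The following is an added example, not aws-mfa's own code: it shows the two STS requests behind the usage examples above. Without --assume-role the long-term keys are exchanged for a session token with GetSessionToken; with --assume-role the MFA serial and code are passed straight to AssumeRole, which satisfies a role trust policy that requires MFA. build_sts_request() applies the --duration defaults and STS limits locally so bad input never reaches STS (the assume-role upper bound is the AssumeRole API maximum, which this example assumes is the binding limit; a role's own MaxSessionDuration may be lower); call_sts() performs the live request and assumes boto3 is installed. The device ARNs and role ARNs are the ones on this page.

```python
"""Added example (not aws-mfa's own code): the STS requests behind the
aws-mfa command lines. Only call_sts() needs boto3 and network access."""
import re
from datetime import datetime, timezone

STS_MIN_DURATION = 900              # 15 minutes, STS minimum for both calls
SESSION_TOKEN_MAX_DURATION = 129600 # 36 hours, GetSessionToken maximum
ASSUME_ROLE_MAX_DURATION = 43200    # 12 hours, AssumeRole API maximum (assumed binding here)
SESSION_TOKEN_DEFAULT = 43200       # the tool's default --duration
ASSUME_ROLE_DEFAULT = 3600          # the tool's default with --assume-role

_TOKEN_RE = re.compile(r"^\d{6}$")  # STS TokenCode is exactly six digits


def build_sts_request(device_arn, token_code, duration=None,
                      assume_role=None, role_session_name=None):
    """Return (boto3 STS client method name, keyword arguments) for the
    request that --device/--duration/--assume-role/--role-session-name imply.
    Invalid input is rejected locally instead of round-tripping to STS."""
    if not _TOKEN_RE.match(token_code or ""):
        raise ValueError("MFA token code must be exactly six digits")
    if not device_arn:
        raise ValueError("MFA device serial number / ARN is required")

    if assume_role:
        if not role_session_name:
            raise ValueError("--role-session-name is required with --assume-role")
        duration = ASSUME_ROLE_DEFAULT if duration is None else int(duration)
        if not STS_MIN_DURATION <= duration <= ASSUME_ROLE_MAX_DURATION:
            raise ValueError(
                f"assume-role duration must be {STS_MIN_DURATION}.."
                f"{ASSUME_ROLE_MAX_DURATION} seconds")
        # MFA is presented to AssumeRole directly, so the resulting role
        # session carries aws:MultiFactorAuthPresent = true.
        return "assume_role", {
            "RoleArn": assume_role,
            "RoleSessionName": role_session_name,
            "SerialNumber": device_arn,
            "TokenCode": token_code,
            "DurationSeconds": duration,
        }

    duration = SESSION_TOKEN_DEFAULT if duration is None else int(duration)
    if not STS_MIN_DURATION <= duration <= SESSION_TOKEN_MAX_DURATION:
        raise ValueError(
            f"duration must be {STS_MIN_DURATION}..{SESSION_TOKEN_MAX_DURATION} seconds")
    return "get_session_token", {
        "SerialNumber": device_arn,
        "TokenCode": token_code,
        "DurationSeconds": duration,
    }


def seconds_remaining(expiration, now=None):
    """Seconds until an STS Expiration timestamp (tz-aware datetime); negative
    once expired. This is the figure behind the 'still valid for N seconds'
    message shown on this page."""
    now = now or datetime.now(timezone.utc)
    return (expiration - now).total_seconds()


def call_sts(long_term, api_name, kwargs):
    """Perform the request with the long-term keys and return the STS
    Credentials dict. boto3 is imported here so the rest of the module works
    without it (boto3 is an assumed dependency of the live path only)."""
    import boto3
    sts = boto3.client(
        "sts",
        aws_access_key_id=long_term["aws_access_key_id"],
        aws_secret_access_key=long_term["aws_secret_access_key"],
    )
    return getattr(sts, api_name)(**kwargs)["Credentials"]
```

Calling build_sts_request with the arguments of the multi-account example above yields an assume_role request for each target account carrying the same MFA serial from account 111111111111, which is why a single MFA device in the organization account can mint sessions into the production and staging accounts.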

java如何显示因用户而异的SQLite存储数据?   转换java。sql。将映射传递给Jackon的valueToTree方法时StringNode的时间戳   从java中的列表json获取值   unicode Java字符存储在什么编码中?   java如何让Spring数据存储库中的默认方法命中缓存?   java使用readClassDescriptor()和resolveClass()来允许序列化版本控制   数组通过另一个矩阵的一部分填充矩阵   如果包含使用正则表达式的字符串,则替换父XML标记的java   java清除SharedReference中的单个变量   java将变量值从一个jsp页面传输到另一个jsp页面   java JDBC+SQLite:DriveManager不加载所需的驱动程序   相同源代码的java Kotlin构建生成不同的二进制文件   Java中的元组枚举