Managing AWS MFA security credentials
Detailed description of the aws-mfa-spok Python project
aws-mfa: easily manage your AWS security credentials when using multi-factor authentication (MFA)
aws-mfa makes it easy to manage AWS SDK security credentials when multi-factor authentication (MFA) is enforced on an AWS account. It automates the process of obtaining temporary credentials from the AWS Security Token Service (STS) and updating the AWS credentials file (located at ~/.aws/credentials). The traditional approach to managing MFA-based credentials requires users to write their own custom scripts/wrappers to obtain temporary credentials from STS and, frequently, to update the AWS credentials file by hand.
The concept behind aws-mfa is that there are two types of credentials:
long-term - the typical AWS access keys, consisting of AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
short-term - a set of temporary credentials generated by AWS STS from your long-term credentials together with your MFA device serial number (a hardware device serial number or a virtual device ARN) and a one-time token code. Your short-term credentials are the credentials actively used by the AWS SDK in use.
If you have not yet enabled multi-factor authentication for AWS API access, see the AWS article.
Installation:
Option 1
    $ pip install aws-mfa
Option 2
    1. Clone this repo
    2. $ python setup.py install
Credentials file setup
In a typical AWS credentials file (located at ~/.aws/credentials), credentials are stored in sections, denoted by a pair of square brackets: []. The [default] section stores the default credentials. You can store multiple sets of credentials using different profile names. If no profile is specified, the [default] section is always used.
By default, the long-term credential section is identified by the convention [<profile_name>-long-term], and the short-term credentials by the typical convention [<profile_name>]. The following shows how to configure the credentials file for aws-mfa using default credentials:
    [default-long-term]
    aws_access_key_id = YOUR_LONGTERM_KEY_ID
    aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY
After running aws-mfa, your credentials file will read:
    [default-long-term]
    aws_access_key_id = YOUR_LONGTERM_KEY_ID
    aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY
    [default]
    aws_access_key_id = <POPULATED_BY_AWS-MFA>
    aws_secret_access_key = <POPULATED_BY_AWS-MFA>
    aws_security_token = <POPULATED_BY_AWS-MFA>
Similarly, if you use a credentials profile named development, your credentials file would look like this:
    [development-long-term]
    aws_access_key_id = YOUR_LONGTERM_KEY_ID
    aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY
After running aws-mfa, your credentials file will read:
    [development-long-term]
    aws_access_key_id = YOUR_LONGTERM_KEY_ID
    aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY
    [development]
    aws_access_key_id = <POPULATED_BY_AWS-MFA>
    aws_secret_access_key = <POPULATED_BY_AWS-MFA>
    aws_security_token = <POPULATED_BY_AWS-MFA>
This can be changed with the --long-term-suffix and --short-term-suffix command line arguments. For example, in a multi-account scenario you may have one AWS account that manages the IAM users for your organization, and other AWS accounts for the development, staging and production environments.
After running aws-mfa once for each environment with a different value for --short-term-suffix, your credentials file will read:
    [myorganization-long-term]
    aws_access_key_id = YOUR_LONGTERM_KEY_ID
    aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY
    [myorganization-development]
    aws_access_key_id = <POPULATED_BY_AWS-MFA>
    aws_secret_access_key = <POPULATED_BY_AWS-MFA>
    aws_security_token = <POPULATED_BY_AWS-MFA>
    [myorganization-staging]
    aws_access_key_id = <POPULATED_BY_AWS-MFA>
    aws_secret_access_key = <POPULATED_BY_AWS-MFA>
    aws_security_token = <POPULATED_BY_AWS-MFA>
    [myorganization-production]
    aws_access_key_id = <POPULATED_BY_AWS-MFA>
    aws_secret_access_key = <POPULATED_BY_AWS-MFA>
    aws_security_token = <POPULATED_BY_AWS-MFA>
This lets you access multiple environments without having to run aws-mfa every time you switch environments.
If you don't like the long-term suffix, you can omit it by passing the value none to the --long-term-suffix command line argument. After running aws-mfa once for each environment with a different --short-term-suffix, your credentials file will read:
    [myorganization]
    aws_access_key_id = YOUR_LONGTERM_KEY_ID
    aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY
    [myorganization-development]
    aws_access_key_id = <POPULATED_BY_AWS-MFA>
    aws_secret_access_key = <POPULATED_BY_AWS-MFA>
    aws_security_token = <POPULATED_BY_AWS-MFA>
    [myorganization-staging]
    aws_access_key_id = <POPULATED_BY_AWS-MFA>
    aws_secret_access_key = <POPULATED_BY_AWS-MFA>
    aws_security_token = <POPULATED_BY_AWS-MFA>
    [myorganization-production]
    aws_access_key_id = <POPULATED_BY_AWS-MFA>
    aws_secret_access_key = <POPULATED_BY_AWS-MFA>
    aws_security_token = <POPULATED_BY_AWS-MFA>
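The section-naming rules above (default suffixes, 'none', and a per-environment --short-term-suffix) and the way the short-term section is filled in, as an added example that is not the aws-mfa project's own code. It works on a constructed credentials file and a constructed STS-style response; the refusal to let the short-term section coincide with the long-term one, and the stored expiration key, are this example's own assumptions.

```python
import configparser
from datetime import datetime, timedelta, timezone

# Constructed sample credentials file in the README's layout (not real keys)
CONSTRUCTED_CREDENTIALS = """
[myorganization]
aws_access_key_id = AKIAEXAMPLELONGTERM
aws_secret_access_key = EXAMPLELONGTERMSECRET
"""

def section_names(profile, long_term_suffix=None, short_term_suffix=None):
    """Map the --long-term-suffix / --short-term-suffix rules to section names."""
    if long_term_suffix is None:
        long_sec = f"{profile}-long-term"  # omitted: [<profile>-long-term]
    elif long_term_suffix.lower() == "none":
        long_sec = profile  # 'none': [<profile>]
    else:
        long_sec = f"{profile}-{long_term_suffix}"
    if short_term_suffix is None or short_term_suffix.lower() == "none":
        short_sec = profile  # omitted or 'none': [<profile>]
    else:
        short_sec = f"{profile}-{short_term_suffix}"
    # Assumption of this example: never let temporary keys overwrite long-term keys
    if long_sec == short_sec:
        raise ValueError(f"both sections resolve to [{long_sec}]")
    return long_sec, short_sec

def write_short_term(config, profile, sts, long_term_suffix=None, short_term_suffix=None):
    """Populate the short-term section from an STS-style Credentials dict."""
    long_sec, short_sec = section_names(profile, long_term_suffix, short_term_suffix)
    if long_sec not in config:
        raise KeyError(f"no long-term section [{long_sec}] in credentials file")
    config[short_sec] = {"aws_access_key_id": sts["AccessKeyId"],
                         "aws_secret_access_key": sts["SecretAccessKey"],
                         "aws_security_token": sts["SessionToken"],
                         # assumption: expiry kept so a later run can report "still valid"
                         "expiration": sts["Expiration"].isoformat()}
    return short_sec

def demo(profile="myorganization", lt="none", st="production", duration=1800):
    """Whole flow on the constructed file; returns (section, seconds left, token)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(CONSTRUCTED_CREDENTIALS)
    now = datetime.now(timezone.utc)
    sts = {"AccessKeyId": "ASIAEXAMPLETEMP", "SecretAccessKey": "EXAMPLETEMPSECRET",
           "SessionToken": "EXAMPLETOKEN", "Expiration": now + timedelta(seconds=duration)}
    section = write_short_term(cfg, profile, sts, lt, st)
    left = (datetime.fromisoformat(cfg[section]["expiration"]) - now).total_seconds()
    return section, left, cfg[section]["aws_security_token"]
```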
Usage
    --device arn:aws:iam::123456788990:mfa/dudeman
                          The MFA Device ARN. This value can also be provided
                          via the environment variable 'MFA_DEVICE' or the
                          ~/.aws/credentials variable 'aws_mfa_device'.
    --duration DURATION   The duration, in seconds, that the temporary
                          credentials should remain valid. Minimum value: 900
                          (15 minutes). Maximum: 129600 (36 hours). Defaults to
                          43200 (12 hours), or 3600 (one hour) when using
                          '--assume-role'. This value can also be provided via
                          the environment variable 'MFA_STS_DURATION'.
    --profile PROFILE     If using profiles, specify the name here. The default
                          profile name is 'default'. The value can also be
                          provided via the environment variable 'AWS_PROFILE'.
    --long-term-suffix LONG_TERM_SUFFIX
                          To identify the long term credential section by
                          [<profile_name>-LONG_TERM_SUFFIX]. Use 'none' to
                          identify the long term credential section by
                          [<profile_name>]. Omit to identify the long term
                          credential section by [<profile_name>-long-term].
    --short-term-suffix SHORT_TERM_SUFFIX
                          To identify the short term credential section by
                          [<profile_name>-SHORT_TERM_SUFFIX]. Omit or use 'none'
                          to identify the short term credential section by
                          [<profile_name>].
    --assume-role arn:aws:iam::123456788990:role/RoleName
                          The ARN of the AWS IAM Role you would like to assume,
                          if specified. This value can also be provided via the
                          environment variable 'MFA_ASSUME_ROLE'
    --role-session-name ROLE_SESSION_NAME
                          Friendly session name required when using --assume-
                          role. By default, this is your local username.
Argument precedence: command line arguments take precedence over environment variables.
Usage examples
Run aws-mfa before running any script that uses the AWS SDK.
Using command line arguments:
    $> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman
    INFO - Using profile: default
    INFO - Your credentials have expired, renewing.
    Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):123456
    INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:07:09+00:00
Using environment variables:
    $> export MFA_DEVICE=arn:aws:iam::123456788990:mfa/dudeman
    $> aws-mfa --duration 1800
    INFO - Using profile: default
    INFO - Your credentials have expired, renewing.
    Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):123456
    INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:07:09+00:00

    $> export MFA_DEVICE=arn:aws:iam::123456788990:mfa/dudeman
    $> export MFA_STS_DURATION=1800
    $> aws-mfa
    INFO - Using profile: default
    INFO - Your credentials have expired, renewing.
    Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):123456
    INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:07:09+00:00
Output of running aws-mfa while the credentials are still valid:
    $> aws-mfa
    INFO - Using profile: default
    INFO - Your credentials are still valid for 1541.791134 seconds they will expire at 2015-12-21 23:07:09
Using profiles (profiles let you reference different sets of credentials, perhaps for different users or different regions):
    $> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman --profile development
    INFO - Using profile: development
    Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):666666
    INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:09:04+00:00
Using a profile set via the AWS_PROFILE environment variable:
    $> export AWS_PROFILE=development
    $> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman
    INFO - Using profile: development
    Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):666666
    INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:09:04+00:00
Assuming a role: assumes the role specified in the long-term configuration section:
    [default-long-term]
    aws_access_key_id = YOUR_LONGTERM_KEY_ID
    aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY
    assume_role = arn:aws:iam::123456788990:role/some-role

    $> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman --role-session-name some-role-session
Assuming a role using a profile:
    $> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman --profile development --assume-role arn:aws:iam::123456788990:role/some-role --role-session-name some-role-session
    INFO - Validating credentials for profile: development with assumed role arn:aws:iam::123456788990:role/some-role
    INFO - Obtaining credentials for a new role or profile.
    Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):123456
    INFO - Success! Your credentials will expire in 1800 seconds at: 2016-10-24 18:58:17+00:00
Assuming a role in multiple accounts, with the ability to use both accounts at the same time (i.e. production and staging):
    $> aws-mfa --profile myorganization --assume-role arn:aws:iam::222222222222:role/Administrator --short-term-suffix production --long-term-suffix none --role-session-name production
    INFO - Validating credentials for profile: myorganization-production with assumed role arn:aws:iam::222222222222:role/Administrator
    INFO - Your credentials have expired, renewing.
    Enter AWS MFA code for device [arn:aws:iam::111111111111:mfa/me] (renewing for 3600 seconds):123456
    INFO - Success! Your credentials will expire in 3600 seconds at: 2017-07-10 07:16:43+00:00

    $> aws-mfa --profile myorganization --assume-role arn:aws:iam::333333333333:role/Administrator --short-term-suffix staging --long-term-suffix none --role-session-name staging
    INFO - Validating credentials for profile: myorganization-staging with assumed role arn:aws:iam::333333333333:role/Administrator
    INFO - Your credentials have expired, renewing.
    Enter AWS MFA code for device [arn:aws:iam::111111111111:mfa/me] (renewing for 3600 seconds):123456
    INFO - Success! Your credentials will expire in 3600 seconds at: 2017-07-10 07:16:44+00:00

    $> aws s3 list-objects --bucket my-production-bucket --profile myorganization-production
    $> aws s3 list-objects --bucket my-staging-bucket --profile myorganization-staging