set-aws-mfa-credentials.md

File metadata and controls

105 lines (79 loc) · 3.07 KB

How to set AWS multi-factor authentication (MFA) credentials

Pre-test

In a pre-test, verify that an EC2 instance cannot be launched without multi-factor authentication.

  1. ✏️ Specify an AWS AMI to launch. Example:

    export AWS_IMAGE_ID=ami-0d592b9373fad0e2c
  2. ✏️ Identify the key pair to be used with the running image. See AWS Console EC2 Key pairs. Example:

    export SENZING_AWS_KEYPAIR=aws-default-key-pair
  3. Try launching the image. NOTE: As a pre-test, this should fail. Example:

    aws ec2 run-instances \
      --image-id ${AWS_IMAGE_ID} \
      --count 1 \
      --instance-type t2.micro \
      --key-name ${SENZING_AWS_KEYPAIR}
  4. Verify that the EC2 instance is not running. See the AWS EC2 console.

Obtain AWS session credentials

  1. ✏️ Identify the AWS multi-factor authentication serial number for the device supplying the MFA token. Registered devices are listed under AWS My security credentials. Example:

    export AWS_MFA_SERIAL_NUMBER="arn:aws:iam::nnnnnnnnnnnn:mfa/xxxxxxxx"
  2. ✏️ Get the MFA token from the device supplying the MFA token. Note: This token is short-lived, perhaps valid for only one minute, so the next step must be performed immediately afterwards, while the token value is still valid. Example:

    export AWS_MFA_TOKEN_CODE=nnnnnn
  3. Get session information from AWS and place it in the ~/aws-sts-get-session-token.json file. Example:

    aws sts get-session-token \
      --serial-number ${AWS_MFA_SERIAL_NUMBER} \
      --token-code ${AWS_MFA_TOKEN_CODE} \
      > ~/aws-sts-get-session-token.json
  4. Parse the values out of the AWS session information and place them in environment variables. Example:

    export AWS_ACCESS_KEY_ID=$(jq --raw-output ".Credentials.AccessKeyId" ~/aws-sts-get-session-token.json)
    export AWS_SECRET_ACCESS_KEY=$(jq --raw-output ".Credentials.SecretAccessKey" ~/aws-sts-get-session-token.json)
    export AWS_SESSION_TOKEN=$(jq --raw-output ".Credentials.SessionToken" ~/aws-sts-get-session-token.json)
  5. 🤔 Optional: View expiration time of AWS session. Example:

    echo "AWS token expires: $(jq --raw-output ".Credentials.Expiration" ~/aws-sts-get-session-token.json)"
  6. 🤔 Optional: View AWS session token. Example:

    echo ${AWS_SESSION_TOKEN}
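The following helper is an added example and not part of the Senzing page: it covers steps 4 and 5 above in one validated pass, parsing the get-session-token JSON, refusing to emit credentials whose Expiration has already passed, and checking the shape of an MFA code before an STS call is spent on it. The sample JSON is constructed with fake values, and the script name aws_mfa_exports.py is assumed.

```python
import json
import re
import shlex
import sys
from datetime import datetime, timezone

# Constructed sample shaped like the AWS CLI's JSON output; every value is fake.
SAMPLE_STS_OUTPUT = """{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE12",
        "SecretAccessKey": "constructedSecretAccessKey/NotReal+0000000000",
        "SessionToken": "constructedSessionToken/NotReal==",
        "Expiration": "2030-01-01T12:00:00+00:00"
    }
}"""
REQUIRED_KEYS = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")

def token_code_is_valid(code):
    """Check the shape of the MFA code before spending an STS call on it."""
    return re.fullmatch(r"[0-9]{6}", code) is not None

def parse_time(value):
    """Parse the CLI's ISO 8601 timestamp, tolerating a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def seconds_remaining(sts_json, now_iso=None):
    """Seconds until Expiration; zero or negative once the session has expired."""
    creds = json.loads(sts_json)["Credentials"]
    now = parse_time(now_iso) if now_iso else datetime.now(timezone.utc)
    return int((parse_time(creds["Expiration"]) - now).total_seconds())

def export_lines(sts_json, now_iso=None):
    """Return shell `export` lines, refusing incomplete or expired sessions."""
    creds = json.loads(sts_json)["Credentials"]
    missing = [k for k in REQUIRED_KEYS if k not in creds]
    if missing:
        raise ValueError(f"STS output lacks {missing}")
    if seconds_remaining(sts_json, now_iso) <= 0:
        raise ValueError("session credentials have expired; request new ones")
    return [
        f"export AWS_ACCESS_KEY_ID={shlex.quote(creds['AccessKeyId'])}",
        f"export AWS_SECRET_ACCESS_KEY={shlex.quote(creds['SecretAccessKey'])}",
        f"export AWS_SESSION_TOKEN={shlex.quote(creds['SessionToken'])}",
    ]

if __name__ == "__main__":
    # Usage: eval "$(python3 aws_mfa_exports.py ~/aws-sts-get-session-token.json)"
    with open(sys.argv[1]) as fh:
        print("\n".join(export_lines(fh.read())))
```

The ~/aws-sts-get-session-token.json file holds the secret access key and session token in clear text, so it deserves the same file permissions as ~/.aws/credentials.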

Launch EC2

  1. ✏️ Launch EC2. This should now work because the environment variables contain the session credentials obtained above. Example:

    aws ec2 run-instances \
      --image-id ${AWS_IMAGE_ID} \
      --count 1 \
      --instance-type t2.micro \
      --key-name ${SENZING_AWS_KEYPAIR}
  2. Verify that the EC2 instance is running. See the AWS EC2 console.