Keep your AWS credentials file up to date with MFA-carrying credentials https://github.com/TaktInc/aws-mfa-credentials
|Latest on Hackage:||0.1.0.0|
This package is not currently in any snapshots. If you're interested in using it, we recommend adding it to Stackage Nightly. Doing so will make builds more reliable, and allow stackage.org to host generated Haddocks.
Keep your AWS credentials file up to date with MFA-carrying temporary credentials
aws-mfa-credentials --mfa-serial-number SERIAL_NUMBER
See Locking protcol for important information about avoiding data loss!
From the API reference for GetSessionToken:
SerialNumber: The identification number of the MFA device that is associated with the IAM user who is making the GetSessionToken call. Specify this value if the IAM user has a policy that requires MFA authentication. The value is either the serial number for a hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). You can find the device for an IAM user by going to the AWS Management Console and viewing the user's security credentials.
--duration DURATION_SECONDS The lifetime of the credentials. Defaults to AWS default (43200 at the time of this writing).
--profile PROFILE The name of the profile whose credentials we're managing. Defaults to 'default'.
--refresh-lead-time LEAD_SECONDS The amount of time before credential expiry to refresh the credentials. Defaults to 300.
PATH: A program named
ssh-askpass, accepting a prompt as an argument and outputting a password to stdout, must be available on the path.
HOME: The home directory containing the
aws-mfa-credentials will request an MFA code from the user using
ssh-askpass, request temporary credentials from Amazon, and update the credentials file with the temporary credentials.
The new credentials are placed into a profile named
PROFILE-mfa, e.g. when the
--profile flag is not given they are placed in
default-mfa. Use the
AWS_PROFILE environment variable or other profile-specifying mechanisms to use the credentials.
aws-mfa-credentials exits on any error, you may want to run it in a retry loop (with backoff).
To allow safe usage of multiple instances of
aws-mfa-credentials in parallel, a locking protocol is used for the credentials file: An exclusive fcntl lock is held on the file
$HOME/.aws/.credentials.lock when writing (and thus data read before the lock is obtained must be rechecked within the lock).
Unfortunately, the AWS cli and other tools do not respect this protocol. Therefore, if you are modifying the credentials file in any way besides
aws-mfa-credentials, you should either
stop any existing instances of
aws-mfa-credentials or obtain the lock yourself. Credential loss may occur if this is not followed!
Revision history for aws-mfa-credentials
0.1.0.0 -- 2017-05-19
- Initial release.