- Clone this repo
- cd to this folder
- git submodule init
- git submodule update
- git pull
- git submodule foreach git pull origin master
Because MFA-protected API access is currently inconvenient for CLI users, iSEC wrote several tools to help manage MFA-related credentials. These scripts leverage the "standardized" way to manage credentials described on the AWS Blog, and build on top of it to facilitate integration with the Security Token Service (STS) and MFA-protected API access.
This tool works similarly to the aws configure CLI tool, but saves values in a different file, .aws/credentials.no-mfa, instead of the standard .aws/credentials. It also allows users to configure their MFA serial token number, so that they no longer have to enter it every time they call the Security Token Service (STS).
./aws_configure
Similar to the AWS CLI, it supports profiles:
./aws_configure --profile isec
This tool reads credentials configured in the .aws/credentials.no-mfa file, prompts users for their MFA code, and retrieves STS credentials (AWS access key ID, AWS secret key, and session token).
./aws_init_session.py
The STS credentials are then saved under the "standardized" .aws/credentials file so that they are accessible to other tools such as the AWS CLI. After initializing their STS session, users of the AWS CLI can work as if MFA-protected API access were not in place:
aws iam list-users
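The two-file flow described above, as an added Python sketch that is not iSEC's own code: long-lived keys stay in credentials.no-mfa and only the STS session credentials are written to the standard credentials file. The function names, the injected get_session_token callable, the mfa_serial key name and all sample values are assumptions constructed for illustration.

```python
import configparser
import os
import tempfile

NO_MFA_FILE = "credentials.no-mfa"  # long-lived keys and MFA serial
STS_FILE = "credentials"            # short-lived session keys only

def init_session(aws_dir, profile, mfa_code, get_session_token):
    """Trade long-lived keys plus an MFA code for STS session credentials.

    get_session_token(key_id, secret, serial, code) is injected; in real use
    it would wrap an STS GetSessionToken call (SerialNumber, TokenCode) and
    return the "Credentials" member of the response.
    """
    long_lived = configparser.ConfigParser(interpolation=None)
    if not long_lived.read(os.path.join(aws_dir, NO_MFA_FILE)):
        raise FileNotFoundError(NO_MFA_FILE)
    src = long_lived[profile]
    creds = get_session_token(src["aws_access_key_id"],
                              src["aws_secret_access_key"],
                              src["mfa_serial"],  # key name is an assumption
                              mfa_code)
    target = os.path.join(aws_dir, STS_FILE)
    out = configparser.ConfigParser(interpolation=None)
    out.read(target)  # keep other profiles' sessions untouched
    out[profile] = {"aws_access_key_id": creds["AccessKeyId"],
                    "aws_secret_access_key": creds["SecretAccessKey"],
                    "aws_session_token": creds["SessionToken"]}
    # Create with 0600 so session keys are never group- or world-readable.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        out.write(fh)
    os.chmod(target, 0o600)  # also tighten a pre-existing file
    return dict(out[profile])

def demo():
    """Run the flow on constructed keys with a stand-in for the STS call."""
    def fake_sts(key_id, secret, serial, code):
        if not (code.isdigit() and len(code) == 6):
            raise ValueError("MFA code must be six digits")
        return {"AccessKeyId": "ASIAEXAMPLESESSION",
                "SecretAccessKey": "session-secret",
                "SessionToken": "session-token"}
    aws_dir = tempfile.mkdtemp()
    with open(os.path.join(aws_dir, NO_MFA_FILE), "w") as fh:
        fh.write("[isec]\naws_access_key_id = AKIAEXAMPLELONGLIVED\n"
                 "aws_secret_access_key = long-lived-secret\n"
                 "mfa_serial = arn:aws:iam::123456789012:mfa/alice\n")
    return aws_dir, init_session(aws_dir, "isec", "123456", fake_sts)
```

Calling demo() returns the temporary directory and the session profile that was written, so the resulting credentials file can be inspected for contents and permissions.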
Because credential rotation is important, and because it is almost always overlooked by AWS users, iSEC created a tool that does it for you. When you run this tool, a new access key will be generated and stored in your .aws/credentials.no-mfa file. An STS session using these new credentials will be initialized and your old access key will be deleted.
./aws_rotate_my_key.py