I use the aws cli, and protect it using a YubiKey.
- Install the aws cli (`pip install awscli`)
- Install ykman (`brew install ykman`)
- Create a user with programmatic access using the AWS management console. I called my user `pokey-macbook`.
- Configure the user to have a policy like the following:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*",
        "Condition": {
          "NumericLessThan": { "aws:MultiFactorAuthAge": "21600" }
        }
      },
      {
        "Effect": "Allow",
        "Action": ["iam:GetUser", "iam:ListMFADevices"],
        "Resource": "*"
      }
    ]
  }
  ```

  This gives the user full account privileges for 6 hours (21600 seconds) after MFA has been activated, and otherwise just the ability to get info about itself and to list MFA devices: when a request was not made with MFA, `aws:MultiFactorAuthAge` is absent from the request context, so the `NumericLessThan` condition evaluates to false and the first statement does not apply. This policy was based on the one described in the phrase/aws-mfa repo. You may prefer to have a more conservative policy that only allows access to specific resources.
- Start setting up the user with a virtual MFA device. When it shows you the barcode, click on "Show secret key for manual configuration" and copy the long string.
- Run `ykman oath add -t aws-<PROFILE>`, and paste the string when prompted. This sets up your YubiKey to behave like a virtual MFA device.
- Run `ykman oath code -s aws-<PROFILE>` a couple of times, waiting as necessary, to get codes to enter into the AWS management console.
- Run `aws configure --profile <PROFILE>` and paste in the values from the console.
When you need to use the aws cli or the aws api (e.g. via boto3) in a particular shell, use `awm <PROFILE>`. It supports tab completion using fzf. This wraps the awsmfa script to set environment variables that activate the profile in that specific shell for the next 6 hours. Note that any command you type in this shell will have access to these environment variables, so only run commands you trust.
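The exchange that happens behind `awm` (TOTP from the YubiKey, then `sts get-session-token` for 6-hour credentials, then exports into the current shell), as an added example of a minimal stand-in for the awsmfa script, not the script itself. It assumes the aws cli and ykman are on PATH, the profile `<PROFILE>` exists, and the OATH credential is named `aws-<PROFILE>` as set up above.

```python
#!/usr/bin/env python3
# Added example: a minimal stand-in for the awsmfa script the post wraps (not the
# original script). Assumes the aws cli and ykman are on PATH, the profile
# <PROFILE> is configured, and the OATH credential is named aws-<PROFILE>.
import json
import shlex
import subprocess
import sys

MFA_DURATION = 21600  # seconds; matches aws:MultiFactorAuthAge < 21600 in the policy


def run(cmd):
    """Run a command and return its stdout, raising on a non-zero exit."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def mfa_serial(profile):
    """Look up the user's MFA device ARN. iam:ListMFADevices is allowed without
    MFA by the policy's second statement, so this call works before a session exists."""
    out = run(["aws", "iam", "list-mfa-devices", "--profile", profile, "--output", "json"])
    devices = json.loads(out)["MFADevices"]
    if len(devices) != 1:
        raise SystemExit(f"expected exactly one MFA device, found {len(devices)}")
    return devices[0]["SerialNumber"]


def totp_code(profile):
    """Ask the YubiKey for the current code (the -t credential requires a touch)."""
    code = run(["ykman", "oath", "code", "-s", f"aws-{profile}"]).strip()
    if not (code.isdigit() and len(code) == 6):
        raise SystemExit(f"unexpected TOTP output: {code!r}")
    return code


def session_credentials(profile):
    """Exchange the long-lived keys plus a TOTP code for MFA-backed session credentials."""
    out = run(["aws", "sts", "get-session-token", "--profile", profile, "--output", "json",
               "--serial-number", mfa_serial(profile),
               "--token-code", totp_code(profile),
               "--duration-seconds", str(MFA_DURATION)])
    return json.loads(out)["Credentials"]


def export_lines(creds):
    """Turn an STS Credentials dict into shell export statements (pure; testable)."""
    mapping = {"AWS_ACCESS_KEY_ID": "AccessKeyId",
               "AWS_SECRET_ACCESS_KEY": "SecretAccessKey",
               "AWS_SESSION_TOKEN": "SessionToken"}
    return [f"export {var}={shlex.quote(creds[key])}" for var, key in mapping.items()]


if __name__ == "__main__":
    # Usage from a shell:  eval "$(python3 awsmfa.py <PROFILE>)"
    print("\n".join(export_lines(session_credentials(sys.argv[1]))))
```

Because the output is `eval`ed, the credentials land only in the shell that ran it, which is exactly the scoping the post describes (and why every command in that shell can read them).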