AWS CLI Configuration With MFA In A Linux Machine

Kannan Ramaswamy
Technology Specialist
June 12, 2018

Configuring AWS CLI settings on a Linux machine is always a challenge. This step-by-step article explains how to configure the AWS CLI with MFA in Linux. Python is a prerequisite for the AWS CLI, so let's start by installing Python.

AWS CLI Configuration Steps

1. Install Python 2.6.5 or higher
Command to install Python: $ yum install python -y
Check Python version: $ python --version

2. Install Pip
Download the installation script from pypa.io by executing the command curl -O https://bootstrap.pypa.io/get-pip.py
Run the downloaded script with python get-pip.py. This installs the latest version of pip with required packages.
Check Pip version: $ pip --version

3. Install AWS CLI using pip
Command to install AWS CLI: $ pip install awscli
Check AWS CLI version: $ aws --version

4. Establish connection between workstation and AWS
Step 1: Command: $ aws configure
Step 2: Provide the following inputs: Access key, Secret key, Region and the format of the output.

For non-MFA users, the above steps establish a connection between the workstation and AWS. To check whether the connection has been established, a non-MFA user can use the following command.
aws s3 ls
However, an MFA user must follow the steps below in addition to the ones above in order to establish a connection between the workstation and AWS. Enter the following command to get the temporary credentials.
$ aws sts get-session-token --serial-number arn:aws:iam::999999999999:mfa/kannan.ramasamy --token-code 99999

Once the above command has been executed, the user will receive an output with temporary credentials and their expiration time (by default, 12 hours), in a format similar to the one below.

{
    "Credentials": {
        "SecretAccessKey": "Qz...",
        "SessionToken": "FQo....OUba/s4/xx/xxx+xxx",
        "Expiration": "2018-05-30T19:49:07Z",
        "AccessKeyId": "XXXX"
    }
}

5. If the user wishes to have the temporary credentials only till he/she closes the window, the user must execute the below commands

export AWS_ACCESS_KEY_ID="AccessKeyID"
export AWS_SECRET_ACCESS_KEY="SecretKey"
export AWS_SESSION_TOKEN="SessionToken"

6. If the user wants to use the temporary credentials for 12 hours he/she must follow certain additional steps
vi ~/.aws/credentials

vi ~/.aws/config

Once all the steps have been followed the MFA user would have established a connection between his/her workstation and AWS.

Execute the following command to verify the configuration: aws s3 ls --profile mfa-role
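
One way to carry out step 6 with the temporary credentials from step 4, as an added example rather than the article's own file contents (those are not shown on the page). The function name write_mfa_profile, the choice to store the keys under the mfa-role profile in ~/.aws/credentials, and all sample values are assumptions.

```sh
#!/bin/sh
# Added example, not from the article: save get-session-token output under a profile.
# The function name and all sample values are constructed for illustration.
#
# Real use (needs the AWS CLI and network; MFA_ARN and CODE are placeholders):
#   line="$(aws sts get-session-token --serial-number "$MFA_ARN" --token-code "$CODE" \
#     --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
#     --output text)"
#   write_mfa_profile mfa-role "$HOME/.aws/credentials" "$line"

# $1 = profile name, $2 = credentials file, $3 = tab-separated key/secret/token/expiry.
# The body runs in a subshell, so IFS, umask and variables do not leak to the caller.
write_mfa_profile() (
  profile="$1" file="$2"
  IFS="$(printf '\t')"
  read -r key secret token expiry <<EOF
$3
EOF
  # Refuse partial input rather than writing a half-empty profile.
  if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
    echo "write_mfa_profile: incomplete credentials" >&2
    exit 1
  fi
  umask 077                       # new files readable by the owner only
  mkdir -p "$(dirname "$file")"
  touch "$file"
  tmp="$(mktemp "$file.XXXXXX")"
  # Copy every section except the one being replaced, so stale keys are dropped.
  awk -v p="[$profile]" '/^\[/ { skip = ($0 == p) } !skip { print }' "$file" >"$tmp"
  {
    printf '[%s]\n' "$profile"
    printf 'aws_access_key_id = %s\n' "$key"
    printf 'aws_secret_access_key = %s\n' "$secret"
    printf 'aws_session_token = %s\n' "$token"
    printf '# expires %s\n' "$expiry"
  } >>"$tmp"
  chmod 600 "$tmp"
  mv "$tmp" "$file"               # swap in the finished file in one step
)

# Demo on constructed values, written to a scratch directory.
demo_dir="$(mktemp -d)"
write_mfa_profile mfa-role "$demo_dir/credentials" \
  "$(printf 'ASIAEXAMPLE\tsecretEXAMPLE\ttokenEXAMPLE\t2018-05-30T19:49:07Z')"
cat "$demo_dir/credentials"
```

Because the section is replaced rather than appended, re-running the function after the 12 hours expire leaves exactly one mfa-role entry and keeps the long-term keys under [default] untouched.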
