aws-mfa-rotate
Simple CLI tool to rotate AWS CLI/SDK temporary credentials.
Installation
Prerequisites:
- npm installed.
- Node.js version 14.
- AWS CLI installed with its configuration files set up; see
Install command:
npm i -g @kkeian/aws-mfa-rotate
Example usage:
Rotate MFA credentials for the profile genericprofilename, passing the current one-time MFA token code (138239 here). The credentials expire after 1 hour.
aws-mfa rotate -p genericprofilename -t 138239 -d 1
Rotate MFA credentials for genericprofilename with the default expiry of 12 hours.
aws-mfa rotate -p genericprofilename -t 138239
Expected .aws files format:
- .aws/config file:
Should have at least 2 entries for the account used for MFA: one holding the long-lived access key pair, and one (same name suffixed with mfa) whose credential values are placeholders and which holds the mfa_serial:
[profile accountName]
aws_access_key_id = [keyId]
aws_secret_access_key = [secretKey]
region = [regionHere]
[profile accountNamemfa]
aws_access_key_id = [randomDummyValue]
aws_secret_access_key = [randomDummyValue]
aws_session_token = [randomDummyValue]
mfa_serial = [MfaArn]
region = [regionHere]
- .aws/credentials file
Should have at least 1 entry, the section the temporary credentials are written to (the placeholder values are overwritten on each rotation):
[accountNamemfa]
aws_access_key_id = [randomDummyValue]
aws_secret_access_key = [randomDummyValue]
aws_session_token = [randomDummyValue]
How it works:
- The long-lived AWS access key pair (the accountName profile in the example above) is used to authenticate with the AWS STS service.
- Once authenticated, a GetSessionToken request (the SDK's GetSessionTokenCommand) is sent to STS, carrying the mfa_serial from the accountNamemfa profile and the one-time MFA token code.
- A temporary access key id, secret access key, and session token are returned.
- The temporary credentials are written to the .aws/credentials file, replacing the placeholder values in the accountNamemfa section.
- A named profile in the .aws/credentials file always takes precedence over a named profile of the same name in .aws/config, so the duplicate dummy entry in .aws/config never supplies credentials; it exists only to hold the mfa_serial used to request the next temporary credential.
- Caveat: STS accepts a GetSessionToken duration between 15 minutes and 36 hours for IAM user credentials, so the value given with -d must stay within that range. Credentials returned by GetSessionToken cannot call GetSessionToken again (of the STS API, only AssumeRole and GetCallerIdentity are permitted), which is why the long-lived key pair has to remain in the accountName profile for the next rotation.
- You're able to use the AWS CLI/SDK with the accountNamemfa profile to connect to the AWS Account you generated temporary credentials for, along with any AWS Accounts configured with a role that can be assumed by the user you generated temporary credentials for.
- Note: if you intend to authenticate to other AWS Accounts via role assumption, you will need to configure that in the .aws/config file. This is done by specifying the source_profile key under the named profile of the AWS Account with the role to assume. The source_profile key needs to refer to the section name the temporary credentials were written to in the .aws/credentials file (accountNamemfa in the example above).
Contributing
General project structure:
- src: holds main logic of program.
- bin: holds command line interface configuration.
Feel free to submit a PR with improvements. This is a hobby project managed only by me, so don't expect a quick turnaround.