Python + shell script to streamline official AWS process for using MFA with the AWS CLI

Matches to: https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/

Note that you MUST source (or its synonym .) to change env vars in your current shell:

. aws-cli-mfa $AWS_MFA_ARN 123456
. aws-cli-mfa $AWS_MFA_ARN 123456 -p rogusdev -d 57600

Meaning, the period at the beginning of those lines above is a critical, vital part of using this application.

If using Fish, you will need to use a slight workaround due to how Fish's source command only resolves relative paths from the current directory:

. (which aws-cli-mfa) $AWS_MFA_ARN 123456

An easy way to test that everything is working is simply:

aws s3 ls

Note that aws cli commands will only work in the terminal you source-d this script in. If you want to use aws in other terminals, you will need to pass --profile mfa at the end ala aws s3 ls --profile mfa or you can export AWS_PROFILE=mfa in the appropriate profile/rc file to make that your default aws profile (for everything!).

You must have jq, python 3 (as python3), and the aws cli (as aws) available on your PATH in your shell.

You will pass, at a minimum, your AWS MFA ARN and the current MFA auth token from your 2fa/mfa authenticator app/device. This does not work with yubikeys/etc (per AWS docs). There are additional optional args to change the effects this script has on your system.

I recommend you have your AWS_MFA_ARN in your .bash_profile, .zshrc, or config.fish or as appropriate for your shell:

echo 'export AWS_MFA_ARN=arn:aws:iam::NUMBER:mfa/USERNAME' >> $HOME/.bash_profile

Or if using Fish:

echo 'set -x AWS_MFA_ARN arn:aws:iam::NUMBER:mfa/USERNAME' >> $HOME/.config/fish/config.fish

Replacing the number and username as appropriate. Your MFA ARN is on this page:
https://console.aws.amazon.com/iam/home?#/security_credentials

To see all the options, run the script with -h:

aws-cli-mfa -h

Use the correct shell for where you are going to use this:

AWS_CLI_MFA_SHELL=bash &&
wget https://raw.githubusercontent.com/rogusdev/aws-cli-mfa/main/bin/aws-cli-mfa-$AWS_CLI_MFA_SHELL -O aws-cli-mfa &&
  sudo mv aws-cli-mfa /usr/local/bin/ && sudo chmod +x /usr/local/bin/aws-cli-mfa

You might also need to install dependencies as well:

Installing jq and wget (in case you don't have wget to download this script as above):

brew install jq wget # osx
sudo apt-get install jq wget # debian/ubuntu
# etc

Installing aws: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html

Installing python3 can be done in a variety of ways, however I recommend using asdf: https://github.com/danhper/asdf-python

Clone the repo and create all shells' final aws-cli-mfa-* scripts and then copy your preference like so:

./build.sh && sudo cp ./bin/aws-cli-mfa-SHELL /usr/local/bin/aws-cli-mfa

Where SHELL is one of the available shell options: bash, zsh, ksh, fish

(For the curious, the -e "s///" gets rid of the #INSERT_PYTHON_CODE_HERE.)

Tests for the core python functionality to call the aws cli with the right args and parse the results:

python3 -m unittest tests.aws_cli_mfa_tests

Tests for the shell scripts that wrap around the python script to set env vars when sourced:

./tests/tests.sh && ./tests/tests.fish