some_baseprofile: refers to the label name of a profile in ~/.aws/credentials or in ~/.aws/config.The utility scripts and their documentation can be found at the following URL: Īws -profile "some_baseprofile" sts get-session-token -serial-number "mfa_arn_associated_with_the_baseprofile" -duration "3600" -token-code "current_code_from_generator" -output "json"
I have created a set of scripts to manage the MFA sessions on the command line as my employer is moving to MFA enforcement also on the command line (with the enforcement enabled any tool that utilizes the access keys won't work unless it allows also the entry of the session token). This is supported, for example, by Cloudberry Explorer. These credentials are only valid for the validity period of the session. When an MFA session is initialized, AWS provides a new access key ID and a new secret access key (they are separate from the credentials of the profile the MFA session was started for) in addition to the session token. This is separate from the deletion token that can be set on S3 buckets, and when configured and enforced, it doesn't allow any access with given access key ID / secret access key unless a user is in MFA session (and so that the session token is also provided). When MFA is required/enforced in order to use for a given profile, it cannot be used with Cyberduck currently because Cyberduck doesn't allow the entry of the session token along with the standard AWS credentials.
0 kommentar(er)
