I enabled MFA for an AWS user and it works when the user signs in to the AWS Console. However, this user can also access all services via the CLI (by access key and secret key). Does that mean the CLI will always bypass MFA, even if it is enabled for this user?
2 Answers
You can enable MFA on API access, but any services using those credentials, including the CLI, have to use temporary security credentials (i.e. you make an AssumeRole call providing your access key, secret and MFA token, and it returns temporary access keys which are valid for as long as the MFA auth is valid).
Having said that, it's generally considered best practice to separate your "Sign-In" accounts (i.e. those you log into via the AWS console) from your "Access Credential" accounts (i.e. where the API keys are used within other software).
Your "Sign-In" accounts should have MFA enabled but no Access Credentials. You use this account to create other "Access Credential" users which have limited access to only the services/functions you specifically need to access.

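The AssumeRole exchange the answer describes, as an added example that is not part of the original answer: it calls STS AssumeRole with the MFA device serial and the current TOTP code, returns the temporary credentials for the CLI or SDK to use, and also shows the IAM policy condition (aws:MultiFactorAuthPresent) that denies API calls made with the long-lived access key alone, which is what makes "MFA on API access" enforceable. The account number, role ARN and MFA device ARN are placeholders, FakeSts is a constructed stand-in for the boto3 STS client so the code runs offline, and assume_role_with_mfa, credentials_to_env_exports and mfa_required_policy are hypothetical helper names, not AWS APIs.

```python
"""Added example (not from the original answer): MFA-backed temporary credentials
via STS AssumeRole, plus the IAM policy that makes a plain access key useless
without MFA. Role/MFA ARNs below are placeholders."""
from datetime import datetime, timedelta, timezone

ROLE_ARN = "arn:aws:iam::123456789123:role/my_admin_role"   # placeholder
MFA_SERIAL = "arn:aws:iam::123456789123:mfa/my_iam_user"    # placeholder


def assume_role_with_mfa(sts_client, role_arn, mfa_serial, token_code,
                         session_name="cli-mfa-session", duration_seconds=3600):
    """Call AssumeRole with SerialNumber/TokenCode and return the temporary
    credential fields. sts_client is anything with a boto3-style assume_role()
    method, so a real boto3.client("sts") or the FakeSts below can be passed."""
    if not (token_code.isdigit() and len(token_code) == 6):
        raise ValueError("MFA token code must be six digits")
    resp = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        SerialNumber=mfa_serial,      # the MFA device ARN from the IAM console
        TokenCode=token_code,         # the current code from that device
        DurationSeconds=duration_seconds,
    )
    creds = resp["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
    }


def credentials_to_env_exports(creds):
    """Render temporary credentials as the environment variables the CLI/SDKs read."""
    return "\n".join([
        f"export AWS_ACCESS_KEY_ID={creds['aws_access_key_id']}",
        f"export AWS_SECRET_ACCESS_KEY={creds['aws_secret_access_key']}",
        f"export AWS_SESSION_TOKEN={creds['aws_session_token']}",
    ])


def mfa_required_policy():
    """IAM policy document denying every call made without MFA, except the calls a
    user needs to enrol a device and to mint an MFA-backed session for itself.
    BoolIfExists also matches requests that carry no MFA key at all, i.e. plain
    long-lived key requests, so those are denied too."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllWithoutMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                "iam:ListMFADevices", "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice", "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }


class FakeSts:
    """Constructed stand-in for the boto3 STS client so the flow runs offline;
    records the call and returns the shape of a real AssumeRole response."""
    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        expiry = datetime.now(timezone.utc) + timedelta(seconds=kwargs["DurationSeconds"])
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLEKEY",
            "SecretAccessKey": "example-secret",
            "SessionToken": "example-session-token",
            "Expiration": expiry,
        }}


if __name__ == "__main__":
    # Against real AWS: needs boto3 and the source user's long-lived key configured.
    import getpass
    import boto3
    temp = assume_role_with_mfa(boto3.client("sts"), ROLE_ARN, MFA_SERIAL,
                                getpass.getpass("Enter MFA code: "))
    print(credentials_to_env_exports(temp))
```

Run the module directly to be prompted for the code and print export lines you can eval into a shell; the temporary key is the only thing that should ever leave the machine, and it expires with the MFA session.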
Adding a new answer as this situation has changed somewhat. The CLI can manage a lot of this for you if you're using roles. Described here: http://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html
In my credentials file I have:
[my_iam_user]
aws_access_key_id = AKIABLAHBLAHBLAHBLAH
aws_secret_access_key = <blah>
region = us-east-1
[my_admin_role]
role_arn = arn:aws:iam::123456789123:role/my_admin_role
source_profile = my_iam_user
mfa_serial = arn:aws:iam::123456789123:mfa/my_iam_user
region = us-east-1
Note the mfa_serial entry. You can get this value from your user details in the AWS IAM console. This entry tells the CLI that MFA is required for that role.
When I call aws s3 ls --profile my_admin_role it says Enter MFA code:, and after I paste in the code it returns the listing.
Note: I haven't found a way to get the CLI to ask for MFA when calling a user profile (--profile my_iam_user); only calling a role profile triggers the MFA request.
The MFA token is then carried forward and the user profile can be used as well:
aws sts get-caller-identity --profile my_iam_user
# {
# "Account": "123456789123",
# "UserId": "AIDABLAHBLAHBLAHBLAH",
# "Arn": "arn:aws:iam::123456789123:user/my_iam_user"
# }
aws sts get-caller-identity --profile my_admin_role
# {
# "Account": "123456789123",
# "UserId": "AROABLAHBLAHBLAHBLAH:AWS-CLI-session-1234567890",
# "Arn": "arn:aws:sts::123456789123:assumed-role/my_admin_role/AWS-CLI-session-1234567890"
# }

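A check for the configuration the answer above describes, as an added example that is not part of the original answer: it parses an AWS CLI credentials/config file and flags any role profile without an mfa_serial (such a role can be assumed with the source key alone) and any long-lived access key that is not merely the source_profile of an MFA-gated role. SAMPLE_CREDENTIALS is a constructed copy of the file shown in the answer; parse_profiles and audit_profiles are hypothetical helper names.

```python
"""Added example (not from the original answer): lint AWS CLI profiles so every
role profile is MFA-gated and long-lived keys only feed such roles."""
import configparser
import re

# Constructed copy of the credentials file shown in the answer above.
SAMPLE_CREDENTIALS = """\
[my_iam_user]
aws_access_key_id = AKIABLAHBLAHBLAHBLAH
aws_secret_access_key = <blah>
region = us-east-1

[my_admin_role]
role_arn = arn:aws:iam::123456789123:role/my_admin_role
source_profile = my_iam_user
mfa_serial = arn:aws:iam::123456789123:mfa/my_iam_user
region = us-east-1
"""

MFA_ARN = re.compile(r"^arn:aws:iam::\d{12}:mfa/[\w+=,.@-]+$")
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def parse_profiles(text):
    """Parse INI-style profiles. The CLI config file prefixes non-default sections
    with 'profile ', the credentials file does not; both spellings are normalised."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    profiles = {}
    for section in cp.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(cp[section])
    return profiles


def audit_profiles(profiles):
    """Return (profile, finding) pairs; an empty list means every role profile has a
    well-formed mfa_serial and every long-lived key is only a source for such a role."""
    findings = []
    mfa_gated_sources = set()
    for name, p in profiles.items():
        if "role_arn" not in p:
            continue  # plain user profile; checked in the second pass
        if not ROLE_ARN.match(p["role_arn"]):
            findings.append((name, "role_arn is not a well-formed IAM role ARN"))
        mfa_ok = "mfa_serial" in p and bool(MFA_ARN.match(p["mfa_serial"]))
        if "mfa_serial" not in p:
            findings.append((name, "role profile has no mfa_serial; the role can be "
                                   "assumed with the source key alone"))
        elif not mfa_ok:
            findings.append((name, "mfa_serial is not a well-formed MFA device ARN"))
        src = p.get("source_profile")
        if src is None:
            findings.append((name, "role profile has no source_profile"))
        elif src not in profiles:
            findings.append((name, f"source_profile {src!r} does not exist"))
        elif mfa_ok:
            mfa_gated_sources.add(src)
    for name, p in profiles.items():
        if "aws_access_key_id" in p and name not in mfa_gated_sources:
            findings.append((name, "long-lived access key that no MFA-gated role "
                                   "profile uses as its source"))
    return findings


if __name__ == "__main__":
    for profile, msg in audit_profiles(parse_profiles(SAMPLE_CREDENTIALS)) or [("-", "no findings")]:
        print(f"{profile}: {msg}")
```

Point it at ~/.aws/credentials or ~/.aws/config by reading the file into parse_profiles; a clean result on the answer's file is expected, and removing the mfa_serial line produces two findings (the ungated role and the user key it exposes).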