
Every time I want to get a new AWS session, I must open my Authy device to get a token code, so I can use it in my script and generate AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN.

I'm wondering if there is a way to automate the token-code generation.

That would help me a lot to automate my process.

Thank you for your help.



That depends on your token generator.

Nothing is stopping you from generating a token with a specific library, e.g. [1].
However, this is not secure, since you are storing your secret on your machine.
Thus, you have to decide how you can minimize the attack vector when using automated MFA generation.

What I am doing: I use a YubiKey [2] and plug it into my USB port whenever I have to perform a code generation. Yubico provides ykman [3], a special binary, which you can download and execute in your shell script. Very easy to implement in conjunction with the AWS CLI.

Overview of the process:
shell script --> call `ykman oath code <secret-id>` --> Yubico generates the code and passes it back via USB --> pass the code to the AWS CLI commands in your shell script

Note: There is a special option `ykman oath add --touch <secret-id>` which requires a touch on the YubiKey to generate codes. This further reduces attack vectors, because a simple human action is needed to start code generation.

References

[1] https://www.npmjs.com/package/otplib
[2] https://www.yubico.com/products/yubikey-hardware/
[3] https://support.yubico.com/support/solutions/articles/15000012643-yubikey-manager-cli-ykman-user-manual#ykman_oath_code8cqziu

Martin Löper
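As an added example (not code from the question or the answer above), the following Python script wires the two halves of the answer together: it fetches the current code from the YubiKey with `ykman oath code <account>`, passes it to `aws sts get-session-token`, and prints the three environment variables the question asks for. It also contains a plain RFC 6238 TOTP routine to make the answer's first point concrete: this is all a library such as otplib does, so anyone who can read the stored secret can mint valid codes, which is exactly what keeping the secret on the YubiKey avoids. Assumptions that are not in the original post: `ykman` and `aws` are on `PATH`, the MFA device ARN is supplied in `AWS_MFA_SERIAL`, the OATH account name on the YubiKey is supplied in `YK_OATH_ACCOUNT`, and the account names, ARN and JSON in the tests are constructed sample data. Newer ykman releases spell the command `ykman oath accounts code`; pass that as the `ykman` argument if yours does.

```python
"""Added example: YubiKey OATH-TOTP code -> aws sts get-session-token -> env vars.

Assumed (not from the original post): ykman and the AWS CLI are on PATH,
$AWS_MFA_SERIAL holds the MFA device ARN, $YK_OATH_ACCOUNT the OATH account
name on the key. Run as:  eval "$(python3 aws_mfa_session.py)"
"""
import base64
import hashlib
import hmac
import json
import os
import re
import shlex
import struct
import subprocess
import time


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, i.e. what a library like otplib computes.
    Whoever can read secret_b32 can run this too, which is why the answer
    objects to keeping the secret on the machine that runs the script."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def parse_ykman_code(output, account):
    """Extract the 6-8 digit code from `ykman oath code <query>` output.
    Accepts both the `name  code` lines of older ykman versions and a bare
    code (ykman --single). The account name must match so that a query that
    hits several accounts cannot hand back another entry's code."""
    for line in output.splitlines():
        parts = line.split()
        if not parts or not re.fullmatch(r"\d{6,8}", parts[-1]):
            continue
        if len(parts) == 1 or account in " ".join(parts[:-1]):
            return parts[-1]
    raise ValueError(f"no TOTP code for {account!r} in ykman output")


def yubikey_code(account, ykman=("ykman", "oath", "code")):
    """Ask the YubiKey for the current code. If the account was added with
    --touch, ykman blocks here until the key is touched."""
    proc = subprocess.run([*ykman, account], capture_output=True, text=True, check=True)
    return parse_ykman_code(proc.stdout, account)


def session_env(sts_json):
    """Map the JSON printed by `aws sts get-session-token` to env var names."""
    creds = json.loads(sts_json)["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
        "AWS_SESSION_EXPIRATION": creds["Expiration"],
    }


def get_session(mfa_serial, account, duration=3600):
    """Full flow: code from the YubiKey, then STS. Must run with the long-term
    keys; an AWS_SESSION_TOKEN left in the environment makes STS reject it."""
    env = {k: v for k, v in os.environ.items() if k != "AWS_SESSION_TOKEN"}
    code = yubikey_code(account)
    proc = subprocess.run(
        ["aws", "sts", "get-session-token", "--serial-number", mfa_serial,
         "--token-code", code, "--duration-seconds", str(duration),
         "--output", "json"],
        capture_output=True, text=True, check=True, env=env)
    return session_env(proc.stdout)


if __name__ == "__main__":
    result = get_session(os.environ["AWS_MFA_SERIAL"],
                         os.environ.get("YK_OATH_ACCOUNT", "aws"))
    for name, value in result.items():      # shell-safe export lines for eval
        print(f"export {name}={shlex.quote(value)}")
```

The session credentials only ever reach the shell through `eval`, so nothing is written to disk; combine this with an OATH account added with `--touch` and the script cannot obtain a code without someone physically present at the key.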
  • Hi Martin, thank you for your response. I'm gonna try this solution! – Sami Boukhris Aug 12 '19 at 08:07
  • I'm using this exact approach, but store my secret in a separate keychain on my macOS. I have to unlock that keychain once per terminal session to read the secure note containing the secret. This setup balances security and convenience nicely for me, but of course your mileage might vary... – Stefan Haberl Nov 25 '22 at 08:19