Reputation: 715
Is there a way to access a cross account from AWS credentials which have MFA enabled?
I am able to switch accounts from the AWS management console; I want to do the same from the CLI.
I tried updating the .aws/config file as per the link below.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-cli.html
Getting an error: The config profile (CrossAccountSignin) could not be found. Please advise.
Upvotes: 0
Views: 1201
Reputation: 6428
There are two parts to this - the ~/.aws/credentials file and the ~/.aws/config file.
Let's say you have an IAM user my-user-id in account 987654321098 and want to assume a role called my-assumed-role in account 0123456789012.
The ~/.aws/credentials file contains a profile with the IAM Command Line User credentials - access key id and secret access key - from my-user-id. For example:
[default]
aws_access_key_id=AKIAABCDEFGHIJKLMNOPQR
aws_secret_access_key=SeCrEtKeY
region=ap-southeast-2
output=json
The ~/.aws/config file contains a profile with the ARN of the cross account role and the IAM User's MFA serial number, along with any other session options. For example:
[profile cross-account-role]
role_arn = arn:aws:iam::123456789012:role/my-assumed-role
source_profile = default
mfa_serial = arn:aws:iam::987654321098:mfa/my-user-id
region=ap-southeast-2
s3 =
    signature_version = s3v4
role_session_name = my-session
To assume the cross account role with the CLI we append the profile of the role from ~/.aws/config, e.g. --profile cross-account-role, to the command.
As the source_profile is default, it will use the credentials of the IAM user my-user-id with MFA from account 987654321098 to assume the my-assumed-role role in the target account 0123456789012.
For example:
myuser@myost:~$ aws sts get-caller-identity --profile cross-account-role
Enter MFA code for arn:aws:iam::987654321098:mfa/my-user-id:
{
"UserId": "AROAABCDEFGHIJKLMNOPQR:my-user-id",
"Account": "0123456789012",
"Arn": "arn:aws:sts::0123456789012:assumed-role/my-assumed-role/my-session"
}
The CLI will prompt you to enter your MFA code and then provide the output. The session will last by default for 60 minutes and it is cached. During this time any further CLI commands will not need to prompt again for an MFA code.
Upvotes: 0
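As an added example (not part of the answer above, and not AWS code), the following Python script resolves a profile name the way the CLI's two-file convention does and reproduces the asker's "could not be found" error, including the case where a role profile is written with a bare `[name]` header in ~/.aws/config, which the CLI only accepts in ~/.aws/credentials. The file contents, key values and the fallback to `default` when `source_profile` is absent are constructed for the example.

```python
import configparser

# Constructed sample files mirroring the answer's layout; key values are placeholders.
CREDENTIALS_TEXT = """
[default]
aws_access_key_id = AKIAEXAMPLEKEYID
aws_secret_access_key = EXAMPLESECRETKEY
"""

CONFIG_TEXT = """
[profile cross-account-role]
role_arn = arn:aws:iam::123456789012:role/my-assumed-role
source_profile = default
mfa_serial = arn:aws:iam::987654321098:mfa/my-user-id
region = ap-southeast-2
role_session_name = my-session

[CrossAccountSignin]
role_arn = arn:aws:iam::123456789012:role/my-assumed-role
source_profile = default
"""


def _parse(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def resolve_profile(name, config_text=CONFIG_TEXT, credentials_text=CREDENTIALS_TEXT):
    """Describe how the CLI would obtain credentials for --profile NAME.
    ~/.aws/credentials uses [name] headers; ~/.aws/config uses [profile name]
    for everything except [default]."""
    config, creds = _parse(config_text), _parse(credentials_text)
    section = "default" if name == "default" else f"profile {name}"
    settings = {}
    if config.has_section(section):
        settings.update(config[section])
    if creds.has_section(name):
        settings.update(creds[name])
    if not settings:
        hint = (f" (found [{name}] in config; it must be [profile {name}])"
                if config.has_section(name) else "")
        raise KeyError(f"The config profile ({name}) could not be found{hint}")
    if "role_arn" not in settings:
        return {"kind": "static", "profile": name,
                "has_keys": "aws_access_key_id" in settings}
    # Role profile: static keys come from source_profile, the MFA prompt from mfa_serial.
    # Assumption for this example: a missing source_profile falls back to "default".
    source = resolve_profile(settings.get("source_profile", "default"),
                             config_text, credentials_text)
    return {"kind": "assume_role", "profile": name, "role_arn": settings["role_arn"],
            "source_profile": source["profile"],
            "source_has_keys": source.get("has_keys", source.get("source_has_keys", False)),
            "mfa_required": "mfa_serial" in settings,
            "session_name": settings.get("role_session_name", "")}
```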