AWS Security

AWS CLI

  • Cross Access with MFA: just a quick blurb to refresh my memory on how to gain cross-account access with the AWS CLI and MFA.
    1. Generate temporary cross-access credentials. Make sure that you specify the token code from your MFA device. The 'aws sts' command below returns an 'AccessKeyId', 'SecretAccessKey', and 'SessionToken' (plus an 'Expiration' timestamp) that represent the cross-account access credentials, valid for 12 hours by default.
      aws sts get-session-token --serial-number arn:aws:iam::892293423029:mfa/some.user --token-code 123456

      {
          "Credentials": {
              "AccessKeyId": "LKJADOWEIOJA2309092E9",
              "SecretAccessKey": "mIJOoiLKJSDL9302JA00239209UAJDLlklKJLJIO",
              "SessionToken": "FQoDYXdzEEoaDJd2ulN4CfpqypOHJCKwAfyLDK8h65stXEenyCHMqDmFQTyQxifeK96O0TBadZNXJsmqZSWFhjTCS3kEXIOYKPsqhe9Jb8Bcy6wRc0646jZzYXgqq0fhmUtW+DiyIlY8kwRUcCefybNXd9/YWoY+a+6PYcI303kxq5lqieAwWmI9csc2kfb0UDjfAdx8f9ZarGHnjw+76QEYkPhGqU5zg1PDTxbiqQu5x4Zm6+8J2ahTxR3VaBtNREOC4L053SoOKNbp58QF",
              "Expiration": "2017-02-08T04:24:54Z"
          }
      }
    2. Create/modify your credentials file ('~/.aws/credentials') based on the temporary credentials above, and set the profile name to 'crossaccountaccess'.
      [crossaccountaccess]
      aws_access_key_id=JALDSIOWE23009ADJJOA
      aws_secret_access_key=ljadksj09JIljLlJKALjlL2L109JLQWEJLL
      aws_session_token=FQoDYXdzEE4aDLjSHby3zV9No520byKwATc1CuKnhXCaG1B9Alw/qbOsU45aa5H829Q+uaTlsxHN7xxbBmhlYW6xetWPEX8DKI+Lhl7+5sozH9XvBZ32+VFi62gS7Z6Y027SyHRVvF1Iy9MyRKt3nE+aOWKLPlbvNmUYS30IYvq39LRRdrVpoYUYK1BV/oG8hIpY3bnB5EMQ/e2JcmSmJ7gP
      region=us-west-2
    3. Create your profile config '~/.aws/config', specifying the 'role_arn' of the role in the destination account that you want to assume. In the example below, '3898940190923' is the destination account ID and 'CrossAccountAccessRole' is the role to assume. 'source_profile' corresponds to your profile credentials in '~/.aws/credentials'.
      [profile <destination_account_name>]
      role_arn = arn:aws:iam::3898940190923:role/CrossAccountAccessRole
      source_profile = crossaccountaccess
    4. Issue any 'AWS CLI' command and include the '--profile' parameter specifying the <destination_account_name> that is defined in the '~/.aws/config' file.
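
    The four steps above, scripted end to end. This is an added example, not something from the original notes or from the AWS CLI itself: it reads the JSON that 'aws sts get-session-token' prints, writes the '[crossaccountaccess]' credentials section and the '[profile ...]' role section, refuses to proceed if the 'Expiration' has already passed, and verifies that 'source_profile' really points at a section that exists before you try step 4 (a broken chain otherwise surfaces only as a confusing CLI error). All function names are mine, the credentials and config paths are parameters (so it can be run against temp files rather than '~/.aws'), the destination profile name 'destination_account' is an assumption, the role ARN is the one from the notes, and the sample STS JSON is constructed, not real output.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): automates steps 1-4 above.
# Reads the JSON that 'aws sts get-session-token' prints, writes the
# [crossaccountaccess] credentials section and the role-chaining config
# section, checks that the chain is consistent and the token is unexpired,
# and prints the name to pass to --profile. Paths are parameters so the flow
# can run against temp files; the sample data below is constructed, not real.
set -eu

# Print string field $1 from the STS JSON on stdin. Enough for the flat
# "Credentials" object the CLI prints; not a general JSON parser.
json_field() {
  sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Step 2: turn get-session-token JSON (stdin) into a credentials-file section.
# $1 = profile name, $2 = default region.
sts_json_to_profile() {
  local json key secret token
  json=$(cat)
  key=$(printf '%s\n' "$json" | json_field AccessKeyId)
  secret=$(printf '%s\n' "$json" | json_field SecretAccessKey)
  token=$(printf '%s\n' "$json" | json_field SessionToken)
  [ -n "$key" ] && [ -n "$secret" ] && [ -n "$token" ] ||
    { echo "sts_json_to_profile: STS output is missing a credential field" >&2; return 1; }
  printf '[%s]\naws_access_key_id=%s\naws_secret_access_key=%s\naws_session_token=%s\nregion=%s\n' \
    "$1" "$key" "$secret" "$token" "$2"
}

# Succeed only while the Expiration in the STS JSON (stdin) lies ahead of now.
# Both are ISO-8601 UTC strings of identical shape, so a string compare is exact.
session_still_valid() {
  local exp now
  exp=$(json_field Expiration)
  now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  [ -n "$exp" ] && expr "$now" \< "$exp" >/dev/null
}

# Step 3: append a role-chaining profile to the CLI config file.
# $1 = config path, $2 = profile name, $3 = role ARN, $4 = source_profile.
write_role_profile() {
  printf '[profile %s]\nrole_arn = %s\nsource_profile = %s\n' "$2" "$3" "$4" >> "$1"
}

# Pre-flight for step 4: print the source_profile that [profile $3] in config
# $1 points at; fail if it is missing or has no [section] in credentials $2.
check_profile_chain() {
  local src
  src=$(awk -v want="[profile $3]" '
    $0 == want { inside = 1; next }
    /^\[/      { inside = 0 }
    inside && /^source_profile[ \t]*=/ { sub(/^source_profile[ \t]*=[ \t]*/, ""); print; exit }
  ' "$1")
  [ -n "$src" ] ||
    { echo "check_profile_chain: [profile $3] has no source_profile in $1" >&2; return 1; }
  grep -qx "\[$src\]" "$2" ||
    { echo "check_profile_chain: source profile [$src] not found in $2" >&2; return 1; }
  printf '%s\n' "$src"
}

# Whole flow: STS JSON on stdin; $1 = credentials path (overwritten), $2 = config
# path (appended), $3 = destination profile name, $4 = role ARN, $5 = region.
# Prints $3 on success so callers can pass it to --profile.
build_cross_account_profile() {
  local json
  json=$(cat)
  printf '%s\n' "$json" | session_still_valid ||
    { echo "build_cross_account_profile: token expired; rerun get-session-token" >&2; return 1; }
  printf '%s\n' "$json" | sts_json_to_profile crossaccountaccess "$5" > "$1"
  grep -qxF "[profile $3]" "$2" 2>/dev/null ||
    write_role_profile "$2" "$3" "$4" crossaccountaccess
  check_profile_chain "$2" "$1" "$3" >/dev/null
  printf '%s\n' "$3"
}

# Constructed sample of get-session-token output (not real credentials); the
# expiry is far in the future so the validity check passes.
SAMPLE_STS_JSON='{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLE000000001",
        "SecretAccessKey": "exampleSecret/NotReal+00000000000000000000",
        "SessionToken": "FQoDYXdzEXAMPLE/NotRealToken+000000000000000000000000000000",
        "Expiration": "2099-01-01T00:00:00Z"
    }
}'
# Same shape, but with the expiry in the past (the date from the notes above).
EXPIRED_STS_JSON=$(printf '%s\n' "$SAMPLE_STS_JSON" | sed 's/2099-01-01T00:00:00Z/2017-02-08T04:24:54Z/')

# Demo against temp files (RUN_DEMO=1 ./cross_account_profile.sh). With a real
# device, pipe the output of
#   aws sts get-session-token --serial-number "$MFA_ARN" --token-code "$CODE"
# into build_cross_account_profile instead of the sample JSON.
if [ "${RUN_DEMO:-0}" = 1 ]; then
  dir=$(mktemp -d)
  p=$(printf '%s\n' "$SAMPLE_STS_JSON" | build_cross_account_profile "$dir/credentials" \
    "$dir/config" destination_account arn:aws:iam::3898940190923:role/CrossAccountAccessRole us-west-2)
  echo "wrote $dir/credentials and $dir/config; try: aws sts get-caller-identity --profile $p"
fi
```

    Two design points worth noting: the credentials file passed as the first argument is overwritten, so point it at a dedicated file (or paste the printed section into '~/.aws/credentials' by hand) rather than at a file that holds other profiles; and the role section is only appended when no '[profile <name>]' line exists yet, so re-running after the 12-hour session lapses refreshes the credentials without duplicating config sections.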