aws-vault list
- shows all profiles from the AWS CLI config (~/.aws/config)
To add the long-lived AWS access keys to aws-vault, which stores them in the system's secure keystore (the Keychain on macOS) instead of plaintext ~/.aws/credentials:
aws-vault add central
# Enter Access Key Id: ABDCDEFDASDASF
# Enter Secret Key: %%%
To create a virtual MFA device (registered, but not enabled yet). --no-session is required here: with no MFA device yet, aws-vault could only obtain a non-MFA session token, and temporary credentials from GetSessionToken without MFA cannot call IAM APIs:
aws-vault exec central --no-session -- aws iam create-virtual-mfa-device \
--virtual-mfa-device-name john-doe-1password \
--outfile qr.png \
--bootstrap-method QRCodePNG
To load the new device's QR code into 1Password: create a Login item in the Private vault, then use "Scan QR" on qr.png for the "one-time password" field. Delete qr.png afterwards, as the image encodes the TOTP seed and anyone holding it can generate valid codes.
Enable the device (1Password) in the central AWS account. The two codes must be consecutive TOTP values: note the current code, wait for 1Password to roll over, and run the command as soon as the next code appears:
# run as soon as <next-code-from-1password> appears:
aws-vault exec central --no-session -- aws iam enable-mfa-device \
--user-name john-doe \
--serial-number=arn:aws:iam::123456789012:mfa/john-doe-1password \
--authentication-code1 <code-from-1password> --authentication-code2 <next-code-from-1password>
Every profile in the AWS CLI config gets mfa_serial and mfa_process parameters:
mfa_serial
- ARN of the user's virtual MFA device in the central AWS account
mfa_process
- command that prints the OTP code; in this example the 1Password CLI (op) is used
To get the 1Password item ID (qwertyuiopasdfghjklzxcvbnm) from the item name (amazon):
op item list --vault Private | grep amazon
# qwertyuiopasdfghjklzxcvbnm
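A ~/.aws/config that wires the two parameters to the 1Password item, as an added example that is not part of the original notes. It reuses the account ID, user name and item ID from the steps above; <target-account-id> and <role-name> are placeholders for the account and role being assumed, and the profile name target-admin is made up. aws-vault runs mfa_process and reads the OTP from its stdout, so the command must print the code and nothing else.

```ini
# ~/.aws/config (added example, not from the original notes)
# 123456789012, john-doe and qwertyuiopasdfghjklzxcvbnm are the values from
# the steps above; <target-account-id> and <role-name> are placeholders.

[profile central]
mfa_serial = arn:aws:iam::123456789012:mfa/john-doe-1password
mfa_process = op item get qwertyuiopasdfghjklzxcvbnm --vault Private --otp

[profile target-admin]
source_profile = central
role_arn = arn:aws:iam::<target-account-id>:role/<role-name>
mfa_serial = arn:aws:iam::123456789012:mfa/john-doe-1password
mfa_process = op item get qwertyuiopasdfghjklzxcvbnm --vault Private --otp
```

To check the wiring before relying on it: after signing in to op, run op item get qwertyuiopasdfghjklzxcvbnm --vault Private --otp on its own and confirm it prints only a six-digit code; then aws-vault exec target-admin -- aws sts get-caller-identity should return the assumed-role ARN. If the role's trust policy carries the MFA condition below, temporarily removing mfa_process and mfa_serial from the profile should make the same call fail with AccessDenied, which confirms the condition is actually enforced.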
To require MFA when assuming an IAM role, add the aws:MultiFactorAuthPresent condition to the role's trust policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html). The Principal is the account whose IAM users assume the role, i.e. the central account that holds the MFA devices. In an Allow statement the plain Bool test is sufficient: a request made without MFA context carries no aws:MultiFactorAuthPresent key, the condition evaluates to false, the statement does not match and AssumeRole is denied.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789013:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}