# This script is used to authenticate to AWS using MFA (Multi-Factor Authentication), excluding U2F devices.
# Function to prompt for input
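function Prompt-Input {
    # Ask for a value on the console and fall back to a default.
    #
    # Parameters:
    #   prompt       - text shown to the user (Read-Host appends ": ")
    #   defaultValue - returned when the answer is empty or only whitespace
    # Returns the entered string, or $defaultValue.
    param (
        [string]$prompt,
        [string]$defaultValue
    )
    # $input is a PowerShell automatic variable (the pipeline enumerator);
    # assigning to it shadows that variable and is flagged by
    # PSScriptAnalyzer, so a plain local name is used instead.
    $userInput = Read-Host -Prompt "$prompt"
    if ([string]::IsNullOrWhiteSpace($userInput)) {
        return $defaultValue
    }
    return $userInput
}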
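# Prerequisite: the AWS CLI must be on PATH. JSON is parsed with
# ConvertFrom-Json, so jq is not required (the earlier jq check was dead).
if (-not (Get-Command aws -ErrorAction SilentlyContinue)) {
    Write-Error "AWS CLI is required. Aborting."
    exit 1
}

# Prompt for AWS profile name
$aws_profile = Prompt-Input -prompt "Enter your AWS profile name (Default: default)" -defaultValue "default"

# Fetch MFA devices. The CLI exit code is checked explicitly: a failed call
# (unknown profile, expired base credentials, missing permission) prints
# nothing on stdout, and ConvertFrom-Json would silently yield $null.
Write-Host "Fetching MFA devices..."
$mfa_json = aws iam list-mfa-devices --profile $aws_profile --output json
if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace(($mfa_json -join ''))) {
    Write-Error "Could not list MFA devices for profile '$aws_profile'. Aborting."
    exit 1
}
$mfa_devices = (($mfa_json -join "`n") | ConvertFrom-Json).MFADevices

# Keep only devices whose serial number is an .../mfa/... ARN (virtual and
# hardware TOTP devices); FIDO/U2F keys use a different ARN form and are not
# usable with sts get-session-token. The partition is matched loosely so
# aws-us-gov and aws-cn ARNs are accepted as well. @() forces an array so
# .Count and indexing behave the same for 0, 1 or many matches.
$mfa_devices = @($mfa_devices | Where-Object { $_.SerialNumber -match "^arn:aws[a-z-]*:iam::\d+:mfa/" })
$mfa_count = $mfa_devices.Count

if ($mfa_count -eq 0) {
    Write-Error "No compatible MFA devices found. Please set up a non-U2F MFA device for your IAM user."
    exit 1
}
elseif ($mfa_count -eq 1) {
    $mfa_arn = $mfa_devices[0].SerialNumber
}
else {
    Write-Host "Select an MFA device:"
    for ($i = 0; $i -lt $mfa_count; $i++) {
        Write-Host "$($i + 1)) $($mfa_devices[$i].SerialNumber)"
    }
    $choice = Prompt-Input -prompt "Enter the number of your MFA device" -defaultValue "1"
    $device_number = 0
    # Validate instead of casting blindly: a non-numeric answer would throw,
    # and 0 or an out-of-range number would index a wrong slot (PowerShell
    # wraps negative indexes around to the end of the array).
    if (-not [int]::TryParse($choice, [ref]$device_number) -or
        $device_number -lt 1 -or $device_number -gt $mfa_count) {
        Write-Error "Invalid selection '$choice'. Aborting."
        exit 1
    }
    $mfa_arn = $mfa_devices[$device_number - 1].SerialNumber
}
Write-Host "Using MFA device: $mfa_arn"

# Input MFA code. STS expects a 6-digit token code; reject anything else
# locally rather than burning an STS call (and a one-time code) on it.
$token_code = Prompt-Input -prompt "Enter your MFA code" -defaultValue ""
if ($token_code -notmatch '^\d{6}$') {
    Write-Error "The MFA code must be 6 digits. Aborting."
    exit 1
}

# Get temporary credentials; again check the exit code and the shape of the
# response before anything is written to the credentials file.
Write-Host "Fetching temporary credentials..."
$creds_json = aws sts get-session-token --serial-number $mfa_arn --token-code $token_code --profile $aws_profile --output json
if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace(($creds_json -join ''))) {
    Write-Error "sts get-session-token failed (wrong, expired or already-used code?). Aborting."
    exit 1
}
$creds = ($creds_json -join "`n") | ConvertFrom-Json
if (-not $creds.Credentials.SecretAccessKey) {
    Write-Error "Unexpected response from sts get-session-token. Aborting."
    exit 1
}

# Create a new profile name. It must differ from the source profile:
# overwriting the long-lived profile with session credentials would break
# the next MFA login.
$new_profile = "$aws_profile-mfa"
$new_profile = Prompt-Input -prompt "Enter a name for the new profile (Default: $new_profile)" -defaultValue $new_profile
if ($new_profile -eq $aws_profile) {
    Write-Error "The new profile name must differ from the source profile '$aws_profile'. Aborting."
    exit 1
}

# Set up the new profile. Each write is checked so a partial profile is not
# reported as success.
# NOTE: aws configure set receives the secret on its command line, so the
# value is briefly visible in the process list on a shared host; writing the
# credentials file directly would avoid that at the cost of reimplementing
# the CLI's file handling.
$settings = @(
    @{ key = 'aws_access_key_id';     value = $creds.Credentials.AccessKeyId },
    @{ key = 'aws_secret_access_key'; value = $creds.Credentials.SecretAccessKey },
    @{ key = 'aws_session_token';     value = $creds.Credentials.SessionToken }
)
foreach ($setting in $settings) {
    aws configure set $setting.key $setting.value --profile $new_profile
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Failed to write $($setting.key) to profile '$new_profile'. Aborting."
        exit 1
    }
}

# Get expiration time. The value is ISO 8601; parse culture-invariantly so
# the result does not depend on the user's regional settings.
$expiration_local = [DateTime]::Parse($creds.Credentials.Expiration, [Globalization.CultureInfo]::InvariantCulture).ToLocalTime().ToString("yyyy-MM-dd HH:mm:ss K")

# Final message
Write-Host ""
Write-Host "Success! Temporary credentials have been set up."
Write-Host "---------------------------------------------"
Write-Host "Profile name: $new_profile"
Write-Host "Expiration : $expiration_local"
Write-Host ""
Write-Host "To use these credentials:"
Write-Host "1. For specific commands: aws s3 ls --profile $new_profile"
Write-Host "2. For this session: `$env:AWS_PROFILE = '$new_profile'"
Write-Host ""
Write-Host "Remember to renew your credentials before they expire."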