QiQe Garbi
Aug 22, 2017 · 1 min read

I don't have my keys encrypted, but in our projects a normal user can't do anything without assuming a “terraform” IAM role, and to assume a role he MUST have MFA enabled.

Sadly, terraform doesn't support the .aws/config file yet, but we use this trick to assume a role:

#!/usr/bin/env bash
# Meant to be sourced (". ./assume-role.sh") so the exported credentials land in the current shell.
main() {
  if [ -z "$AWS_PROFILE" ]; then
    echo "Set the AWS_PROFILE environment variable" 1>&2
    return 1
  fi

  # Drop any long-lived keys so the temporary role credentials are the only ones in use.
  unset AWS_ACCESS_KEY_ID
  unset AWS_SECRET_ACCESS_KEY
  unset AWS_SESSION_TOKEN

  # Read source_profile, role_arn and mfa_serial from the [profile $AWS_PROFILE] section of ~/.aws/config.
  local i
  for i in source_profile role_arn mfa_serial; do
    local "$i=$(grep -A 3 "profile ${AWS_PROFILE}]\$" ~/.aws/config | grep -v "profile ${AWS_PROFILE}]" | grep "$i" | awk -F" = " '{print $2}')"
  done

  # Prompt for the current TOTP code without echoing it.
  local token_code
  echo -n "Enter MFA Code: "
  read -rs token_code
  echo

  # Ask STS for temporary credentials for the role; this fails unless the MFA code is valid.
  local temporary_credentials
  temporary_credentials="$(aws --profile "${source_profile}" \
    sts assume-role \
    --role-arn="${role_arn}" \
    --serial-number="${mfa_serial}" \
    --token-code="${token_code}" \
    --role-session-name="terraform-access"
  )" || return 1

  # Export the temporary credentials so terraform (and the aws CLI) pick them up from the environment.
  export "AWS_ACCESS_KEY_ID=$(echo "${temporary_credentials}" | jq -re '.Credentials.AccessKeyId')"
  export "AWS_SECRET_ACCESS_KEY=$(echo "${temporary_credentials}" | jq -re '.Credentials.SecretAccessKey')"
  export "AWS_SESSION_TOKEN=$(echo "${temporary_credentials}" | jq -re '.Credentials.SessionToken')"
}
main
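The grep -A 3 window in the script above silently breaks when the profile section has more than three keys, or when one of the needed keys sits outside that window: the variable comes back empty and the assume-role call fails for a reason that is hard to see. Below is an added example, not part of the original comment, of a small shell/awk parser for the ~/.aws/config INI layout that reads a key by section name rather than by line distance, plus a check that a profile actually carries source_profile, role_arn and mfa_serial before any credentials are requested. The config content, the account id 123456789012 and the profile and user names are constructed placeholders.

```shell
# Constructed sample of ~/.aws/config, written to a temp file so the example runs offline.
AWS_CONFIG_SAMPLE="$(mktemp)"
cat > "$AWS_CONFIG_SAMPLE" <<'EOF'
[default]
region = eu-west-1

[profile terraform]
region = eu-west-1
source_profile = default
role_arn = arn:aws:iam::123456789012:role/terraform
mfa_serial = arn:aws:iam::123456789012:mfa/alice
output = json
EOF

# aws_config_get FILE PROFILE KEY
# Prints the value of KEY inside "[profile PROFILE]" ("[default]" for the default profile).
# Only lines between that header and the next "[...]" header are considered, so the
# size of the section and the order of its keys do not matter.
aws_config_get() {
  local file=$1 profile=$2 key=$3 header
  if [ "$profile" = default ]; then header='[default]'; else header="[profile $profile]"; fi
  awk -v hdr="$header" -v key="$key" '
    /^[[:space:]]*\[/ {
      line = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", line)
      insec = (line == hdr); next
    }
    insec {
      split($0, kv, "=")
      k = kv[1]; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
      if (k == key) {
        v = substr($0, index($0, "=") + 1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
        print v; exit
      }
    }' "$file"
}

# require_mfa_config FILE PROFILE
# Returns 0 only when the profile names a source profile, a role and an MFA device,
# i.e. when assume-role can be attempted with MFA at all; otherwise lists what is missing.
require_mfa_config() {
  local file=$1 profile=$2 k v missing=0
  for k in source_profile role_arn mfa_serial; do
    v=$(aws_config_get "$file" "$profile" "$k")
    if [ -z "$v" ]; then
      echo "profile '$profile' is missing $k; not attempting to assume a role" >&2
      missing=1
    fi
  done
  return $missing
}

# Usage: read the three values for the "terraform" profile and check they are all present.
# (The constructed file is used here; in the script above this would be ~/.aws/config.)
if require_mfa_config "$AWS_CONFIG_SAMPLE" terraform; then
  echo "role_arn:   $(aws_config_get "$AWS_CONFIG_SAMPLE" terraform role_arn)"
  echo "mfa_serial: $(aws_config_get "$AWS_CONFIG_SAMPLE" terraform mfa_serial)"
fi
```

Calling require_mfa_config before the sts assume-role step turns a vague STS error into a direct message naming the missing key, and it fails closed for profiles such as default that have no mfa_serial at all.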