Use MFA on the CLI and execute awscli commands securely

An Rodriguez
Feb 3, 2020


Enhance security and don’t let anyone run CLI commands as someone else.

To enhance security, you can require multi-factor authentication (MFA) for CLI commands as well, not only for console sign-in.

You can configure a virtual MFA device for a user from the IAM console: search for the user and assign the device under the user's security credentials, as shown below:

Configure your virtual MFA device

IAM policy example

For example, configure a role's trust policy like the one copied below. Notice the `Condition` block requiring `aws:MultiFactorAuthPresent`: a user can assume the role from the CLI only if the session was authenticated with an MFA token.

The same condition can be attached to any `Action` in any IAM policy, not just `sts:AssumeRole`. Keep the `Allow` with `"true"` shape: for requests that never involved MFA (for example plain long-term access keys) the key is simply absent rather than `false`, so a `Deny` on `"false"` would not match them.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::nnnnnnnnnnnn:user/user.name"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
```

Manually calling the CLI to obtain the temporary session credentials and then setting them as environment variables can be a hassle, so I came up with this quick script to automate the job.

In the following script, you only have to replace `YOUR_MFA_ARN` with the ARN of the MFA device you configured in the security credentials of your AWS IAM user.

Then you can either source or execute the script.
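As an added example (mine, not the author's script), here is a POSIX sh version of that automation: it prompts for the TOTP code, calls `aws sts get-session-token` with your MFA device, and prints `export` lines you can `eval` or source. `MFA_ARN` is a placeholder for your device ARN, and the AWS CLI is assumed to be installed and configured with the user's long-lived keys. The session it returns carries `aws:MultiFactorAuthPresent` set to true, so `aws sts assume-role` against the trust policy above succeeds from it.

```shell
#!/bin/sh
# Added example, not the author's script: fetch MFA-backed temporary credentials
# from STS and print them as `export` lines. Assumes the AWS CLI is installed
# and configured with the user's long-lived keys; MFA_ARN is a placeholder.
set -eu

MFA_ARN="${MFA_ARN:-arn:aws:iam::nnnnnnnnnnnn:mfa/user.name}"   # placeholder
DURATION="${DURATION:-3600}"                                    # seconds

# A TOTP code is exactly six digits; reject anything else before calling STS.
is_valid_totp() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Turn the tab-separated "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken"
# line that `--output text` produces into three export statements;
# fails unless exactly three fields are present.
creds_to_exports() {
  tab=$(printf '\t'); old_ifs=$IFS
  IFS=$tab; set -f; set -- $1; set +f; IFS=$old_ifs
  [ $# -eq 3 ] || return 1
  # STS values use base64-style characters, so single quotes are safe.
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$1"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$2"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$3"
}

# Prompt for the code, call STS with the MFA device and emit the exports.
# Usage: eval "$(./mfa-session.sh)"  or, after sourcing:  eval "$(mfa_session)"
mfa_session() {
  printf 'MFA code for %s: ' "$MFA_ARN" >&2
  read -r code
  is_valid_totp "$code" || { echo 'MFA code must be six digits' >&2; return 1; }
  # GetSessionToken needs the long-lived keys, so drop any leftover session token.
  creds=$(unset AWS_SESSION_TOKEN; aws sts get-session-token \
      --serial-number "$MFA_ARN" --token-code "$code" \
      --duration-seconds "$DURATION" \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
      --output text)
  creds_to_exports "$creds"
}

# Run only when executed interactively as mfa-session.sh; sourcing just defines
# the functions.
if [ -t 0 ] && [ "${0##*/}" = "mfa-session.sh" ]; then
  mfa_session
fi
```

The exported credentials expire after `DURATION` seconds, after which the script has to be run again with a fresh code.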

An Rodriguez

Yet another self-appointed dialectical logicist, coder, fundamental physicist, artist, and dad, among others. More about me: https://about.me/anrodriguez