2i2c-org / infrastructure

Infrastructure for configuring and deploying our community JupyterHubs.
https://infrastructure.2i2c.org
BSD 3-Clause "New" or "Revised" License

AWS: draft notes on getting local CLI access with a temporary session token #2301

Open consideRatio opened 1 year ago

consideRatio commented 1 year ago

It is not obvious to me how to get credentials to work against an AWS account that enforces use of MFA on the CLI level, but the procedure I've followed is outlined below.

Action point

How I've gone about it so far

I've tried the following, but only for nasa-veda's AWS account.

  1. Set up CLI access as if MFA wasn't enforced, via these 2i2c docs on AWS account access. It could be that if we can use AWS SSO via https://2i2c.awsapps.com/start#/, we get valid MFA tokens directly. I'm not sure.
  2. Look up the serial number of the MFA device associated with the AWS IAM user. Visit the AWS cloud console, go to IAM -> Users -> username -> Security credentials tab -> Multi-factor authentication (MFA) -> read the identifier; it should be, for example, arn:aws:iam::111222333444:mfa/my-pixel3a-mobile.
  3. Use aws sts get-session-token like this:
    MFA_DEVICE_SERIAL_NUMBER=arn:aws:iam::111222333444:mfa/my-pixel3a-mobile
    aws sts get-session-token --serial-number=$MFA_DEVICE_SERIAL_NUMBER --token-code=<just-in-time-generated-code-from-mfa-device>

yuvipanda commented 1 year ago

Here's the script I just made for this, specific to nasa-veda and my MFA:

#!/bin/zsh
# Usage: source nasa-veda-mfa.bash <mfa-code>
MFA_TOKEN=${1}

# Drop any static or previously issued session credentials so the STS call
# below authenticates with the nasa-veda profile's long-term keys.
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN

export AWS_PROFILE=nasa-veda
export MFA_DEVICE_ID=arn:aws:iam::444055461661:mfa/phone

SESSION_CREDS=$(aws sts get-session-token --serial-number ${MFA_DEVICE_ID} --token-code ${MFA_TOKEN})
# The file is sourced, so return (not exit) if STS rejected the code;
# otherwise the exports below would be set to the string "null".
if [ $? -ne 0 ] || [ -z "${SESSION_CREDS}" ]; then
    echo "get-session-token failed; check the MFA code" >&2
    return 1
fi

export AWS_ACCESS_KEY_ID=$(echo ${SESSION_CREDS} | jq -r .Credentials.AccessKeyId)
export AWS_SECRET_ACCESS_KEY=$(echo ${SESSION_CREDS} | jq -r .Credentials.SecretAccessKey)
export AWS_SESSION_TOKEN=$(echo ${SESSION_CREDS} | jq -r .Credentials.SessionToken)

I can then call this as source nasa-veda-mfa.bash <mfa-code>
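As an added example that belongs to neither comment above nor the 2i2c repo: a Python variant of the same get-session-token exchange that stores the session as a named CLI profile (so `aws --profile nasa-veda-mfa ...` works in any shell) and refuses credentials that are not temporary (key ids starting ASIA) or already expired. The target profile name, script file name and the sample STS response are assumptions.

```python
"""Exchange an MFA code for temporary STS credentials and store them as a named AWS CLI profile."""
import configparser, io, json, subprocess, sys
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample response in the shape GetSessionToken returns; not real keys.
SAMPLE_STS_RESPONSE = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLE1234567890", "SecretAccessKey": "constructed-secret",
    "SessionToken": "constructed-session-token", "Expiration": "2099-01-01T00:00:00Z"}})

def parse_session_credentials(sts_json: str) -> dict:
    """Map a GetSessionToken response onto credentials-file keys. Temporary
    access key ids start with ASIA; AKIA would mean a long-term key slipped in."""
    creds = json.loads(sts_json)["Credentials"]
    if not creds["AccessKeyId"].startswith("ASIA"):
        raise ValueError("expected temporary credentials (ASIA...), got " + creds["AccessKeyId"][:4])
    expiry = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expiry <= datetime.now(timezone.utc):
        raise ValueError(f"session already expired at {expiry.isoformat()}")
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"],
            "expiration": expiry.isoformat()}

def render_credentials_file(existing: str, profile: str, creds: dict) -> str:
    """Return the credentials-file text with [profile] replaced by the temporary
    credentials; other profiles are kept (configparser drops comments, though)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(existing)
    cfg[profile] = {k: creds[k] for k in
                    ("aws_access_key_id", "aws_secret_access_key", "aws_session_token")}
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()

def main(source_profile: str, mfa_serial: str, mfa_code: str, target_profile: str) -> None:
    """Call the AWS CLI with the long-term profile, then persist the session as target_profile."""
    result = subprocess.run(["aws", "sts", "get-session-token", "--profile", source_profile,
                             "--serial-number", mfa_serial, "--token-code", mfa_code,
                             "--output", "json"], check=True, capture_output=True, text=True)
    creds = parse_session_credentials(result.stdout)
    path = Path.home() / ".aws" / "credentials"
    path.parent.mkdir(parents=True, exist_ok=True)
    existing = path.read_text() if path.exists() else ""
    path.write_text(render_credentials_file(existing, target_profile, creds))
    path.chmod(0o600)  # the file now holds a live session token
    print(f"[{target_profile}] valid until {creds['expiration']}; use: aws --profile {target_profile} ...")

if __name__ == "__main__":  # e.g. python mfa_session.py nasa-veda <mfa-device-arn> 123456 nasa-veda-mfa
    main(*sys.argv[1:5])
```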