MacHu-GWU
commented
2 years ago @rkoval Yes, I recommend to implement in go this way:
- use some keyword like
aws mfa-auth ${profile_name} ${six_digits_token},${profile_name}is the source named profile for mfa auth. If the account force mfa, then you can never use this profile directly. - run some aws api call to get three values for future use. As an example, here's a shell script aws cli version I created long ago: https://github.com/MacHu-GWU/Dev-Exp-Share/blob/master/docs/source/01-AWS/00-AWS-Account-Management/05-Use-MFA-Protection/awscli-mfa-auth.sh
- find the region of the source region.
- persist 3 secret values and the region some where in
${HOME}directory, for instance${HOME}/.alfred-aws-console-services-workflow/secrets.jsonis a good place. DON't USE THE ALFRED WORKFLOW DIRECTORY which is the/path-to/user.workflow.70776F59-2678-4404-B83C-1111222233334444. Because if the user export it, there's a risk that user expose his credential to public. - In your workflow code logic, you can do this:
- try to load secrets from
${HOME}/..../secrets.jsonfile. If success, then set environment variable accordingly. Now the new mfa authenticated profile will automatically work. - if failed, then do the normal logic
- try to load secrets from
details: https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
seems like this needs to expose something that can detect when an account requires MFA and then set
AWS_SESSION_TOKEN?