botomfa makes it easy to use boto, the AWS SDK for Python, with AWS IAM user accounts that have multi-factor authentication (MFA) enabled.
The concept behind botomfa is that there are 2 types of credentials:
-
long-term- Your typcial AWS access keys, consisting of an ID and a SECRET -
temporary- A temporary set of credentials that are generated from a combination for your long-term credentials and your MFA token using the AWS Security Token Service.
botomfa utilizes your long-term IAM User Access Keys to obtain temporary AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SECURITY_TOKEN values from AWS Security Token Service and populates these values in the user's boto config.
Note: The credentials test is performed by making a basic connection to s3 a la get_all_buckets().
- Clone this repo
python setup.py install
boto profiles were introduced in v2.24.0. This has been tested on versions >=2.35.2.
botomfa requires that you have a boto user configuration file with the following sections:
[long-term]
aws_access_key_id = YOUR_LONGTERM_KEY_ID
aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY
The section [long-term] houses your long-term IAM User Access Keys
that do not change. These are referecned when creating temporary credentials.
This script manages, validates, and updates temporary credentials which are stored in the [Credentials] section. This section may look familar to you as the defaut/fallback section that boto references when authenticating to AWS services. This is intentional so that you are not requred to update any of your existing boto scripts!
After running botomfa, you will notice that the [Credentials] section has been populated:
[long-term]
aws_access_key_id = YOUR_LONGTERM_KEY_ID
aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY
[Credentials]
aws_access_key_id = <POPULATED_BY_SCRIPT>
aws_secret_access_key = <POPULATED_BY_SCRIPT>
aws_security_token = <POPULATED_BY_SCRIPT>
- Required: Environment variable
AWS_ACT_NUMor command argument--aws-act-num- Your AWS account number. - Enviroment variable
MFA_DEVICE_NAMEor command argument--mfa-device-name- The script assumes the identifying value of your MFA device is the same as your shell'sUSERvariable. This option overrides that value. - Environment varialbe
STS_DURATIONor command argument--duration- The default is 900 seconds, a dictated minimum by AWS.
Run botomfa before running any of your scripts that use the boto library and need valid AWS credentials.
$> botomfa
2015-08-27 13:45:57,334 - botomfa - DEBUG - Your AWS account number is: 123456789012
2015-08-27 13:45:57,334 - botomfa - DEBUG - Your MFA device name is: brian
2015-08-27 13:45:57,334 - botomfa - INFO - Temporary credentials are missing, obtaining them.
Enter AWS MFA code for user brian (renewing for 900 seconds):666666
2015-08-27 13:46:06,172 - botomfa - INFO - Validating temporary credentials..
2015-08-27 13:46:06,835 - botomfa - INFO - Temporary credentials validation successful! Token expires in 899 seconds at 2015-08-27T18:01:06Z
Running botomfa again shows that your credentials are valid. You are now free to use boto uninterupted for the duration of your temporary credentials.
$> botomfa
2015-08-27 13:48:03,294 - botomfa - DEBUG - Your AWS account number is: 123456789012
2015-08-27 13:48:03,295 - botomfa - DEBUG - Your MFA device name is: brian
2015-08-27 13:48:03,295 - botomfa - INFO - Validating temporary credentials..
2015-08-27 13:48:03,750 - botomfa - INFO - Temporary credentials validation successful! Token expires in 782 seconds at 2015-08-27T18:01:06Z