This is the bash script I use with the yubikey-manager CLI (ykman) to create a session for the AWS CLI using a YubiKey as an MFA device. This configuration is specifically for using short-term credentials.

Using the script avoids having to copy and paste the code obtained from the YubiKey into the get-session-token command.
Requirements:

- The jq utility
- A YubiKey MFA device configured for an AWS IAM user, and its serial number ARN
- AWS CLI configured for short-term credentials per Setting up the AWS CLI. For example:

~/.aws/config

```ini
[profile my-session]
[profile my-profile]
source_profile = my-session
```
The script first runs ykman, which pauses and waits for the button on the YubiKey to be pressed. This produces a code that is then passed to get-session-token.
```bash
#!/usr/bin/env bash
# Exit on any failed command, unset variable or failed pipeline stage.
set -euo pipefail

# MFA_SERIAL_ARN="arn:aws:iam::[ACCOUNT_ID]:mfa/[IAM_USER]"
MFA_SERIAL_ARN="arn:aws:iam::111111111111:mfa/jane.doe"
USER_PROFILE="my-profile"      # profile holding the long-term access key
SESSION_PROFILE="my-session"   # profile that receives the temporary credentials

echo "Fetching code from YubiKey device"
# --single requires exactly one OATH account to match and prints only the code;
# ykman blocks here until the YubiKey is touched.
mfa_code=$(ykman oath accounts code --single "$MFA_SERIAL_ARN")

echo "Creating session (code=$mfa_code)"
# Force JSON output so the jq parsing below does not depend on the profile's
# configured output format.
sts=$(aws sts get-session-token \
  --duration-seconds 14400 \
  --serial-number "$MFA_SERIAL_ARN" \
  --token-code "$mfa_code" \
  --profile "$USER_PROFILE" \
  --output json)

access_key_id=$(echo "$sts" | jq -r '.Credentials.AccessKeyId')
secret_access_key=$(echo "$sts" | jq -r '.Credentials.SecretAccessKey')
session_token=$(echo "$sts" | jq -r '.Credentials.SessionToken')
expiration=$(echo "$sts" | jq -r '.Credentials.Expiration')
echo "Session expires on: $expiration"

aws configure set aws_access_key_id "$access_key_id" \
  --profile "$SESSION_PROFILE"
aws configure set aws_secret_access_key "$secret_access_key" \
  --profile "$SESSION_PROFILE"
aws configure set aws_session_token "$session_token" \
  --profile "$SESSION_PROFILE"
```
The output of the script would look something like this:

```
Fetching code from YubiKey device
Touch your YubiKey...
Creating session (code=123456)
Session expires on: 2025-02-23T22:12:29+00:00
```
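As an added companion check (not part of the original post), the following script skips the YubiKey touch when the session created above still has enough time left. It assumes the MFA script also saves the Expiration value to ~/.aws/my-session.expiration (an assumed path), and it parses the STS timestamp format shown in the output above.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: skip the YubiKey touch when the
# session created by the MFA script still has enough time left.
set -euo pipefail

# Assumption: the MFA script also writes $expiration to this file.
EXPIRATION_FILE="${HOME:-.}/.aws/my-session.expiration"
MIN_REMAINING=300   # refresh when fewer than 5 minutes remain

# Convert the STS Expiration string (e.g. 2025-02-23T22:12:29+00:00) to epoch
# seconds. GNU date parses it directly; the fallback is the BSD/macOS form.
iso_to_epoch() {
  local ts="$1"
  date -u -d "$ts" +%s 2>/dev/null \
    || date -j -u -f "%Y-%m-%dT%H:%M:%S%z" "${ts/+00:00/+0000}" +%s
}

# Seconds left before expiry, clamped at 0. The optional second argument is
# "now" in epoch seconds so the logic can be checked against fixed values.
session_remaining_seconds() {
  local exp_epoch now remaining
  exp_epoch=$(iso_to_epoch "$1")
  now="${2:-$(date -u +%s)}"
  remaining=$(( exp_epoch - now ))
  if [ "$remaining" -lt 0 ]; then remaining=0; fi
  echo "$remaining"
}

# Succeeds (exit 0) when at least MIN_REMAINING seconds remain.
session_is_valid() {
  [ "$(session_remaining_seconds "$1" "${2:-}")" -ge "$MIN_REMAINING" ]
}

# Succeeds when the stored expiration exists and is still far enough away.
stored_session_is_valid() {
  [ -r "$EXPIRATION_FILE" ] && session_is_valid "$(cat "$EXPIRATION_FILE")"
}

if stored_session_is_valid; then
  echo "Session still valid until $(cat "$EXPIRATION_FILE"); no YubiKey touch needed"
else
  echo "Session missing or about to expire; run the MFA script to refresh it"
fi
```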