Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding QRCODE secret as parameter #85

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 36 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -167,6 +167,11 @@ Usage
--role-session-name ROLE_SESSION_NAME
Friendly session name required when using --assume-
role. By default, this is your local username.
--qrcode QRCODE If using QRCODE secret as an argument, calculates
totp internally. This value can also be provided
via the environment variable 'MFA_QRCODE' or the
~/.aws/credentials variable 'aws_mfa_qrcode'.

```

**Argument precedence**: Command line arguments take precedence over environment variables.
Expand Down Expand Up @@ -208,6 +213,17 @@ Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing
INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:07:09+00:00
```

```sh
export MFA_DEVICE=arn:aws:iam::123456788990:mfa/dudeman
export MFA_QRCODE=1234567890123456789012345678901234567890123456789012345678901234
export MFA_STS_DURATION=1800
$> aws-mfa
INFO - Using profile: default
INFO - Your credentials have expired, renewing.
Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):123456
INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:07:09+00:00
```

Output of running **aws-mfa** while credentials are still valid:

```sh
Expand Down Expand Up @@ -286,4 +302,23 @@ INFO - Success! Your credentials will expire in 3600 seconds at: 2017-07-10 07:1
$> aws s3 list-objects —bucket my-production-bucket —profile myorganization-production

$> aws s3 list-objects —bucket my-staging-bucket —profile myorganization-staging
```
```
Using qrcode secret as an argument, so calculates qrcode internally

```sh
$> aws-mfa --device arn:aws:iam::123456788990:mfa/dudeman --profile development --qrcode 1234456789012344567890123445678901234456789012344567890123445678
INFO - Using profile: development
INFO - Success! Your credentials will expire in 3600 seconds at: 2023-05-04 23:09:04+00:00
```

Using qrcode secret as saved parameter in credentials file

```sh
export MFA_DEVICE=arn:aws:iam::123456788990:mfa/dudeman
export MFA_QRCODE=1234567890123456789012345678901234567890123456789012345678901234
export MFA_STS_DURATION=1800
$> aws-mfa --profile development
INFO - Using profile: development
INFO - Success! Your credentials will expire in 3600 seconds at: 2023-05-04 23:09:04+00:00
```

40 changes: 33 additions & 7 deletions awsmfa/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,9 @@
import os
import sys
import boto3
# python totp library
import pyotp


from botocore.exceptions import ClientError, ParamValidationError
from awsmfa.config import initial_setup
Expand Down Expand Up @@ -83,6 +86,14 @@ def main():
type=str,
help="Provide MFA token as an argument",
required=False)
# qr code as optional argument
parser.add_argument('--qrcode',
type=str,
help="QR Code secret - obtained when assigning MFA."
"This value can also be provided via the"
" environment variable 'MFA_QRCODE' or the"
" ~/.aws/credentials variable 'aws_mfa_qrcode'.",
required=False)
args = parser.parse_args()

level = getattr(logging, args.log_level)
Expand Down Expand Up @@ -178,6 +189,13 @@ def validate(args, config):
'You must provide --device or MFA_DEVICE or set '
'"aws_mfa_device" in ".aws/credentials"')

# get qrcode secret from param, env var or config
if not args.qrcode:
if os.environ.get('MFA_QRCODE'):
args.qrcode = os.environ.get('MFA_QRCODE')
elif config.has_option(long_term_name, 'aws_mfa_qrcode'):
args.qrcode = config.get(long_term_name, 'aws_mfa_qrcode')

# get assume_role from param or env var
if not args.assume_role:
if os.environ.get('MFA_ASSUME_ROLE'):
Expand Down Expand Up @@ -277,14 +295,22 @@ def validate(args, config):


def get_credentials(short_term_name, lt_key_id, lt_access_key, args, config):
if args.token:
logger.debug("Received token as argument")
mfa_token = '%s' % (args.token)

# qr code as argument
if args.qrcode:
logger.debug("Received qrcode as argument")
mfa_secretqr = '%s' % (args.qrcode)
mfa_token_code = pyotp.TOTP(mfa_secretqr)
mfa_token = str(mfa_token_code.now())
else:
console_input = prompter()
mfa_token = console_input('Enter AWS MFA code for device [%s] '
'(renewing for %s seconds):' %
(args.device, args.duration))
if args.token:
logger.debug("Received token as argument")
mfa_token = '%s' % (args.token)
else:
console_input = prompter()
mfa_token = console_input('Enter AWS MFA code for device [%s] '
'(renewing for %s seconds):' %
(args.device, args.duration))

client = boto3.client(
'sts',
Expand Down
5 changes: 4 additions & 1 deletion setup.py
Original file line number Diff line number Diff line change
Expand Up @@ -24,5 +24,8 @@
],
},
url='https://github.com/broamski/aws-mfa',
install_requires=['boto3']
install_requires=[
'boto3',
'pyotp'
]
)