Making life easier with Yubikeys and the AWS CLI

Tags: aws

If you’re working with Amazon Web Services, and want the highest level of security around usage of your AWS account, AWS recommends that you use IAM users instead of the account’s root user, set up multi-factor authentication (MFA) on the IAM users, and then require MFA for API operations.

Typically this requires the person performing operations on AWS to provide a one-time code when they authenticate to AWS, as well as their more permanent password (for the web console) or their Access Key (for the CLI and SDKs).

Although the AWS CLI supports MFA authentication to temporarily assume roles, it doesn’t currently support using MFA authentication with IAM user credentials. Also, it requires you to look up a code (e.g. from an authenticator app on your phone) and type it into the terminal each time you want to authenticate using MFA.

With the YubiKey’s support for RFC 6238 TOTP tokens (the same type of time-based one-time token that AWS uses) we can make this a much smoother process by adding some functions to our shell startup file. This guide applies to Bash and Bash-compatible shells like zsh, on Mac OS and Linux.

Step 1: Store the MFA secret key on your YubiKey

There are a couple of ways to store the MFA secret key on your YubiKey. First you need to set up a Virtual MFA device on your IAM user account. When you get to the stage where the secret key is displayed in a QR code, you need to get this onto the YubiKey. You can use the “Scan QR code” option in the Yubico Authenticator desktop app, or you can install the ykman CLI tool for YubiKey, use the “Show secret key” option on AWS and then use the CLI command ykman oath add AWS to add the secret key. You’ll need the ykman tool for the next step anyway.

Make a note of the Amazon Resource Name (ARN) for your “Assigned MFA device” on your IAM user account. It’ll normally start with “arn:aws:iam::” and end with “mfa/yourusername”.
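The shell startup functions the post is leading up to, written here as an added example rather than the post’s own code: it assumes the OATH account was named AWS as in Step 1, ykman 4.x or later syntax (ykman oath accounts code), and that the MFA device ARN noted in Step 1 is placed in AWS_MFA_ARN (the ARN below is a placeholder).

```shell
#!/usr/bin/env bash
# Added example for ~/.bashrc or ~/.zshrc (not from the original post).
# Assumptions: OATH account named "AWS" on the YubiKey, ykman >= 4 syntax,
# long-lived access key already configured for the aws CLI.

# Sanity check that an ARN has the virtual MFA device shape from Step 1:
# arn:aws:iam::<12-digit account id>:mfa/<name>
aws_mfa_arn_valid() {
  case "$1" in
    arn:aws:iam::????????????:mfa/?*)
      local acct="${1#arn:aws:iam::}"
      acct="${acct%%:*}"
      case "$acct" in *[!0-9]*) return 1 ;; esac
      return 0 ;;
  esac
  return 1
}

# AWS virtual MFA devices produce 6-digit RFC 6238 codes.
aws_totp_code_valid() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Read the current code from the YubiKey and swap the long-lived key plus
# code for temporary session credentials, exported into the current shell.
aws_mfa_login() {
  : "${AWS_MFA_ARN:=arn:aws:iam::123456789012:mfa/yourusername}"  # placeholder
  aws_mfa_arn_valid "$AWS_MFA_ARN" || { echo "bad AWS_MFA_ARN: $AWS_MFA_ARN" >&2; return 1; }
  # A leftover session token would make STS reject the request, so drop
  # any previously exported temporary credentials first.
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  local code creds
  code=$(ykman oath accounts code --single AWS) || return 1   # touch the key if it blinks
  aws_totp_code_valid "$code" || { echo "unexpected code from ykman: $code" >&2; return 1; }
  # 43200 s (12 h) is the default session length for get-session-token.
  creds=$(aws sts get-session-token --serial-number "$AWS_MFA_ARN" --token-code "$code" \
            --duration-seconds 43200 --output text \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]') || return 1
  set -- $creds
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
}
```

After sourcing the file, running aws_mfa_login once per session leaves the temporary credentials in the environment, so later aws commands in that shell need no further prompting until the session expires.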