How to automate MFA for your pipeline, console, or whatever!

Pre-requisites

  • GPG
  • oathtool

Instructions

Using MFA is becoming more and more of a must, yet automation is often treated as the enemy of MFA. MFA stands for Multi-Factor Authentication; it says nothing about how or where the second factor's secret is stored. There are best practices, of course, but the secret should be treated like any other secret you have to know and handle. In the example below you paste the secret belonging to the virtual MFA device (it is just the shared secret for TOTP, the base32 string shown when you enrol the device) and encrypt it with gpg for one of your own keys. Press Ctrl-D after pasting to finish; without -r gpg would prompt for the recipient interactively:

gpg --armor -e -r <your-key-id> > ~/.aws/<profile-name>.mfa.asc

Mac

function mfa {
  if [[ -z "$1" ]]; then
    echo "usage: mfa <profile.name>"
    return 1   # 'exit' would close the interactive shell this function is sourced into
  else
    # decrypt the TOTP secret stored by the gpg command above; AWS_HOME defaults to ~/.aws
    totpkey=$(gpg --quiet --decrypt "${AWS_HOME:-$HOME/.aws}/$1.mfa.asc") || return 1
    # -b / --base32: the secret pasted from the MFA device setup is base32-encoded
    oathtool --totp -b "$totpkey" | pbcopy
  fi
}

# zsh completion: offer every <profile>.mfa.asc under AWS_HOME as an argument to mfa
function aws_mfadevices {
  reply=($(find "${AWS_HOME:-$HOME/.aws}" -name '*.mfa.asc' | xargs basename -s .mfa.asc))
}
compctl -K aws_mfadevices mfa

Linux

On Linux, use the same code but replace pbcopy with xclip -selection clipboard (or skip the clipboard altogether and simply echo $(oathtool --totp -b "$secret") onto the command line), and put the functions in your bash functions file instead. compctl is zsh's completion hook, so on bash drop that line or wire the same list into bash's complete builtin.

Don't ever store secrets unencrypted! Use gpg or KMS to encrypt your secrets at the very least. Two further caveats with this approach: oathtool receives the decrypted secret as a command-line argument, so it is visible in the process list for the instant the command runs, and the generated code stays on the clipboard until something overwrites it.
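To see what oathtool actually does with that secret, and to run the same step in a pipeline that has Python but no clipboard, here is an added example that is not part of the original post: a stand-alone RFC 6238 TOTP generator that decrypts the same <profile>.mfa.asc file with gpg and hands the code straight to aws sts get-session-token. It computes the code in-process, so the decrypted secret never appears as a command-line argument or on the clipboard. Assumptions (not from the page): AWS_HOME, defaulting to ~/.aws, holds the encrypted secrets; the file name matches the AWS CLI profile name; gpg can decrypt without an interactive prompt (gpg-agent holds the key); and the RFC 4226/6238 reference secret 12345678901234567890 is only the built-in test key, not a real one.

```python
"""In-process TOTP (RFC 6238) for an AWS MFA device whose secret is gpg-encrypted on disk.

Added example; assumes the <AWS_HOME>/<profile>.mfa.asc layout from the page.
"""
import base64
import hashlib
import hmac
import os
import struct
import subprocess
import sys
import time
from typing import Optional

# RFC 4226 / RFC 6238 reference secret, encoded the way an MFA device setup page shows it.
# Test key only; a real secret is whatever you pasted into the gpg command.
RFC_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32: str) -> bytes:
    """Turn the pasted secret into key bytes: tolerate spaces, lowercase and missing '=' padding."""
    s = "".join(secret_b32.split()).upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 64-bit counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, now: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). Same result as 'oathtool --totp -b'."""
    if now is None:
        now = int(time.time())
    return hotp(decode_secret(secret_b32), now // step, digits)


def seconds_left(now: Optional[int] = None, step: int = 30) -> int:
    """Seconds until the current code rolls over; do not start an API call with one second left."""
    if now is None:
        now = int(time.time())
    return step - now % step


def mfa_code(profile: str, aws_home: Optional[str] = None, min_validity: int = 5) -> str:
    """Decrypt <aws_home>/<profile>.mfa.asc with gpg and return a code with at least min_validity s left.

    Assumption: gpg-agent already holds the key, so no passphrase prompt interrupts a pipeline.
    """
    aws_home = aws_home or os.environ.get("AWS_HOME", os.path.expanduser("~/.aws"))
    path = os.path.join(aws_home, f"{profile}.mfa.asc")
    out = subprocess.run(["gpg", "--quiet", "--decrypt", path], check=True, capture_output=True)
    secret = out.stdout.decode().strip()
    if seconds_left() < min_validity:
        time.sleep(seconds_left())  # wait for the next window rather than race the expiry
    return totp(secret)


if __name__ == "__main__":
    # Usage: python mfa.py <profile> <mfa-device-arn>
    # Only the profile name and device ARN are command-line arguments; the secret stays in memory.
    profile, serial = sys.argv[1], sys.argv[2]
    subprocess.run(["aws", "--profile", profile, "sts", "get-session-token",
                    "--serial-number", serial, "--token-code", mfa_code(profile)], check=True)
```

The hotp and totp functions can be checked against the published RFC 4226 and RFC 6238 test vectors (counter 0 of the reference secret gives 755224; time 59 with eight digits gives 94287082), which is a cheap way to confirm a pipeline's clock and secret handling before pointing it at a real account.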

Author: Angelique Dawnbringer Published: 2009-07-04 13:23:00 Keywords:
  • AWS Basics
  • Add MFA
  • Multi-Factor-Authentication
  • IAM
  • Authenticator
  • Security
Modified: 2018-03-07 08:44:28