boto3 way to introspect AWS configuration to determine if `mfa_serial` is used in profile
context:
- we have several accounts
- one’s `$HOME/.aws/credentials` usually contains a few accounts, i.e.:

```
[default]
aws_access_key_id...
aws_secret_access_key...
[org1-admin]
aws_access_key_id...
aws_secret_access_key...
mfa_serial...
[org2-admin]
aws_access_key_id...
aws_secret_access_key...
[org3-admin]
aws_access_key_id...
aws_secret_access_key...
...
```

- one of these accounts (org1-admin as noted by the presence of `mfa_serial`) uses sub-accounts so there’s a config
- The contents of the `$HOME/.aws/config` defines profiles under one of the aforementioned specified accounts:

```
[profile gen3-prod]
role_arn = ...
source_profile = org3-admin
[profile gen3-preprod]
role_arn = ...
source_profile = org3-admin
[profile gen3-dev]
role_arn = ...
source_profile = org3-admin
```

So the problem:

We have an inventory CLI tool which needs to do resource querying. The problem is that MFA was recently set to forced for only one of the main accounts `org1-admin`. The CLI tool needs to be able to ask the CLI admin for their MFA token if the CLI tool is querying against `org1-admin` resources and then assume an sts role just for that account. That’s fine. The problem is that there is no reason for the script to attempt to query for MFA until it’s necessary (when it needs to seek resources from org1-admin).

Since boto doesn’t seem to be intelligent enough to notice when an account requires MFA for authorization, I need to code this in. My main problem is that I’m not really sure how to introspect the boto3 object to see if `mfa_serial` exists.
Top GitHub Comments
This works the way I need it to. Thank you!!
Let me give this a try tonight and I’ll comment on my success. Thank you!
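
An added example for the question in the issue above (not part of the original thread, and not boto3's or the maintainers' code): it reads the two AWS files directly with Python's standard `configparser` and follows `source_profile` to find the `mfa_serial` that governs a profile, so a tool can prompt for a token only when one exists. The sample file contents, the `org1-sub` profile, the account IDs and the function names `load_profiles` and `mfa_serial_for` are constructed for illustration; treating an `mfa_serial` anywhere in the chain as "MFA required" is an assumption based on the issue's own convention.

```python
import configparser

# Constructed sample files mirroring the issue's layout; all values are placeholders.
SAMPLE_CREDENTIALS = """\
[org1-admin]
aws_access_key_id = EXAMPLEORG1KEY
aws_secret_access_key = example-secret
mfa_serial = arn:aws:iam::111111111111:mfa/example-user
[org3-admin]
aws_access_key_id = EXAMPLEORG3KEY
aws_secret_access_key = example-secret
"""
SAMPLE_CONFIG = """\
[profile gen3-dev]
role_arn = arn:aws:iam::333333333333:role/example
source_profile = org3-admin
[profile org1-sub]
role_arn = arn:aws:iam::111111111111:role/example
source_profile = org1-admin
"""

def load_profiles(credentials_text, config_text):
    """Merge both files into {profile_name: {setting: value}}."""
    profiles = {}
    for text, is_config in ((config_text, True), (credentials_text, False)):
        parser = configparser.RawConfigParser()  # Raw: no % interpolation of values
        parser.read_string(text)
        for section in parser.sections():
            name = section
            if is_config and section != "default":
                if not section.startswith("profile "):
                    continue  # skip non-profile sections in the config file
                name = section[len("profile "):].strip()
            profiles.setdefault(name, {}).update(parser.items(section))
    return profiles

def mfa_serial_for(profile, profiles):
    """Return the mfa_serial governing `profile`, following source_profile, else None."""
    seen = set()
    while profile is not None and profile not in seen:  # `seen` stops reference loops
        seen.add(profile)
        if profile not in profiles:
            raise KeyError(f"profile not found: {profile}")
        settings = profiles[profile]
        if "mfa_serial" in settings:
            return settings["mfa_serial"]
        profile = settings.get("source_profile")
    return None
```

A caller would pass the real contents of `$HOME/.aws/credentials` and `$HOME/.aws/config` and ask for a token only when the result is not `None`.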