Using settings from .aws/config
Now also supports "mfa_device" specified in the profile (even with "source_profile").
When "role_arn" is specified, it will assume the role after a successful MFA login and set the credentials for that assumed role.
Install Oh-My-Zsh AWS MFA Plugin
git clone --depth=1 https://github.com/joepjoosten/aws-cli-mfa-oh-my-zsh.git "$ZSH/custom/plugins/aws-mfa"
- enable it in plugins=(… aws-mfa) in your zshrc file
- source ~/.zshrc
Using Oh-My-Zsh AWS MFA Plugin
This plugin adds a new zsh alias, aws-mfa. There are five ways you can use it:
1. aws-mfa with no arguments. This will cause it to prompt you interactively for a TOTP code for your current active AWS_PROFILE.
2. aws-mfa 123456, where 123456 is your 6-digit MFA code from your virtual MFA device (such as Google Authenticator, FreeOTP, etc.).
3. aws-mfa my-aws-profile, where my-aws-profile is the name of the AWS_PROFILE you want to MFA-authenticate to. It will prompt for TOTP as in case #1.
4. aws-mfa my-aws-profile 123456, where my-aws-profile is the name of the AWS_PROFILE you want to MFA-authenticate to and 123456 is your TOTP code.
5. aws-mfa my-aws-profile 123456 temp-profile, where my-aws-profile is the name of the AWS_PROFILE to MFA-authenticate to, 123456 is your TOTP code, and temp-profile is the name of the AWS_PROFILE to write the temporary credentials to.
Note: Options 3, 4, and 5 only make sense if you don't have an AWS_PROFILE already defined. The objective is to go from having no AWS_PROFILE defined to having MFA-authenticated STS temporary credentials in one command.
Furthermore, if you are using the zsh plugin for aws and have set your profile using its asp function, this will interfere with both options 3 and 4, because it will inject its AWS_PROFILE information into all subshells, causing all requests to use the profile defined with asp rather than the argument you provide here. You can correct for this by running asp with no arguments to unset the profile, and these settings will once again work as outlined above.
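
The five argument forms and the asp caveat above, as an added example that is not the plugin's own code: the function names are hypothetical, and treating a lone 6-digit argument as a TOTP code is an assumption about how the two one-argument forms are told apart.

```shell
# Added illustration, not the plugin's code. All function names are hypothetical.

# Return 0 when $1 is exactly six decimal digits (a TOTP code).
is_totp_code() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Classify an aws-mfa argument list into the five documented forms.
# Prints "form=N profile=P code=C target=T"; "-" means "not given".
# The body runs in a subshell so no variables leak into the caller.
# Caveat: a profile whose name is six digits is read as a code in form 2.
classify_aws_mfa_args() (
  profile="-"; code="-"; target="-"
  case $# in
    0) form=1; profile="${AWS_PROFILE:--}" ;;
    1) if is_totp_code "$1"; then
         form=2; profile="${AWS_PROFILE:--}"; code="$1"
       else
         form=3; profile="$1"
       fi ;;
    2) form=4; profile="$1"; code="$2" ;;
    3) form=5; profile="$1"; code="$2"; target="$3" ;;
    *) echo "usage: aws-mfa [profile] [code] [temp-profile]" >&2; return 2 ;;
  esac
  if [ "$code" != "-" ] && ! is_totp_code "$code"; then
    echo "error: '$code' is not a 6-digit code" >&2
    return 2
  fi
  echo "form=$form profile=$profile code=$code target=$target"
)

# Pre-flight for the forms that take a profile argument: return 1 when
# AWS_PROFILE is already set (for example by asp) to a different profile.
check_profile_conflict() (
  requested="$1"
  if [ -n "${AWS_PROFILE:-}" ] && [ "$AWS_PROFILE" != "$requested" ]; then
    echo "warning: AWS_PROFILE=$AWS_PROFILE is set and differs from" \
         "'$requested'; run asp with no arguments first" >&2
    return 1
  fi
  return 0
)
```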