Metadata-Version: 2.4
Name: aws-auth-utils
Version: 1.1.0
Summary: Easy AWS MFA authentication and role assuming
Project-URL: Homepage, https://github.com/mvanderlee/aws_auth
Author-email: Michiel Vanderlee <jmt.vanderlee@gmail.com>
License-Expression: MIT
License-File: LICENSE
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Information Technology
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Software Development
Classifier: Topic :: Software Development :: Libraries
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Typing :: Typed
Requires-Python: >=3.11
Requires-Dist: boto3
Requires-Dist: click
Requires-Dist: coloredlogs
Requires-Dist: environs
Provides-Extra: publish
Requires-Dist: hatch>=1.7.0; extra == 'publish'
Provides-Extra: test
Description-Content-Type: text/markdown

# AWS Auth

[![Version](https://img.shields.io/pypi/v/aws-auth-utils.svg)](https://pypi.org/project/aws-auth-utils/)
[![License](https://img.shields.io/pypi/l/aws-auth-utils.svg)](#)
[![Supported Python Versions](https://img.shields.io/pypi/pyversions/aws-auth-utils.svg)](https://pypi.org/project/aws-auth-utils/)

```shell
pip install aws-auth-utils

aws configure --profile mfa-source

aws_auth mfa
```

The commands use [click](https://click.palletsprojects.com/en/stable/) for argument parsing. If a required argument is missing, the command will prompt you for it.

To authenticate using your MFA token, you need a profile configured with a regular AWS Access Key.

That profile and your MFA token are used to generate an authorized session profile.
By default, `mfa-source` is used as the source profile and the session is written to the `default` profile.

If you only have a single MFA device set up, it will be used automatically. If you have multiple, the first one will be used.

## MFA

```shell
$ aws_auth mfa --help
Usage: aws_auth mfa [OPTIONS]

Options:
  -a, --mfa-arn TEXT          The identification number of the MFA device that
                              is associated with the IAM user. i.e.:
                              "arn:aws:iam::123456789012:mfa/tony.stark". You
                              can find this on the IAM page.
  -c, --code TEXT             The code generated by your MFA device.
  -d, --duration INTEGER      The duration, in seconds, of the session.
  -sp, --source-profile TEXT  What AWS profile to get the session token with.
  -tp, --target-profile TEXT  What AWS profile to store the credentials under.
  -v, --verbose BOOLEAN
  --help                      Show this message and exit.
```
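
The flow described above, sketched as an added example that is not `aws_auth`'s own code: the source profile's long-term key and an MFA code are exchanged for temporary credentials, which are then written under the target profile with owner-only file permissions. It assumes the tool calls STS `GetSessionToken` and stores the standard `aws_*` keys; the function names and all credential values are constructed for illustration.

```python
import configparser
import os
import tempfile
from pathlib import Path


def get_mfa_session(source_profile, mfa_arn, code, duration):
    """Trade the source profile's long-term key plus an MFA code for temporary credentials."""
    import boto3  # lazy import: the file handling below runs without boto3
    sts = boto3.Session(profile_name=source_profile).client("sts")
    resp = sts.get_session_token(
        SerialNumber=mfa_arn, TokenCode=code, DurationSeconds=duration
    )
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration


def store_profile(credentials_file, target_profile, creds):
    """Write temporary credentials under target_profile, keeping other profiles."""
    path = Path(credentials_file)
    config = configparser.ConfigParser(interpolation=None)
    config.read(path)  # a missing file is treated as empty
    config[target_profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    # Create with mode 0600 so the secrets are never world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        config.write(fh)
    os.chmod(path, 0o600)  # also tighten a file that already existed


def demo():
    """Run store_profile on constructed values; nothing here contacts AWS."""
    with tempfile.TemporaryDirectory() as tmp:
        cred_file = Path(tmp) / "credentials"
        cred_file.write_text(
            "[mfa-source]\naws_access_key_id = AKIACONSTRUCTED0000\n"
            "aws_secret_access_key = constructed-long-term-secret\n"
        )
        fake = {"AccessKeyId": "ASIACONSTRUCTED0000",
                "SecretAccessKey": "constructed-temporary-secret",
                "SessionToken": "constructed-session-token"}
        store_profile(cred_file, "default", fake)
        parsed = configparser.ConfigParser(interpolation=None)
        parsed.read(cred_file)
        mode = cred_file.stat().st_mode & 0o777
        return parsed.sections(), dict(parsed["default"]), mode
```

Against a real account, the result of `get_mfa_session(...)` would be passed to `store_profile` with the path of your AWS credentials file; the long-term key stays in the source profile and only the short-lived session lands in the profile that tools use by default.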

## Assume Role

The `assume` command is useful for multi-org environments where you want to impersonate a role in a child organization.
If you access multiple organizations, I recommend you set up aliases.

```shell
aws_auth assume \
  --role-arn arn:aws:iam::123456789012:role/OrganizationAccountAccessRole \
  --session-name child_org \
  --target-profile child_session
```

```shell
$ aws_auth assume --help
Usage: aws_auth assume [OPTIONS]

  Get MFA authenticated and assumed role session credentials and save them to
  the aws credentials file

  If you have multiple accounts you'd like to switch between, I recommend
  setting up aliases that call this script with predefined arguments.

Options:
  -r, --role-arn TEXT         The Arn of the Role to assume.
  -n, --session-name TEXT     The identifier for the assumed role session.
  -a, --mfa-arn TEXT          The identification number of the MFA device that
                              is associated with the IAM user. i.e.:
                              "arn:aws:iam::123456789012:mfa/tony.stark". You
                              can find this on the IAM page.
  -c, --code TEXT             The code generated by your MFA device.
  -d, --duration INTEGER      The duration, in seconds, of the session.
                              (defaults to 4 hours)
  -sp, --source-profile TEXT  What AWS profile to get the session token with.
  -tp, --target-profile TEXT  What AWS profile to store the credentials under.
  -v, --verbose BOOLEAN
  --help                      Show this message and exit.
```

