{"id":21939676,"url":"https://github.com/pbar1/mfaws","last_synced_at":"2025-10-05T15:45:54.889Z","repository":{"id":38456815,"uuid":"142624016","full_name":"pbar1/mfaws","owner":"pbar1","description":"AWS multi-factor authentication manager 🔒","archived":false,"fork":false,"pushed_at":"2025-02-10T17:07:43.000Z","size":4101,"stargazers_count":45,"open_issues_count":4,"forks_count":3,"subscribers_count":3,"default_branch":"develop","last_synced_at":"2025-04-22T15:22:41.508Z","etag":null,"topics":["2fa","amazon-web-services","aws","aws-mfa","aws-sts","awsmfa","mfa","multi-factor-authentication","sts","two-factor-authentication"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pbar1.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":"pbar1"}},"created_at":"2018-07-27T21:12:32.000Z","updated_at":"2024-11-12T02:19:47.000Z","dependencies_parsed_at":"2025-04-22T15:21:36.189Z","dependency_job_id":"a03b393b-ce89-4e1f-a0d1-983ec1fa4d68","html_url":"https://github.com/pbar1/mfaws","commit_stats":null,"previous_names":[],"tags_count":16,"template":false,"template_full_name":null,"purl":"pkg:github/pbar1/mfaws","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pbar1%2Fmfaws","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pbar1%2Fmfaws/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pbar1%2Fmfaws/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pbar1%2Fmfaws/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pbar1","download_url":"https://codeload.github.com/pbar1/mfaws/tar.gz/refs/heads/develop","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pbar1%2Fmfaws/sbom","scorecard":{"id":724717,"data":{"date":"2025-08-11","repo":{"name":"github.com/pbar1/mfaws","commit":"884d86f4bcf4eda60ababc1ec45e107f49be2ca0"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.8,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/build.yml:1","Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:11","Warn: topLevel 'packages' permission set to 'write': .github/workflows/release.yml:12","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v1.0.10 not signed: https://api.github.com/repos/pbar1/mfaws/releases/184571884","Warn: release artifact 1.0.10-rc4 not signed: https://api.github.com/repos/pbar1/mfaws/releases/184548344","Warn: release artifact 1.0.10-rc3 not signed: https://api.github.com/repos/pbar1/mfaws/releases/184422445","Warn: release artifact 1.0.10-rc2 not signed: https://api.github.com/repos/pbar1/mfaws/releases/184421236","Warn: release artifact 1.0.10-rc1 not signed: https://api.github.com/repos/pbar1/mfaws/releases/184420055","Warn: release artifact v1.0.10 does not have provenance: https://api.github.com/repos/pbar1/mfaws/releases/184571884","Warn: release artifact 1.0.10-rc4 does not have provenance: https://api.github.com/repos/pbar1/mfaws/releases/184548344","Warn: release artifact 1.0.10-rc3 does not have provenance: https://api.github.com/repos/pbar1/mfaws/releases/184422445","Warn: release artifact 1.0.10-rc2 does not have provenance: https://api.github.com/repos/pbar1/mfaws/releases/184421236","Warn: release artifact 1.0.10-rc1 does not have provenance: https://api.github.com/repos/pbar1/mfaws/releases/184420055"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yml:16"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/pbar1/mfaws/build.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/pbar1/mfaws/build.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/pbar1/mfaws/release.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/pbar1/mfaws/release.yml/develop?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/pbar1/mfaws/release.yml/develop?enable=pin","Info:   0 out of   4 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Branch-Protection","score":3,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'develop'","Info: 'force pushes' disabled on branch 'develop'","Warn: 'branch protection settings apply to administrators' is disabled on branch 'develop'","Warn: 'stale review dismissal' is disabled on branch 'develop'","Warn: branch 'develop' does not require approvers","Warn: codeowners review is not required on branch 'develop'","Warn: 'last push approval' is disabled on branch 'develop'","Warn: no status checks found to merge onto branch 'develop'","Info: PRs are required in order to make changes on branch 'develop'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}}]},"last_synced_at":"2025-08-22T12:25:55.660Z","repository_id":38456815,"created_at":"2025-08-22T12:25:55.661Z","updated_at":"2025-08-22T12:25:55.661Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278477817,"owners_count":25993540,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-05T02:00:06.059Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["2fa","amazon-web-services","aws","aws-mfa","aws-sts","awsmfa","mfa","multi-factor-authentication","sts","two-factor-authentication"],"created_at":"2024-11-29T02:26:46.816Z","updated_at":"2025-10-05T15:45:54.836Z","avatar_url":"https://github.com/pbar1.png","language":"Go","readme":"\u003ch1 align=\"center\" style=\"border-bottom: none;\"\u003e:lock: mfaws :lock:\u003c/h1\u003e\n\u003cp align=\"center\"\u003e\u003cb\u003eAWS multi-factor authentication manager\u003c/b\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/pbar1/mfaws/actions/workflows/build.yml\"\u003e\n    \u003cimg alt=\"Build Status\" src=\"https://github.com/pbar1/mfaws/actions/workflows/build.yml/badge.svg\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/pbar1/mfaws/releases/latest\"\u003e\n    \u003cimg alt=\"GitHub release\" src=\"https://img.shields.io/github/release/pbar1/mfaws.svg\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://goreportcard.com/report/github.com/pbar1/mfaws\"\u003e\n    \u003cimg alt=\"Go Report Card\" src=\"https://goreportcard.com/badge/github.com/pbar1/mfaws\"\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"./.github/assets/example.svg\"/\u003e\n\u003c/p\u003e\n\n## Installation\n\n[![Packaging status](https://repology.org/badge/vertical-allrepos/mfaws.svg)](https://repology.org/project/mfaws/versions)\n\n| Package Manager       | Install Command                                                                                |\n|-----------------------|------------------------------------------------------------------------------------------------|\n| [Manual][p_man]       | Download the binary for your system from the releases page                                     |\n| [Nix (flake)][p_nix]  | `nix run github:pbar1/mfaws --`                                                                |\n| [Docker][p_docker]    | `docker pull ghcr.io/pbar1/mfaws:latest`                                                       |\n| [Go][p_go]            | `go install github.com/pbar1/mfaws@latest`                                                     |\n| [Homebrew][p_tap]     | `brew tap pbar1/tap`\u003cbr\u003e `brew install pbar1/tap/mfaws`                                        |\n| [Scoop][p_scoop]      | `scoop bucket add pbar1 https://github.com/pbar1/scoop-bucket`\u003cbr\u003e `scoop install pbar1/mfaws` |\n| [Chocolatey][p_choco] | `choco install mfaws`                                                                          |\n| [AUR][p_aur]          | `yay -S mfaws-bin`                                                                             |\n\n## How to use\n\n### CLI help\n\n\u003cdetails\u003e\n\u003csummary\u003eExpand to see \u003ccode\u003emfaws --help\u003c/code\u003e\u003c/summary\u003e\n\u003cbr\u003e\n\u003cpre\u003e\nAWS Multi-Factor Authentication Manager\u003cbr\u003e\n\nUsage:\n\u0026nbsp;\u0026nbsp;mfaws [flags]\n\u0026nbsp;\u0026nbsp;mfaws [command]\n\nAvailable Commands:\n\u0026nbsp;\u0026nbsp;completion  Generate the autocompletion script for the specified shell\n\u0026nbsp;\u0026nbsp;help        Help about any command\n\u0026nbsp;\u0026nbsp;version     Prints mfaws version information\n\nFlags:\n\u0026nbsp;\u0026nbsp;-a, --assume-role string         ARN of IAM role to assume [MFA_ASSUME_ROLE]\n\u0026nbsp;\u0026nbsp;-c, --credentials-file string    Path to AWS credentials file (default \"~/.aws/credentials\") [AWS_SHARED_CREDENTIALS_FILE]\n\u0026nbsp;\u0026nbsp;-d, --device string              ARN of MFA device to use [MFA_DEVICE]\n\u0026nbsp;\u0026nbsp;-l, --duration int               Duration in seconds for credentials to remain valid (default assume-role ? 3600 : 43200) [MFA_STS_DURATION]\n\u0026nbsp;\u0026nbsp;-e, --external-id string         Unique ID used by third parties to assume a role in their customers' accounts [AWS_EXTERNAL_ID]\n\u0026nbsp;\u0026nbsp;-f, --force                      Force credentials to refresh even if not expired\n\u0026nbsp;\u0026nbsp;-h, --help                       help for mfaws\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;--long-term-suffix string    Suffix appended to long-term profiles (default \"-long-term\")\n\u0026nbsp;\u0026nbsp;-p, --profile string             Name of profile to use in AWS credentials file (default \"default\") [AWS_PROFILE]\n\u0026nbsp;\u0026nbsp;-s, --role-session-name string   Session name when assuming a role\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;--short-term-suffix string   Suffix appended to short-term profiles (default \"\")\n\u0026nbsp;\u0026nbsp;-t, --token string               MFA token to use for authentication\n\u0026nbsp;\u0026nbsp;-v, --verbose                    Enable verbose output\n\nUse \"mfaws [command] --help\" for more information about a command.\n\u003c/pre\u003e\n\u003c/details\u003e\n\n### Setup and usage\n\n`mfaws` works by looking for AWS credentials and an MFA device ARN in profiles suffixed with `-long-term`. It uses those credentials as well as a TOTP code supplied by the user to make an `AssumeRole` call. The outcome of this is another set of short-lived credentials scoped to the role session. These short lived credentials are stored in a separate profile in the credentials file without the `-long-term` suffix.\n\nFor example, your `~/.aws/credentials` file should look similar to this. Here we are using the profile `default-long-term`:\n\n```ini\n[default-long-term]\naws_access_key_id     = $YOUR_AWS_ACCESS_KEY_ID\naws_secret_access_key = $YOUR_AWS_SECRET_ACCESS_KEY\naws_mfa_device        = $YOUR_MFA_DEVICE_ARN\n```\n\nThen, simply run the following, and enter the MFA token when prompted:\n\n```sh\n$ mfaws\n```\n\nIf that is sucessful, it will create a another profile in the credentials file called `default` that contains the session-scoped creds:\n\n```diff\n [default-long-term]\n aws_access_key_id     = $YOUR_AWS_ACCESS_KEY_ID\n aws_secret_access_key = $YOUR_AWS_SECRET_ACCESS_KEY\n aws_mfa_device        = $YOUR_MFA_DEVICE_ARN\n\n+[default]\n+aws_access_key_id     = ...\n+aws_secret_access_key = ...\n+aws_session_token     = ...\n```\n\nIn this example we used `default` because it is what tools such as the AWS SDK and `aws` CLI load by default when no profile is specified. Using other profiles is also like so: `mfaws -p myprofile`, which will result in the following:\n\n```diff\n [myprofile-long-term]\n aws_access_key_id     = $YOUR_AWS_ACCESS_KEY_ID\n aws_secret_access_key = $YOUR_AWS_SECRET_ACCESS_KEY\n aws_mfa_device        = $YOUR_MFA_DEVICE_ARN\n\n+[myprofile]\n+aws_access_key_id     = ...\n+aws_secret_access_key = ...\n+aws_session_token     = ...\n```\n\n## Examples\n\n\u003e [!NOTE]\n\u003e Make sure your hardware clock is correct, [especially if dual booting](https://wiki.archlinux.org/index.php/Time#UTC_in_Windows). If your time is out of sync, codes generated on your machine will be wrong and your MFA attempts will fail.\n\n### Combine with [`oathtool`](https://www.nongnu.org/oath-toolkit/)\n\n\u003e [!CAUTION]\n\u003e While convenient, it's generally not advisable to save the MFA *secret key* to disk, since it does not expire.\n\nYou can use `oathtool` to get TOTP codes directly in the CLI without having to copy them from elsewhere. `mfaws` can receive a TOTP code piped from stdin:\n\n```sh\noathtool --totp --base32 $YOUR_AWS_TOTP_KEY | mfaws\n```\n\n### Combine with [1Password CLI](https://developer.1password.com/docs/cli/)\n\nYou can get TOTP codes from MFA keys that you've saved in your 1Password account. This has the advantage of not leaking the secret to disk. In this example, we're requesting a TOTP code from an item called `AWS` in our 1Password account and piping it into `mfaws`:\n\n```sh\nop item get AWS --otp | mfaws\n```\n\n### Combine with [HashiCorp Vault](https://developer.hashicorp.com/vault/docs/secrets/totp) TOTP secrets engine\n\nSimilar to the above examples, you can request a TOTP code from HashiCorp Vault. In this example, we've enabled the TOTP secret engine and previously saved our MFA secret as an item called `my-aws-totp-secret`. Simply use the Vault CLI to read just the `code` field from that secret: \n\n```\nvault read -field=code totp/code/my-aws-totp-secret | mfaws\n```\n\n\u003c!-- Sources --\u003e\n\n[p_man]: https://github.com/pbar1/mfaws/releases\n[p_nix]: https://github.com/pbar1/mfaws/blob/develop/flake.nix\n[p_docker]: https://github.com/pbar1/mfaws/pkgs/container/mfaws\n[p_go]: https://pkg.go.dev/github.com/pbar1/mfaws\n[p_tap]: https://github.com/pbar1/homebrew-tap/blob/main/mfaws.rb\n[p_scoop]: https://github.com/pbar1/scoop-bucket/blob/master/bucket/mfaws.json\n[p_choco]: https://community.chocolatey.org/packages/mfaws\n[p_aur]: https://aur.archlinux.org/packages/mfaws-bin","funding_links":["https://github.com/sponsors/pbar1"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpbar1%2Fmfaws","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpbar1%2Fmfaws","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpbar1%2Fmfaws/lists"}