{"id":22831560,"url":"https://github.com/phrase/aws-mfa","last_synced_at":"2025-04-23T19:44:12.433Z","repository":{"id":144210344,"uuid":"70123948","full_name":"phrase/aws-mfa","owner":"phrase","description":null,"archived":false,"fork":false,"pushed_at":"2023-02-24T18:15:47.000Z","size":834,"stargazers_count":5,"open_issues_count":2,"forks_count":1,"subscribers_count":18,"default_branch":"master","last_synced_at":"2025-03-30T02:51:09.062Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/phrase.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-10-06T04:55:30.000Z","updated_at":"2019-03-28T16:26:30.000Z","dependencies_parsed_at":null,"dependency_job_id":"85aeb55c-d662-4faa-8a35-4531e64a3b8f","html_url":"https://github.com/phrase/aws-mfa","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phrase%2Faws-mfa","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phrase%2Faws-mfa/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phrase%2Faws-mfa/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phrase%2Faws-mfa/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/phrase","download_url":"https://codeload.github.com/phrase/aws-mfa/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","re
positories_count":250501614,"owners_count":21441049,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-12T20:26:34.926Z","updated_at":"2025-04-23T19:44:12.428Z","avatar_url":"https://github.com/phrase.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# aws-mfa\n\nWrapper for the awscli tool to support MFA tokens and also yubikeys.\n\n## Requirements\n\n* awscli (e.g. via `pip install awscli`)\n* yubioauth (if you want to use the automatic-yubioauth feature)\n\n## How it works\n\nThe wrapper makes sure you are always using AWS credentials with a valid session token and automatically refreshes them after 6 hours by default (you can override this with e.g. 
`\"aws_duration\":\"12h\"`).\n\n## IAM policy\n\nHere is the IAM policy we use for our `admin` accounts. The only actions accessible without a valid MFA token are `iam:GetUser` (to get information about the current user) and `iam:ListMFADevices` (to list the user's MFA devices).\n\n\t{\n\t\t\t\"Version\": \"2012-10-17\",\n\t\t\t\"Statement\": [\n\t\t\t\t\t{\n\t\t\t\t\t\t\t\"Effect\": \"Allow\",\n\t\t\t\t\t\t\t\"Action\": \"*\",\n\t\t\t\t\t\t\t\"Resource\": \"*\",\n\t\t\t\t\t\t\t\"Condition\": {\n\t\t\t\t\t\t\t\t\t\"NumericLessThan\": {\n\t\t\t\t\t\t\t\t\t\t\t\"aws:MultiFactorAuthAge\": \"21600\"\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\t\t\"Effect\": \"Allow\",\n\t\t\t\t\t\t\t\"Action\": [\n\t\t\t\t\t\t\t\t\t\"iam:GetUser\",\n\t\t\t\t\t\t\t\t\t\"iam:ListMFADevices\"\n\t\t\t\t\t\t\t],\n\t\t\t\t\t\t\t\"Resource\": \"*\"\n\t\t\t\t\t}\n\t\t\t]\n\t}\n\n## Configuration\n\n\t# $HOME/.config/aws.phraseapp.json\n\t{\n\t\t\"aws_access_key_id\": \"key\",\n\t\t\"aws_secret_access_key\": \"secret\",\n\t\t\"aws_default_region\": \"eu-west-1\",\n\t\t\"aws_yubikey\": \"AWS PhraseApp\"     // only needed if you want to use a yubikey\n\t}\n\n\texport AWS_CREDENTIALS_PATH=$HOME/.config/aws.phraseapp.json\n\taws-mfa iam get-user\n\n\t# or just use an alias like this if you want to make it work with multiple accounts\n\talias aws-phraseapp='AWS_CREDENTIALS_PATH=$HOME/.config/aws.phraseapp.json aws-mfa $@'\n\n\n## Yubikey\n\nIf you use a yubikey to store your MFA credentials, you can add e.g. `\"aws_yubikey\": \"AWS PhraseApp\"` to your aws config (this requires that yubioauth is installed), with `AWS PhraseApp` being the name of the MFA sequence on your yubikey.\n\nThe MFA prompt should automatically detect inserted yubikeys and automatically continue. 
You could still just manually type your MFA token.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphrase%2Faws-mfa","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fphrase%2Faws-mfa","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphrase%2Faws-mfa/lists"}