I am following this thread (How to use MFA with AWS CLI?); using a session token is a good workaround.
I see this use case works for dev/individual users who are standing by to provide MFA. What about the prod or QA environments that need automated deployments or executions? It is not viable to have MFA for those pipelines. Does anyone know a workaround? Or do we just need to have a service account without access to the console for this purpose? Should those service accounts not be assigned this role?
Regards, Sai Teja
There are different ways to assume a role in AWS. If you are using Linux:
You need to define the variables below, or put them directly in bash:
export ACCOUNT_NO=xxxx         # account that owns the role you want to assume
export ROLE_NAME=xxxx
export REGION=xxxx
export SOURCE_ACCOUNT_NO=xxxx  # account of the IAM user whose MFA device is used
export USER_NAME=xxxx
export MFACODE=xxxx            # current code from the MFA device
export PROFILE=xxxx
This will be the profile used while assuming the role.
# Call STS with the MFA serial and code; the three credential fields come back
# space-separated as text and are captured into the KST array.
KST=(`aws sts assume-role --role-arn arn:aws:iam::${ACCOUNT_NO}:role/${ROLE_NAME} \
--role-session-name "temp_assume_role" \
--profile $PROFILE \
--region ${REGION} \
--serial-number arn:aws:iam::${SOURCE_ACCOUNT_NO}:mfa/${USER_NAME} \
--token-code $MFACODE \
--query "[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]" \
--output text`)
aws_access_key_id="${KST[0]}"
aws_secret_access_key="${KST[1]}"
aws_session_token="${KST[2]}"
# Export these as AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN
# (or write them to a profile in ~/.aws/credentials) before running further aws commands.
If you are using Windows you can use the following commands:
# Role_ARN, PROFILE, MFAARN (the MFA device ARN) and MFACODE are expected as environment variables.
$Creds = (Use-STSRole -RoleArn $Env:Role_ARN -RoleSessionName temp_assume_role -ProfileName $Env:PROFILE -SerialNumber $Env:MFAARN -TokenCode $Env:MFACODE).Credentials
# Expose the temporary credentials to the AWS CLI through the standard environment variables
$Env:AWS_ACCESS_KEY_ID = $Creds.AccessKeyId
$Env:AWS_SECRET_ACCESS_KEY = $Creds.SecretAccessKey
$Env:AWS_SESSION_TOKEN = $Creds.SessionToken
Write-Host "Testing the connection"
aws sts get-caller-identity
Note: for Windows you should also have the AWS CLI installed.
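As an added example (not code from the answer above), the Linux flow wrapped into a reusable bash function: it calls aws sts assume-role with the MFA serial and token code, also asks for the Expiration, validates the tab-separated text response, and prints export lines that can be eval-ed into the current shell. The parsing is a separate function so it can be checked against a constructed sample response without calling AWS; the function and variable names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the answer above): assume a role with MFA and turn
# the STS text response into export lines. Assumes the aws CLI is installed
# and that the source profile is allowed to call sts:AssumeRole on the role.
set -eu

# Parse one line of `aws sts assume-role --output text` holding, tab-separated,
# AccessKeyId, SecretAccessKey, SessionToken and Expiration.
# Prints export statements on success; returns 1 if the line is malformed.
sts_to_exports() {
  sts_line=$1
  old_ifs=$IFS
  set -f                       # no globbing while the line is split
  IFS=$(printf '\t')
  set -- $sts_line
  IFS=$old_ifs
  set +f
  if [ "$#" -ne 4 ]; then
    echo "assume-role returned $# field(s), expected 4" >&2
    return 1
  fi
  # Temporary STS keys start with ASIA; an AKIA key here means long-term
  # user credentials were picked up instead of the assumed-role session.
  case $1 in
    ASIA*) ;;
    *) echo "unexpected access key id prefix: $1" >&2; return 1 ;;
  esac
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$1"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$2"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$3"
  printf '# session credentials expire at %s\n' "$4"
}

# Usage: eval "$(assume_role_mfa ACCOUNT ROLE SRC_ACCOUNT USER MFACODE PROFILE)"
assume_role_mfa() {
  sts_line=$(aws sts assume-role \
    --role-arn "arn:aws:iam::$1:role/$2" \
    --role-session-name "mfa-$(date +%s)" \
    --serial-number "arn:aws:iam::$3:mfa/$4" \
    --token-code "$5" \
    --profile "$6" \
    --query "[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken,Credentials.Expiration]" \
    --output text)
  sts_to_exports "$sts_line"
}
```

The eval form keeps the credentials in the current shell only; they expire with the STS session, which is the property that makes this preferable to long-lived keys for interactive use.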