Switch aws cli to cross account with mfa enabled


Question

Is there a way to access a cross account from an aws credential which has mfa enabled?

I am able to switch account from the aws management console; I want to do the same from the cli.

Tried updating the .aws/config file as per the link below.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-cli.html

Getting an error: The config profile (CrossAccountSignin) could not be found. Please advise.

Answer

There are two parts to this: the ~/.aws/credentials file and the ~/.aws/config file.

Let's say you have an IAM user my-user-id in account 987654321098 and want to assume a role called my-assumed-role in account 123456789012.

The ~/.aws/credentials file contains a profile with the IAM command line user's credentials (access key id and secret access key) from my-user-id. For example:

[default]
aws_access_key_id=AKIAABCDEFGHIJKLMNOPQR
aws_secret_access_key=SeCrEtKeY
region=ap-southeast-2
output=json

The ~/.aws/config file contains a profile with the ARN of the cross account role and the IAM user's MFA serial number, along with any other session options. For example:

[profile cross-account-role]
role_arn = arn:aws:iam::123456789012:role/my-assumed-role
source_profile = default
mfa_serial = arn:aws:iam::987654321098:mfa/my-user-id
region=ap-southeast-2
s3 = 
    signature_version = s3v4
role_session_name = my-session

To assume the cross account role with the CLI we append the profile of the role from ~/.aws/config, e.g. --profile cross-account-role, to the command.

As the source_profile is default, it will use the credentials of the IAM user my-user-id, with MFA, from account 987654321098 to assume the my-assumed-role role in the target account 123456789012.

For example:

myuser@myhost:~$ aws sts get-caller-identity --profile cross-account-role
Enter MFA code for arn:aws:iam::987654321098:mfa/my-user-id:
{
    "UserId": "AROAABCDEFGHIJKLMNOPQR:my-session",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/my-assumed-role/my-session"
}

The CLI will prompt you to enter your MFA code and then provide the output. The session lasts by default for 60 minutes and is cached; during this time any further CLI commands will not prompt again for an MFA code.
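As an added example that is not part of the original question or answer, the following Python script checks the two files offline the way the CLI reads them, so the asker's error can be pinned down without touching AWS: in ~/.aws/config every profile other than default must be written `[profile NAME]`, whereas ~/.aws/credentials uses the bare name. It also verifies that an `aws sts get-caller-identity` result is the expected role session (STS drops any role path and reports only the role name plus the session name). The sample file contents, the second config section reproducing the asker's mistake, and the JSON in the test are constructed to mirror the answer.

```python
"""Offline sanity check for the cross-account + MFA profile setup above.

Added example, not code from the original question or answer. It reads the
two files the way the CLI does (bare section names in ~/.aws/credentials,
'[profile NAME]' in ~/.aws/config), resolves role_arn / source_profile /
mfa_serial, and checks `aws sts get-caller-identity` output against the
expected role session. Sample file contents and JSON are constructed.
"""
import configparser
import json
import re
from typing import Dict, List, Tuple

Profiles = Dict[str, Dict[str, str]]
IAM_ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")
IAM_MFA_ARN = re.compile(r"^arn:aws:iam::(\d{12}):mfa/.+$")

# Constructed sample files. The second config section reproduces the
# asker's error: a config-file profile written without the 'profile ' prefix.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id=AKIAABCDEFGHIJKLMNOPQR
aws_secret_access_key=SeCrEtKeY
"""
SAMPLE_CONFIG = """\
[profile cross-account-role]
role_arn = arn:aws:iam::123456789012:role/my-assumed-role
source_profile = default
mfa_serial = arn:aws:iam::987654321098:mfa/my-user-id
region = ap-southeast-2
role_session_name = my-session

[CrossAccountSignin]
role_arn = arn:aws:iam::123456789012:role/my-assumed-role
source_profile = default
"""


def load_profiles(credentials_text: str, config_text: str) -> Tuple[Profiles, List[str]]:
    """Merge both files; also return config sections the CLI ignores (no 'profile ')."""
    profiles: Profiles = {}
    ignored: List[str] = []
    creds = configparser.RawConfigParser()
    creds.read_string(credentials_text)
    for section in creds.sections():
        profiles.setdefault(section, {}).update(creds[section])
    conf = configparser.RawConfigParser()
    conf.read_string(config_text)
    for section in conf.sections():
        if section == "default":
            profiles.setdefault("default", {}).update(conf[section])
        elif section.startswith("profile "):
            profiles.setdefault(section[len("profile "):], {}).update(conf[section])
        else:
            ignored.append(section)
    return profiles, ignored


def check_role_profile(name: str, profiles: Profiles, ignored: List[str]) -> List[str]:
    """Return the problems `--profile NAME` would hit; an empty list means it is sound."""
    prof = profiles.get(name)
    if prof is None:
        msg = f"The config profile ({name}) could not be found"
        if name in ignored:
            msg += f"; in ~/.aws/config the section must be written [profile {name}]"
        return [msg]
    problems: List[str] = []
    role_arn = prof.get("role_arn", "")
    if not IAM_ROLE_ARN.match(role_arn):
        problems.append(f"role_arn is missing or malformed: {role_arn!r}")
    src_name = prof.get("source_profile")
    src = profiles.get(src_name or "")
    if src is None:
        problems.append(f"source_profile {src_name!r} does not resolve to a profile")
    elif not {"aws_access_key_id", "aws_secret_access_key"} <= set(src):
        problems.append(f"source_profile {src_name!r} has no static access keys")
    mfa = prof.get("mfa_serial")
    if mfa is None:
        problems.append("no mfa_serial: the CLI will not prompt for a code, and a role "
                        "trust policy that requires MFA will deny AssumeRole")
    elif not IAM_MFA_ARN.match(mfa):
        problems.append(f"mfa_serial is malformed: {mfa!r}")
    return problems


def expected_session_arn(role_arn: str, session_name: str) -> str:
    """IAM role ARN -> the STS assumed-role ARN that get-caller-identity returns.

    A role path (role/path/name) is dropped: STS keeps only the role name.
    """
    m = IAM_ROLE_ARN.match(role_arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    account, role_path = m.groups()
    role_name = role_path.rsplit("/", 1)[-1]
    return f"arn:aws:sts::{account}:assumed-role/{role_name}/{session_name}"


def identity_matches(identity_json: str, role_arn: str, session_name: str) -> bool:
    """True if `aws sts get-caller-identity` output is the expected role session."""
    return json.loads(identity_json).get("Arn") == expected_session_arn(role_arn, session_name)
```

Run `check_role_profile("CrossAccountSignin", *load_profiles(...))` against your real files (read them with `open()` rather than the constructed strings) to get the same "could not be found" message the CLI prints, plus the hint about the missing `profile ` prefix; a profile that passes with an empty list still depends on the role's trust policy allowing my-user-id to assume it.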
