如果您使用的是角色,CLI可以爲您管理很多這樣的事情。這裏描述的:http://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html
在我的任職文件我有:
[my_iam_user]
aws_access_key_id = AKIABLAHBLAHBLAHBLAH
aws_secret_access_key = <blah>
region = us-east-1
[my_admin_role]
role_arn = arn:aws:iam::123456789123:role/my_admin_role
source_profile = my_iam_user
mfa_serial = arn:aws:iam::123456789123:mfa/my_iam_user
region = us-east-1
注意mfa_serial
條目。您可以從AWS IAM控制檯中的用戶詳細信息中獲取此值。該條目告訴CLI該角色需要MFA。
當我打電話aws s3 ls --profile my_admin_role
它說Enter MFA code:
,我粘貼代碼後返回列表。
注意:我沒有找到一種方法讓CLI在調用用戶配置文件(--profile my_iam_user
)時詢問MFA,只調用角色配置文件會觸發MFA請求。
外交部令牌然後結轉和用戶配置文件可以作爲很好:
aws sts get-caller-identity --profile my_iam_user
# {
# "Account": "123456789123",
# "UserId": "AIDABLAHBLAHBLAHBLAH",
# "Arn": "arn:aws:iam::123456789123:user/my_iam_user"
# }
aws sts get-caller-identity --profile my_admin_role
# {
# "Account": "123456789123",
# "UserId": "AROABLAHBLAHBLAHBLAH:AWS-CLI-session-1234567890",
# "Arn": "arn:aws:sts::123456789123:assumed-role/my_admin_role/AWS-CLI-session-1234567890"
# }