awsotp

Generates the same MFA code that Google Authenticator would generate. It reads the value of mfa_secret from a profile in the AWS credentials file and returns the 6-digit code used for MFA authentication. The code is also placed on the clipboard.

It takes --profile and --config as arguments, so although it uses the AWS credentials file by default, it can work with any .ini style configuration. All it needs is a file like:

[account1]
mfa_secret = SECRETOFACCOUNT1

[account2]
mfa_secret = SECONDSECRET

Compatible with both Python 2 and 3.

Setup

The script

Needs the onetimepass and pyperclip modules. Both can be installed with pip, and both are on GitHub.

onetimepass can be found here: https://github.com/tadeck/onetimepass

pyperclip can be found here: https://github.com/asweigart/pyperclip

The config file

When a new virtual MFA device is set up in AWS, a screen like the one below appears. What we need is the 'secret key for manual configuration'. The QR code is just an encoding of an otpauth URL that contains that same secret key.

[Image: MFA Activation]

The config file (~/.aws/credentials) section (profile) for the above image should look similar to:

[default]
region = us-east-1
aws_access_key_id = BANANANANANANANPHONE
aws_secret_access_key = OhYesOfCourseThisIsARealSecretStringHere
mfa_secret = B25ARDS3XOTDLKVYBSCQJELZE3Z5DGJV7NIBBRXHUD3TKK5QVEP53JW5US4EYSXH

The config file and Google Authenticator (or whatever else) on the phone can be set up at the same time, so that there's a backup in case one of them isn't working. Keep in mind that a seed stored next to aws_access_key_id and aws_secret_access_key in ~/.aws/credentials is no longer an independent second factor: anyone who can read that file can produce valid MFA codes, so protect it accordingly (owner-only permissions, no copies in repositories or shared backups).

The QR code can be generated later using any QR generator. The string that should be fed to the generator for the mfa_secret above is otpauth://totp/username@awsaccount?secret=B25ARDS3XOTDLKVYBSCQJELZE3Z5DGJV7NIBBRXHUD3TKK5QVEP53JW5US4EYSXH, where username@awsaccount is the name Google Authenticator will give to the code.
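The two steps the page describes, reading mfa_secret from an .ini profile and deriving the code Google Authenticator would show (plus building and parsing the otpauth URL from the previous paragraph), carried out in a self-contained Python 3 script. This is an added example, not the awsotp script itself: it uses only the standard library (no onetimepass, and the pyperclip clipboard step is left out), the config text and the profile name account2 are constructed for the example, and the seed is the RFC 6238 reference key "12345678901234567890" in base32 so the codes can be checked against the RFC's published test vectors.

```python
"""Stdlib-only TOTP generator in the spirit of awsotp (example code, not the
project's own script): reads mfa_secret from an .ini profile and derives the
6-digit code the way Google Authenticator does (RFC 6238, HMAC-SHA1, 30 s step).
"""
import base64
import configparser
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, urlsplit

# Constructed example config in the same shape as the ~/.aws/credentials
# snippet above. The key and secret are placeholders; the seed is the RFC 6238
# reference key "12345678901234567890" in base32, so the codes it produces can
# be checked against the RFC's test vectors. account2 holds the same seed as
# a phone would display it (lower case, space-separated) to exercise cleanup.
SAMPLE_CONFIG = """
[default]
region = us-east-1
aws_access_key_id = EXAMPLEKEYID
aws_secret_access_key = EXAMPLESECRET
mfa_secret = GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ

[account2]
mfa_secret = gezd gnbv gy3t qojq gezd gnbv gy3t qojq
"""


def load_mfa_secret(config_text, profile="default"):
    """Return the mfa_secret for *profile* from ini-style text, or raise KeyError."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    if not parser.has_option(profile, "mfa_secret"):
        raise KeyError("profile %r has no mfa_secret" % profile)
    return parser.get(profile, "mfa_secret")


def decode_base32_secret(secret):
    """Decode a Google Authenticator style base32 seed.

    Seeds are shown without '=' padding and sometimes with spaces or in lower
    case; normalise first so the seed typed into the phone and the one in the
    config file decode to the same bytes.
    """
    cleaned = secret.replace(" ", "").replace("-", "").upper()
    padded = cleaned + "=" * (-len(cleaned) % 8)
    return base64.b32decode(padded, casefold=True)


def hotp(key, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP for a base32 seed at Unix time *at* (default: now)."""
    if at is None:
        at = time.time()
    return hotp(decode_base32_secret(secret), int(at) // step, digits)


def mfa_code(config_text, profile="default", at=None):
    """The 6-digit code for *profile*, as awsotp would print and copy."""
    return totp(load_mfa_secret(config_text, profile), at)


def otpauth_url(secret, label, issuer=None):
    """Build the otpauth:// URL to feed a QR generator (label as on the page)."""
    url = "otpauth://totp/%s?secret=%s" % (quote(label, safe="@"), secret)
    if issuer:
        url += "&issuer=" + quote(issuer, safe="")
    return url


def secret_from_otpauth_url(url):
    """Pull the base32 seed back out of an otpauth URL (e.g. a decoded QR)."""
    parts = urlsplit(url)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URL")
    return parse_qs(parts.query)["secret"][0]


if __name__ == "__main__":
    # Current code for the default profile; clipboard copying is omitted so
    # the example has no third-party dependencies.
    print(mfa_code(SAMPLE_CONFIG, "default"))
```

Run it and compare the printed code with what Google Authenticator shows for the same seed; both should agree within the same 30-second window. The real script's onetimepass module performs the same base32 decode and HMAC-SHA1 truncation, so a mismatch points at the seed in the config file rather than at the algorithm.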

I don't know of a way to do the reverse, extract the code from an already set up Google Authenticator.