Maintaining MFA-Based AWS Cross-Account Credentials

by Brad Campbell | Jun 10, 2016 | Amazon Web Services, Cloud Technology, Uncategorized | 0 comments


The AWS CLI provides a powerful set of tools for large batch jobs as well as simpler day-to-day tasks. When I recently found myself tasked with converting 100+ virtual machine images, totaling over 6TB of data, into AWS AMIs, my first thought was “write a script!”. This ultimately presented a bit of a hurdle: cross-account credentials expire every hour and must be renewed, which is especially painful with long-running processes.

After moving all the images into S3 from a Snowball export, I cooked up a quick shell script to start invoking the ec2-import-image command against the images. The first hiccup occurred upon my discovery that only 20 image import tasks can be running at any one time in an account. Once I had refactored my tooling to accommodate this, it was off to the races… sort of. Since these tasks take a while to run, naturally I wanted to check on their progress periodically. The ec2-describe-import-image-tasks command provided some nice output, including overall status as well as a percentage-based indication of the progress. I fed this output into a jq filter, which would at a quick glance give me some nice high-level output regarding batch status (which I’ll cover in a future post). So, after kicking off my first batch and getting a feel for how often to check back, I grabbed some dinner. When I came back to check, I re-ran the describe-import-image-tasks command I ran earlier: creds expired!

Annoyingly, I was forced every hour to refresh my credential tokens. This meant running the sts assume-role command whenever my credentials had expired, copying the output out of the terminal and into my .aws/credentials file, saving the file, and re-running my initial command. Not cool. To circumvent the issue, I wrote a shell script that automates the retrieval of the new credentials and updates your .aws/credentials file for you. The upshot? Now you can chain this command with other commands. It is designed for accounts where you are required to use an MFA token; without the token requirement, a script like this wouldn’t strictly be needed. We have started a repo where we’ll place tools like this moving forward, and the script is already in the repo (look in the IAM directory). So head over to our GitHub tools repo, clone it, and make managing your cross-account credentials requiring tokens way easy!
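The refresh step described above, as an added sketch (this is not the script from the Blue Sentry repo): it calls sts assume-role with an MFA code and rewrites a single profile in the credentials file with owner-only permissions. The function names, the three-argument command line and the default file path handling are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the repo's script); names and the 3-arg CLI are hypothetical.

# write_profile FILE PROFILE KEY_ID SECRET TOKEN
# Replace (or append) one [PROFILE] section, leaving other profiles intact.
# Runs in a subshell so umask 077 is scoped; the new file is built as a
# private temp file and renamed into place, so it is never half-written.
write_profile() (
  file=$1 profile=$2
  umask 077
  mkdir -p "$(dirname "$file")" && touch "$file" || exit 1
  tmp=$(mktemp "$file.XXXXXX") || exit 1
  # Drop the old section: skip from its header up to the next header.
  awk -v p="[$profile]" '/^\[/ { skip = ($0 == p) } !skip' "$file" > "$tmp" || exit 1
  # printf is a builtin in bash and dash, so secrets stay out of process lists.
  printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n' \
    "$profile" "$3" "$4" "$5" >> "$tmp" || exit 1
  mv "$tmp" "$file"
)

# refresh_profile ROLE_ARN MFA_SERIAL TOKEN_CODE PROFILE [FILE]
# Prints the expiry timestamp of the new session on success.
refresh_profile() (
  file=${5:-$HOME/.aws/credentials}
  # Reject a malformed code locally instead of spending an STS call on it.
  case $3 in
    [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "MFA code must be 6 digits" >&2; exit 2 ;;
  esac
  out=$(aws sts assume-role --role-arn "$1" --role-session-name "cli-$$" \
    --serial-number "$2" --token-code "$3" --output text \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]') || exit 1
  # --output text returns the four fields tab-separated on one line.
  read -r key secret token expiry <<EOF
$out
EOF
  [ -n "$expiry" ] || exit 1
  write_profile "$file" "$4" "$key" "$secret" "$token" || exit 1
  echo "$expiry"
)

# Stand-alone use: sh refresh.sh ROLE_ARN MFA_SERIAL PROFILE (prompts for the code)
if [ "$#" -eq 3 ]; then
  printf 'MFA code: ' >&2
  read -r code
  refresh_profile "$1" "$2" "$code" "$3"
fi
```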
