# AWSMFAProfile.psm1

function Set-AWSMFAProfile {

<#
.SYNOPSIS

Performs AWS STS authentication with MFA token for cross account.

.DESCRIPTION

The Set-AWSMFAProfile function updates the local AWS credential store with
temporary cross-account credentials obtained from STS.

.PARAMETER ParentProfile
Specifies the profile of the central/master account used to log in to AWS. Either store
the access key/secret key in the default profile, or store them under a profile name of your
choice and pass that profile name to the ParentProfile parameter.

.PARAMETER DeviceARN
Specifies the MFA device ARN.
The ARN is located in IAM > My security credentials > Assigned MFA device.

.PARAMETER SessionName
Specifies the name when calling the STS authentication API.

.PARAMETER StoreAs
Specifies the target AWS account to assume as cross account.

.PARAMETER RoleARN
Specifies the ARN of the role to assume, which is authorized to access the target AWS account.

.PARAMETER MFAToken
Specifies the one-time 6-digit code generated by the MFA device/authenticator.

.PARAMETER Duration
Specifies the lifetime of the STS token in seconds.
The default is 4 hours; a longer duration can be set, depending on the IAM policy.

.INPUTS

None. You cannot pipe objects to Set-AWSMFAProfile.ps1.

.OUTPUTS

Set-AWSMFAProfile.ps1 writes status messages if the authentication succeeds.

.EXAMPLE

PS> Set-AWSCredential -AccessKey <YOURACCESSKEY> -SecretKey <YOURSECRETKEY>

PS> Set-AWSMFAProfile -DeviceARN "arn:aws:iam::123456789123:mfa/johndoe@contoso.com" -SessionName "john" -StoreAs "NorthWindTraders" -RoleARN "arn:aws:iam::9876543219876:role/CrossAccountRole" -MFAToken 123456

PS> Get-EC2Instance -ProfileName "NorthWindTraders" -Region "ap-southeast-2"

1. The default credential is defined.
2. Cross-account access to "NorthWindTraders (9876543219876)" is obtained with the "CrossAccountRole" assumed role and stored under the "NorthWindTraders" profile name.
3. Retrieve EC2 instances from the "NorthWindTraders" account.

.EXAMPLE

PS> Set-AWSCredential -AccessKey <YOURACCESSKEY> -SecretKey <YOURSECRETKEY> -StoreAs "Contoso"

PS> Set-AWSMFAProfile -DeviceARN "arn:aws:iam::123456789123:mfa/johndoe@contoso.com" -SessionName "john" -StoreAs "NorthWindTraders" -RoleARN "arn:aws:iam::9876543219876:role/CrossAccountRole" -ParentProfile "Contoso" -Duration 25200 -MFAToken 123456

PS> Get-EC2Instance -ProfileName "NorthWindTraders" -Region "ap-southeast-2"

1. The "Contoso" profile is stored as the parent/master account used to log in to AWS.
2. Cross-account access to "NorthWindTraders (9876543219876)" is obtained with the "CrossAccountRole" assumed role, using "Contoso" as the parent/master profile, and stored under the "NorthWindTraders" profile name; the session expires after 7 hours.
3. Retrieve EC2 instances from the "NorthWindTraders" account.
#>


    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $True)]
        [string]$DeviceARN,
        [Parameter(Mandatory = $True)]
        [string]$SessionName,
        [Parameter(Mandatory = $True)]
        [string]$StoreAs,
        [Parameter(Mandatory = $True)]
        [string]$RoleARN,
        [Parameter(Mandatory = $True)]
        # Kept as a string: an [int] would strip the leading zero from codes such as 012345,
        # and Use-STSRole expects the token code as text anyway.
        [ValidatePattern('^\d{6}$')]
        [string]$MFAToken,
        [string]$ParentProfile = "default",
        [int]$Duration = 14400
    )
    begin {
        try {
            Import-Module -Name "AWSPowerShell" -ErrorAction SilentlyContinue
            Import-Module -Name "AWS.Tools.Common" -ErrorAction SilentlyContinue
            Import-Module -Name "AWS.Tools.SecurityToken" -ErrorAction SilentlyContinue
            # -ErrorAction Stop is required: otherwise a missing cmdlet raises only a
            # non-terminating error and the catch block never runs.
            Get-Command -Name Use-STSRole -ErrorAction Stop | Out-Null
            Get-Command -Name Set-AWSCredential -ErrorAction Stop | Out-Null
        }
        catch {
            # 'break' outside a loop would abort the caller's script; raise a terminating error instead.
            $PSCmdlet.ThrowTerminatingError($PSItem)
        }
    }
    process {
        try {
            # Assume the target role with the parent profile's long-lived keys plus the MFA code.
            $STSCred = Use-STSRole `
                -SerialNumber $DeviceARN `
                -RoleArn $RoleARN `
                -RoleSessionName $SessionName `
                -DurationInSeconds $Duration `
                -ProfileName $ParentProfile `
                -TokenCode $MFAToken `
                -ErrorAction Stop
            Write-Output "Temporary session token for '$StoreAs' is generated successfully (expires $($STSCred.Credentials.Expiration))."

            Set-AWSCredential `
                -StoreAs $StoreAs `
                -AccessKey $STSCred.Credentials.AccessKeyId `
                -SecretKey $STSCred.Credentials.SecretAccessKey `
                -SessionToken $STSCred.Credentials.SessionToken
            Write-Output "Profile '$StoreAs' is successfully updated in local AWS Credential."
        }
        catch {
            # 'break' outside a loop would abort the caller's script; raise a terminating error instead.
            $PSCmdlet.ThrowTerminatingError($PSItem)
        }
    }
    end {
    }
}

Export-ModuleMember -Function Set-AWSMFAProfile
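Set-AWSMFAProfile writes the temporary credentials into the local store but does not verify what they resolve to. The following companion function is an added example, not part of the AWSMFAProfile module: it calls the real AWS.Tools.SecurityToken cmdlet Get-STSCallerIdentity against the stored profile and checks that the identity is the assumed role with the expected session name, rather than the parent account's long-lived keys. It assumes AWS.Tools.SecurityToken is loaded and the profile already exists; the function name Test-AWSMFAProfile and the `<TARGETACCOUNTID>` placeholder are mine. It also handles a role ARN that carries an IAM path, which STS drops from the reported assumed-role ARN.

```powershell
function Test-AWSMFAProfile {
    <#
    .SYNOPSIS
    Confirms that a profile written by Set-AWSMFAProfile holds the assumed role's
    temporary credentials, not the parent account's long-lived access keys.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $True)]
        [string]$ProfileName,
        [Parameter(Mandatory = $True)]
        [string]$RoleARN,
        [Parameter(Mandatory = $True)]
        [string]$SessionName
    )

    # An IAM role ARN may carry a path, e.g. arn:aws:iam::<TARGETACCOUNTID>:role/ops/CrossAccountRole.
    # The assumed-role ARN that STS reports omits the path and keeps only the role name,
    # so take the last segment after '/'. AWS account ids are 12 digits.
    if ($RoleARN -notmatch '^arn:aws:iam::(\d{12}):role/(.+)$') {
        throw "'$RoleARN' is not an IAM role ARN."
    }
    $Account     = $Matches[1]
    $RoleName    = ($Matches[2] -split '/')[-1]
    $ExpectedArn = "arn:aws:sts::${Account}:assumed-role/${RoleName}/${SessionName}"

    # Get-STSCallerIdentity needs no IAM permission, so it is a safe probe of whatever
    # credentials the profile holds. -ErrorAction Stop turns a missing or expired
    # profile into a terminating error that the caller can catch.
    $Identity = Get-STSCallerIdentity -ProfileName $ProfileName -ErrorAction Stop

    [PSCustomObject]@{
        ProfileName   = $ProfileName
        ExpectedArn   = $ExpectedArn
        ActualArn     = $Identity.Arn
        Account       = $Identity.Account
        IsAssumedRole = ($Identity.Arn -eq $ExpectedArn)
    }
}

# Usage (placeholder account id; session name as in the module's own examples):
# Test-AWSMFAProfile -ProfileName "NorthWindTraders" `
#     -RoleARN "arn:aws:iam::<TARGETACCOUNTID>:role/CrossAccountRole" -SessionName "john"
```

If IsAssumedRole is false after a successful Set-AWSMFAProfile run, the profile name was most likely reused for a different credential set, or the stored session has expired and a fallback credential source is being picked up; either case is worth treating as a misconfiguration rather than retrying blindly.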