AWSMFAProfile

1.0.1

AWSMFAProfile.psm1

                                function Set-AWSMFAProfile {

<#

.SYNOPSIS

Performs AWS STS authentication with MFA token for cross account.

.DESCRIPTION

The Set-AWSMFAProfile updates the local AWS crendential for cross account

by using the STS.

.PARAMETER ParentProfile

Specifies the central/master account that login to the AWS. Set the Default

profile with Access key/Secret key or set desired profile name and ensure that the desired profile

name is provided when using the ParentProfile parameter.

.PARAMETER DeviceARN

Specifies the MFA device ARN.

The ARN is located in IAM > My security credentials > Assigned MFA device.

.PARAMETER SessionName

Specifies the name when calling the STS authentication API.

.PARAMETER StoreAs

Specifies the target AWS account to assume as cross account.

.PARAMETER RoleARN

Specifies the assumed role ARN which has authorize to the target AWS account.

.PARAMETER MFAToken

Specifies the one-time 6 digits code generated by the MFA device/authenticator.

.PARAMETER Duration

Specifies the expiration time in seconds where the STS token can last.

Default is 4 hours but can be set longer duration depends on the IAM policy.

.INPUTS

None. You cannot pipe objects to Set-AWSMFAProfile.ps1.

.OUTPUTS

Set-AWSMFAProfile.ps1 output if the authentication is successed.

.EXAMPLE

PS> Set-AWSCredential -AccessKey <YOURACCESSKEY> -SecretKey <YOURSECRETKEY>

PS> Set-AWSMFAProfile -DeviceARN "arn:aws:iam::123456789123:mfa/johndoe@contoso.com" -SessionName "john" -StoreAs "NorthWindTraders" -RoleARN "arn:aws:iam::9876543219876:role/CrossAccountRole" -MFAToken 123456

PS> Get-EC2Instance -ProfileName "NorthWindTraders" -Region "ap-southeast-2"

1. The defualt credential is defined.

2. Cross account access to "NorthWindTraders (9876543219876)" with "CrossAccountRole" assumed role and stored under "NorthWindTraders" profile name.

3. Retrieve EC2 instances from "NorthWindTraders" account.

.EXAMPLE

PS> Set-AWSCredential -AccessKey <YOURACCESSKEY> -SecretKey <YOURSECRETKEY> -StoreAs "Contoso"

PS> Set-AWSMFAProfile -DeviceARN "arn:aws:iam::123456789123:mfa/johndoe@contoso.com" -SessionName "john" -StoreAs "NorthWindTraders" -RoleARN "arn:aws:iam::9876543219876:role/CrossAccountRole" -ParentProfile "Contoso" -Duration 25200 -MFAToken 123456

PS> Get-EC2Instance -ProfileName "NorthWindTraders" -Region "ap-southeast-2"

1. Set "Contoso" profile name as parent/master account which used to login to AWS.

2. Cross account access to "NorthWindTraders (9876543219876)" with "CrossAccountRole" assumed role and stored under "NorthWindTraders" profile name by using "Contoso" as parent/master profile where the session is expired after 7 hours.

3. Retrieve EC2 instances from "NorthWindTraders" account.

#>

    [CmdletBinding(SupportsShouldProcess, ConfirmImpact='Medium')]

    param (

        [Parameter(Mandatory = $True)]

        [string]$DeviceARN,

        [Parameter(Mandatory = $True)]

        [string]$SessionName,

        [Parameter(Mandatory = $True)]

        [string]$StoreAs,

        [Parameter(Mandatory = $True)]

        [string]$RoleARN,

        [Parameter(Mandatory = $True)]

        [string]$MFAToken,

        $ParentProfile = "default",

        [int]$Duration = 14400

    )

    begin {

        try {

            # Importing necessory modules

            Import-Module -Name "AWSPowerShell" -ErrorAction SilentlyContinue

            Import-Module -Name "AWS.Tools.Common" -ErrorAction SilentlyContinue

            Import-Module -Name "AWS.Tools.SecurityToken" -ErrorAction SilentlyContinue

            # Double check if the required commands are present

            Get-Command -Name Use-STSRole | Out-Null

            Get-Command -Name Set-AWSCredential | Out-Null

        }

        catch {

            Write-Error $PSItem.ToString()

            break

        }

    }

    process {

        # Beginning of the process

        if ($PSCmdlet.ShouldProcess("Updates the '$StoreAs' profile with new temporary STS token credential")) {

            try {

                # Cleanup STSCred variable and ensure it is not set

                Clear-Variable -Name STSCred -ErrorAction SilentlyContinue

                # Getting the temporary STS token

                $STSCred = Use-STSRole `

                    -SerialNumber $DeviceARN `

                    -RoleArn $RoleARN `

                    -RoleSessionName $SessionName `

                    -DurationInSeconds $Duration `

                    -ProfileName $ParentProfile `

                    -TokenCode $MFAToken

                Write-Output "Temporary session token for '$StoreAs' is generated successfully."

                # If the temprary token is able generated, proceed

                if ($STSCred) {

                    # Update/Overwirte the profile session in local AWS credential file

                    Set-AWSCredential `

                        -StoreAs $StoreAs `

                        -AccessKey $STSCred.Credentials.AccessKeyId `

                        -SecretKey $STSCred.Credentials.SecretAccessKey `

                        -SessionToken $STSCred.Credentials.SessionToken

                    Write-Output "Profile '$StoreAs' is successfully updated in local AWS credential."

                }

                else {

                    Write-Output "Temporary session token for '$StoreAs'is failed to generated."

                }

            }

            catch {

                Write-Error $PSItem.ToString()

                break

            }

        }

    }

    end {

    }

}

Export-ModuleMember -Function Set-AWSMFAProfile