From ce0d13814e1422e4f0796ecfc36c2d53749c5074 Mon Sep 17 00:00:00 2001
From: Russell Davies
Date: Wed, 15 May 2024 23:11:09 +0200
Subject: [PATCH] Update Yubikey scripts to support device name

---
 contrib/scripts/aws-iam-create-yubikey-mfa.sh | 15 ++++++++++++---
 contrib/scripts/aws-iam-resync-yubikey-mfa.sh | 11 ++++++++---
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/contrib/scripts/aws-iam-create-yubikey-mfa.sh b/contrib/scripts/aws-iam-create-yubikey-mfa.sh
index 76f0bf2ff..3c6c96b3e 100755
--- a/contrib/scripts/aws-iam-create-yubikey-mfa.sh
+++ b/contrib/scripts/aws-iam-create-yubikey-mfa.sh
@@ -1,6 +1,7 @@
 #!/bin/sh
-# Adds a Yubikey TOTP device to IAM using your IAM User as the $MFA_DEVICE_NAME
-# Currently, aws iam enable-mfa-device doesn't support specifying your MFA Device Name.
+# Adds a Yubikey TOTP device to IAM user.
+# By default the device name is set to "YubiKey-" but can be
+# overridden with the $MFA_DEVICE_NAME environment variable.
 
 set -eu
 
@@ -9,6 +10,11 @@ if [ -n "${AWS_SESSION_TOKEN:-}" ]; then
 exit 1
 fi
 
+if [ -z "${MFA_DEVICE_NAME:-}" ]; then
+ MFA_DEVICE_NAME=YubiKey-$(ykman list --serials | tr -d '\n')
+fi
+
+
 ACCOUNT_ARN=$(aws sts get-caller-identity --query Arn --output text)
 
 # Assume that the final portion of the ARN is the username
@@ -19,7 +25,7 @@ OUTFILE=$(mktemp)
 trap 'rm -f "$OUTFILE"' EXIT
 
 SERIAL_NUMBER=$(aws iam create-virtual-mfa-device \
- --virtual-mfa-device-name "$USERNAME" \
+ --virtual-mfa-device-name "$MFA_DEVICE_NAME" \
 --bootstrap-method Base32StringSeed \
 --outfile "$OUTFILE" \
 --query VirtualMFADevice.SerialNumber \
@@ -40,3 +46,6 @@ aws iam enable-mfa-device \
 --serial-number "$SERIAL_NUMBER" \
 --authentication-code1 "$CODE1" \
 --authentication-code2 "$CODE2"
+
+echo "mfa_serial = $SERIAL_NUMBER"
+echo "mfa_process = ykman oath accounts code --single $SERIAL_NUMBER"
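Review bot: The new header comment in the first hunk states the default name as `"YubiKey-"`, which reads as if that were the whole name, while the assignment added further down builds `YubiKey-<serial>` from `ykman list --serials`. Saying so avoids a surprise when the user later has to find the device in IAM: `# By default the device name is "YubiKey-<serial>" (serial taken from 'ykman list --serials'), but it can be`. The same comment text is used in the first hunk of aws-iam-resync-yubikey-mfa.sh and should be corrected there too.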
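Review bot: The default-name derivation in the second hunk, `MFA_DEVICE_NAME=YubiKey-$(ykman list --serials | tr -d '\n')`, cannot fail and does not check how many serials came back: with no key connected (or ykman failing, whose status the `tr` stage hides from `set -e`) the name is just `YubiKey-`, and with two keys connected the two serials are glued into one name that matches neither device. That name is then used to register a new IAM virtual MFA device in the third hunk, so a wrongly derived name produces a device the later resync script (which builds its ARN from the same default) will never find. The fix below aborts unless exactly one serial is returned, assuming serials are the decimal numbers `ykman list --serials` prints; the identical block in the first hunk of aws-iam-resync-yubikey-mfa.sh needs the same treatment, and the two scripts should also agree on quoting the assignment (resync quotes it, create does not). The extra pair of blank `+` lines after `fi` in this hunk can be reduced to one.
```shell
if [ -z "${MFA_DEVICE_NAME:-}" ]; then
  YK_SERIALS=$(ykman list --serials)
  # Exactly one decimal serial is expected: empty means no key was found,
  # a newline or other non-digit means more than one key (or unexpected output).
  case $YK_SERIALS in
    ''|*[!0-9]*)
      echo "Expected exactly one connected YubiKey, got: '$YK_SERIALS'; set MFA_DEVICE_NAME explicitly" >&2
      exit 1
      ;;
  esac
  MFA_DEVICE_NAME="YubiKey-$YK_SERIALS"
fi
# … unchanged: ACCOUNT_ARN lookup …
```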
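Review bot: The two `echo` lines added in the last hunk print `mfa_serial` and `mfa_process` settings with no indication of where they are meant to go, and they are the only place the freshly created device ARN is surfaced to the user. A short comment would make the intent clear: `# Print the profile settings that pair this IAM device with the YubiKey; copy them into the matching config profile`. Which configuration file consumes these keys is not visible from this hunk, so the comment should name it only if the maintainer can confirm it.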
diff --git a/contrib/scripts/aws-iam-resync-yubikey-mfa.sh b/contrib/scripts/aws-iam-resync-yubikey-mfa.sh
index 4ce8d6519..e9cc25f8e 100755
--- a/contrib/scripts/aws-iam-resync-yubikey-mfa.sh
+++ b/contrib/scripts/aws-iam-resync-yubikey-mfa.sh
@@ -1,9 +1,14 @@
 #!/bin/sh
-# Resync a Yubikey TOTP device to IAM using your IAM User as the $MFA_DEVICE_NAME
-# Currently, aws iam resync-mfa-device doesn't support specifying your MFA Device Name.
+# Resync a Yubikey TOTP device to IAM user
+# By default the device name is set to "YubiKey-" but can be
+# overridden with the $MFA_DEVICE_NAME environment variable.
 
 set -eu
 
+if [ -z "${MFA_DEVICE_NAME:-}" ]; then
+ MFA_DEVICE_NAME="YubiKey-$(ykman list --serials | tr -d '\n')"
+fi
+
 ACCOUNT_ARN=$(aws sts get-caller-identity --query Arn --output text)
 
 # Assume that the final portion of the ARN is the username
@@ -11,7 +16,7 @@ ACCOUNT_ARN=$(aws sts get-caller-identity --query Arn --output text)
 USERNAME=$(echo "$ACCOUNT_ARN" | rev | cut -d/ -f1 | rev)
 ACCOUNT_ID=$(echo "$ACCOUNT_ARN" | cut -d: -f5)
 
-SERIAL_NUMBER="arn:aws:iam::${ACCOUNT_ID}:mfa/${USERNAME}"
+SERIAL_NUMBER="arn:aws:iam::${ACCOUNT_ID}:mfa/${MFA_DEVICE_NAME}"
 
 CODE1=$(ykman oath accounts code -s "$SERIAL_NUMBER")