Generates the same MFA code that would be generated by Google Authenticator.
It reads the value of mfa_secret
from a profile of the AWS credentials file
and return the 6 character code used in MFA authentication. The code is also
placed into the clipboard.
It takes --profile
and --config
as arguments, so although it uses the AWS
credentials file by default, it can work with any .ini style configuration.
All it needs is a file like:
[account1]
mfa_secret = SECRETOFACCOUNT1
[account2]
mfa_secret = SECONDSECRET
Compatible with both Python 2 and 3.
Needs the onetimepass
and pyperclip
modules. Both of them can be installed
using pip. Both are on GitHub.
onetimepass
can be found here: https://github.com/tadeck/onetimepass
pyperclip
can be found here: https://github.com/asweigart/pyperclip
When a new MFA virtual device is being set up in AWS, a screen pops up, like the one below. What we need is the 'secret key for manual configuration'. The QR code actually translates into an otpauth URL containing that secret key.
The config file (~/.aws/credentials) section (profile) for the above image should looks similar to:
[default]
region = us-east-1
aws_access_key_id = BANANANANANANANPHONE
aws_secret_access_key = OhYesOfCourseThisIsARealSecretStringHere
mfa_secret = B25ARDS3XOTDLKVYBSCQJELZE3Z5DGJV7NIBBRXHUD3TKK5QVEP53JW5US4EYSXH
The config file and Google Authenticator (or whatever else) on the phone can be set up at the same time, so that there's a backup in case one of them isn't working.
The QR code can be generated later using any QR generator. The string that
that should be fed to the generator for the mfa_secret above is
otpauth://totp/username@awsaccount?secret=B25ARDS3XOTDLKVYBSCQJELZE3Z5DGJV7NIBBRXHUD3TKK5QVEP53JW5US4EYSXH
.
Where username@awsaccount
is going to be interpreted by Google Authenticator
as the name to give to the code.
I don't know of a way to do the reverse, extract the code from an already set up Google Authenticator.