Was only vaguely aware there was a CLI version of 1P until recently.
Most of the AWS accounts I deal with only require MFA for the web console login, not for api/sdk credentials. A few weeks ago I was given a new account to work with that has MFA turned on for both. I thought it was going to be a huge pain, and that it would be easier to just ask: can we please turn off MFA for the access_key+secret_key auth?
I started digging into the AWS docs, and looking at how to deal with the OTP that lives in 1P. Obviously, there's no reasonable way to write a useful script, or use tools like Terraform, when faced with an MFA that
Turns out the 1P cli tool is pretty dang easy to work with. It's probably the least complicated part of my aws-mfa-login shell script. It checks for a valid session, gets the TOTP (asks for 1P password), fetches the tokens from AWS and caches them. AWS limits the cached token's validity to 36 hours, but that's more than enough. Next time, just run aws-mfa-login - the only thing needed is to respond to the 1P vault password prompt about once/day. Surprisingly straightforward.
I'm sure the CLI (and Linux versions) only see a tiny fraction of the usage of their desktop counterparts, but dang has the CLI made my job way easier. Hope you guys know the effort is appreciated and hasn't been for nothing.
Sidenote: one of the things I learned from this is that your ~/.aws/config will happily store arbitrary key/value pairs. This means you can have your 1P item uuid with the aws credential profile, so that it's available to be given to the 1P CLI in a script automagically.
1Password Version: 1.12.3 CLI
Extension Version: Not Provided
OS Version: macOS 11.5.2
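A sketch of the flow described above (check cache, get TOTP from 1Password, call STS, cache the result), written as an added example rather than the poster's own aws-mfa-login script. It uses the v1 `op` syntax matching the CLI version listed; the profile name, the MFA device ARN, the cache location and the custom `op_item` config key are assumptions.

```shell
#!/usr/bin/env sh
# aws-mfa-login, a constructed example (not the poster's script): get a TOTP from
# the 1Password CLI (v1 syntax, as in 1.12.3), trade it for STS session creds,
# cache them. Assumed ~/.aws/config keys under [profile work]: mfa_serial (the
# MFA device ARN) and op_item (custom key holding the 1Password item uuid).
set -eu
PROFILE="${1:-work}"
CACHE_DIR="${AWS_MFA_CACHE_DIR:-$HOME/.aws/mfa-cache}"
OP_ACCOUNT="${OP_ACCOUNT:-my}"   # shorthand chosen at the very first op signin
DURATION=129600                  # 36 h, the STS ceiling for get-session-token
MARGIN=300                       # refresh 5 min before the real expiry

# session_valid FILE: succeed if FILE holds an expires=<epoch> still ahead of now.
session_valid() {
  [ -r "$1" ] || return 1
  exp=$(sed -n 's/^expires=//p' "$1" | head -n 1)
  [ -n "$exp" ] && [ "$(date +%s)" -lt $((exp - MARGIN)) ]
}
# write_cache FILE KEY SECRET TOKEN EXPIRES: plaintext, like ~/.aws/credentials,
# so create it owner-only (umask in a subshell leaves the caller untouched).
write_cache() {
  ( umask 077 && mkdir -p "$(dirname "$1")" &&
    printf 'access_key=%s\nsecret_key=%s\nsession_token=%s\nexpires=%s\n' \
      "$2" "$3" "$4" "$5" > "$1" )
}
# emit_exports FILE: print the cached credentials as AWS_* export lines.
emit_exports() {
  sed -n -e 's/^access_key=/export AWS_ACCESS_KEY_ID=/p' \
         -e 's/^secret_key=/export AWS_SECRET_ACCESS_KEY=/p' \
         -e 's/^session_token=/export AWS_SESSION_TOKEN=/p' "$1"
}
# fetch_session PROFILE FILE: 1P prompts for the vault password, hands back the
# TOTP, and STS swaps it plus PROFILE's long-term keys for session credentials.
fetch_session() {
  serial=$(aws configure get mfa_serial --profile "$1")
  item=$(aws configure get op_item --profile "$1")
  eval "$(op signin "$OP_ACCOUNT")"          # exports OP_SESSION_<account>
  code=$(op get totp "$item")
  creds=$(aws sts get-session-token --profile "$1" --serial-number "$serial" \
            --token-code "$code" --duration-seconds "$DURATION" --output json)
  write_cache "$2" "$(printf '%s' "$creds" | jq -r .Credentials.AccessKeyId)" \
    "$(printf '%s' "$creds" | jq -r .Credentials.SecretAccessKey)" \
    "$(printf '%s' "$creds" | jq -r .Credentials.SessionToken)" \
    "$(( $(date +%s) + DURATION ))"          # expiry from the local clock
}
main() {
  session_valid "$CACHE_DIR/$PROFILE" || fetch_session "$PROFILE" "$CACHE_DIR/$PROFILE"
  emit_exports "$CACHE_DIR/$PROFILE"
}
[ $# -eq 0 ] || main "$@"   # usage: eval "$(aws-mfa-login work)"
```

The cache file holds the session credentials in plaintext, exactly as ~/.aws/credentials would, which is why it is created owner-only and expires on its own.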