Menu
AWS Identity and Access Management
User Guide

Sample Code: Requesting Credentials with Multi-factor Authentication

The following examples show how to call GetSessionTokenRole and AssumeRole and pass MFA authentication. The credentials returned are then used to list all S3 buckets in the account.

Calling GetSessionToken with MFA Authentication (Python and C#)

The following examples, written using the AWS SDK for Python (Boto) and AWS SDK for .NET, show how to call GetSessionToken and pass MFA authentication information. The temporary security credentials returned by GetSessionTokenRole are then used to list all S3 buckets in the account.

The policy attached to the user who runs this code (or to a group that the user is in) is assumed to include an MFA check. The policy also needs to grant the user permission to request the Amazon S3 ListBuckets action.

Using Python

Copy
import boto from boto.s3.connection import S3Connection from boto.sts import STSConnection # Prompt for MFA time-based one-time password (TOTP) mfa_TOTP = raw_input("Enter the MFA code: ") # The calls to AWS STS GetSessionToken must be signed with the access key ID and secret # access key of an IAM user. The credentials can be in environment variables or in # a configuration file and will be discovered automatically # by the STSConnection() function. For more information, see the Python SDK # documentation: http://boto.readthedocs.org/en/latest/boto_config_tut.html sts_connection = STSConnection() # Use the appropriate device ID (serial number for hardware device or ARN for virtual device). # Replace ACCOUNT-NUMBER-WITHOUT-HYPHENS and MFA-DEVICE-ID with appropriate values. tempCredentials = sts_connection.get_session_token( duration=3600, mfa_serial_number="&region-arn;iam::ACCOUNT-NUMBER-WITHOUT-HYPHENS:mfa/MFA-DEVICE-ID", mfa_token=mfa_TOTP ) # Use the temporary credentials to list the contents of an S3 bucket s3_connection = S3Connection( aws_access_key_id=tempCredentials.access_key, aws_secret_access_key=tempCredentials.secret_key, security_token=tempCredentials.session_token ) # Replace BUCKET-NAME with an appropriate value. bucket = s3_connection.get_bucket(bucket_name="BUCKET-NAME") objectlist = bucket.list() for obj in objectlist: print obj.name

Using C#

Copy
Console.Write("Enter MFA code: "); string mfaTOTP = Console.ReadLine(); // Get string from user /* The calls to AWS STS GetSessionToken must be signed using the access key ID and secret access key of an IAM user. The credentials can be in environment variables or in a configuration file and will be discovered automatically by the AmazonSecurityTokenServiceClient constructor. For more information, see http://docs.aws.amazon.com/AWSSdkDocsNET/latest/DeveloperGuide/net-dg-config-creds.html */ AmazonSecurityTokenServiceClient stsClient = new AmazonSecurityTokenServiceClient(); GetSessionTokenRequest getSessionTokenRequest = new GetSessionTokenRequest(); getSessionTokenRequest.DurationSeconds = 3600; // Replace ACCOUNT-NUMBER-WITHOUT-HYPHENS and MFA-DEVICE-ID with appropriate values getSessionTokenRequest.SerialNumber = "arn:aws:iam::ACCOUNT-NUMBER-WITHOUT-HYPHENS:mfa/MFA-DEVICE-ID"; getSessionTokenRequest.TokenCode = mfaTOTP; GetSessionTokenResponse getSessionTokenResponse = stsClient.GetSessionToken(getSessionTokenRequest); // Extract temporary credentials from result of GetSessionToken call GetSessionTokenResult getSessionTokenResult = getSessionTokenResponse.GetSessionTokenResult; string tempAccessKeyId = getSessionTokenResult.Credentials.AccessKeyId; string tempSessionToken = getSessionTokenResult.Credentials.SessionToken; string tempSecretAccessKey = getSessionTokenResult.Credentials.SecretAccessKey; SessionAWSCredentials tempCredentials = new SessionAWSCredentials(tempAccessKeyId, tempSecretAccessKey, tempSessionToken); // Use the temporary credentials to list the contents of an S3 bucket // Replace BUCKET-NAME with an appropriate value ListObjectsRequest S3ListObjectsRequest = new ListObjectsRequest(); S3ListObjectsRequest.BucketName = "BUCKET-NAME"; S3Client = AWSClientFactory.CreateAmazonS3Client(tempCredentials); ListObjectsResponse S3ListObjectsResponse = S3Client.ListObjects(S3ListObjectsRequest); foreach (S3Object s3Object in S3ListObjectsResponse.S3Objects) { Console.WriteLine(s3Object.Key); }

Calling AssumeRole with MFA Authentication (Python)

The following example, written using the AWS SDK for Python (Boto), shows how to call AssumeRole and pass MFA authentication information. The temporary security credentials returned by AssumeRole are then used to list all Amazon S3 buckets in the account.

For more information about this scenario, see Scenario: MFA Protection for Cross-Account Delegation.

Copy
import boto from boto.s3.connection import S3Connection from boto.sts import STSConnection # Prompt for MFA time-based one-time password (TOTP) mfa_TOTP = raw_input("Enter the MFA code: ") # The calls to AWS STS AssumeRole must be signed with the access key ID and secret # access key of an IAM user. (The AssumeRole API can also be called using temporary # credentials, but this example does not show that scenario.) # The IAM user credentials can be in environment variables or in # a configuration file and will be discovered automatically # by the STSConnection() function. For more information, see the Python SDK # documentation: http://boto.readthedocs.org/en/latest/boto_config_tut.html sts_connection = STSConnection() # Use appropriate device ID (serial number for hardware device or ARN for virtual device) # Replace ACCOUNT-NUMBER-WITHOUT-HYPHENS, ROLE-NAME, and MFA-DEVICE-ID with appropriate values tempCredentials = sts_connection.assume_role( role_arn="arn:aws:iam::ACCOUNT-NUMBER-WITHOUT-HYPHENS:role/ROLE-NAME", role_session_name="AssumeRoleSession1", mfa_serial_number="arn:aws:iam::ACCOUNT-NUMBER-WITHOUT-HYPHENS:mfa/MFA-DEVICE-ID", mfa_token=mfa_TOTP ) # Use the temporary credentials to list the contents of an S3 bucket s3_connection = S3Connection( aws_access_key_id=tempCredentials.credentials.access_key, aws_secret_access_key=tempCredentials.credentials.secret_key, security_token=tempCredentials.credentials.session_token ) # Replace BUCKET-NAME with a real bucket name bucket = s3_connection.get_bucket(bucket_name="BUCKET-NAME") objectlist = bucket.list() for obj in objectlist: print obj.name