Log in users with MFA enabled - AWS CloudHSM

Log in users with MFA enabled

Follow these steps to log in users with MFA enabled.

  1. Use the login mfa-token-sign command in CloudHSM CLI to start the login process with MFA for a user who has MFA enabled.

    aws-cloudhsm > login --username <USERNAME> --role <ROLE> mfa-token-sign --token unsigned-tokens.json
    Enter password:

  2. Enter your password. You will then be prompted to enter the path to the token file which contains unsigned/signed token pairs, where signed tokens are those generated by using your private key.

    aws-cloudhsm > login --username <USERNAME> --role <ROLE> mfa-token-sign --token unsigned-tokens.json
    Enter password:
    Enter signed token file path (press enter if same as the unsigned token file):

  3. While prompted to enter the signed token file path, you can inspect the unsigned token file in a separate terminal. Identify the file with unsigned tokens that need to be signed: unsigned-tokens.json. The number of tokens in this file depends on the number of HSMs in your cluster. Each token represents one HSM. This file is JSON formatted and contains tokens that need to be signed to prove you have a private key.

    $ cat unsigned-tokens.json
    {
      "version": "2.0",
      "tokens": [
        {
          "unsigned": "Vtf/9QOFY45v/E1osvpEMr59JsnP/hLDm4ItOO2vqL8=",
          "signed": ""
        },
        {
          "unsigned": "wVbC0/5IKwjyZK2NBpdFLyI7BiayZ24YcdUdlcxLwZ4=",
          "signed": ""
        },
        {
          "unsigned": "z6aW9RzErJBL5KqFG5h8lhTVt9oLbxppjod0Ebysydw=",
          "signed": ""
        }
      ]
    }

  4. Sign the unsigned tokens with the private key created in step 2. First you have to extract and decode the base64 encoded tokens.

    $ echo "Vtf/9QOFY45v/E1osvpEMr59JsnP/hLDm4ItOO2vqL8=" > token1.b64
    $ echo "wVbC0/5IKwjyZK2NBpdFLyI7BiayZ24YcdUdlcxLwZ4=" > token2.b64
    $ echo "z6aW9RzErJBL5KqFG5h8lhTVt9oLbxppjod0Ebysydw=" > token3.b64
    $ base64 -d token1.b64 > token1.bin
    $ base64 -d token2.b64 > token2.bin
    $ base64 -d token3.b64 > token3.bin

  5. You now have binary tokens. Sign them using the RSA private key you previously created in step 1 of MFA setup.

    $ openssl pkeyutl -sign \
        -inkey officer1.key \
        -pkeyopt digest:sha256 \
        -keyform PEM \
        -in token1.bin \
        -out token1.sig.bin
    $ openssl pkeyutl -sign \
        -inkey officer1.key \
        -pkeyopt digest:sha256 \
        -keyform PEM \
        -in token2.bin \
        -out token2.sig.bin
    $ openssl pkeyutl -sign \
        -inkey officer1.key \
        -pkeyopt digest:sha256 \
        -keyform PEM \
        -in token3.bin \
        -out token3.sig.bin

  6. You now have binary signatures of the tokens. Encode them using base64, and place them back in your token file.

    $ base64 -w0 token1.sig.bin > token1.sig.b64
    $ base64 -w0 token2.sig.bin > token2.sig.b64
    $ base64 -w0 token3.sig.bin > token3.sig.b64

  7. Finally, copy and paste the base64 values back into your token file:

    {
      "version": "2.0",
      "tokens": [
        {
          "unsigned": "1jqwxb9bJOUUQLiNb7mxXS1uBJsEXh0B9nj05BqnPsE=",
          "signed": "eiw3fZeCKIY50C4zPeg9Rt90M1Qlq3WlJh6Yw7xXm4nF6e9ETLE39+9M+rUqDWMRZjaBfaMbg5d9yDkz5p13U7ch2tlF9LoYabsWutkT014KRq/rcYMvFsU9n/Ey/TK0PVaxLN42X+pebV4juwMhN4mK4CzdFAJgM+UGBOj4yB9recpOBB9K8QFSpJZALSEdDgUc/mS1eDq3rU0int6+4NKuLQjpR+LSEIWRZ6g6+MND2vXGskxHjadCQ09L7Tz8VcWjKDbxJcBiGKvkqyozl9zrGo8fA3WHBmwiAgS61Merx77ZGY4PFR37+j/YMSC14prCN15DtMRv2xA1SGSb4w=="
        },
        {
          "unsigned": "LMMFc34ASPnvNPFzBbMbr9FProS/Zu2P8zF/xzk5hVQ=",
          "signed": "HBImKnHmw+6R2TpFEpfiAg4+hu2pFNwn43ClhKPkn2higbEhUD0JVi+4MerSyvU/NN79iWVxDvJ9Ito+jpiRQjTfTGEoIteyuAr1v/Bzh+HjmrO53OQpZaJ/VXGIgApD0myuu/ZGNKQTCSkkL7+V81FG7yR1Nm22jUeGa735zvm/E+cenvZdy0VVx6A7WeWrl3JEKKBweHbi+7BwbaW+PTdCuIRd4Ug76Sy+cFhsvcG1k7cMwDh8MgXzIZ2m1f/hdy2j8qAxORTLlmwyUOYvPYOvUhc+s83hx36QpGwGcD7RA0bPT5OrTx7PHd0N1CL+Wwy91We8yIOFBS6nxo1R7w=="
        },
        {
          "unsigned": "dzeHbwhiVXQqcUGj563z51/7sLUdxjL93SbOUyZRjH8=",
          "signed": "VgQPvrTsvGljVBFxHnswduq16x8ZrnxfcYVYGf/N7gEzI4At3GDs2EVZWTRdvS0uGHdkFYp1apHgJZ7PDVmGcTkIXVD2lFYppcgNlSzkYlftr5EOjqS9ZjYEqgGuB4g//MxaBaRbJai/6BlcE92NIdBusTtreIm3yTpjIXNAVoeRSnkfuw7wZcL96QoklNb1WUuSHw+psUyeIVtIwFMHEfFoRC0t+VhmnlnFnkjGPb9W3Aprw2dRRvFM3R2ZTDvMCiOYDzUCd43GftGq2LfxH3qSD51oFHglHQVOY0jyVzzlAvub5HQdtOQdErIeO0/9dGx5yot07o3xaGl5yQRhwA=="
        }
      ]
    }

  8. Now that your token file has all the required signatures, you can proceed. Enter the name of the file containing the signed tokens and press the enter key. You should now log in successfully.

    aws-cloudhsm > login --username <USERNAME> --role <ROLE> mfa-token-sign --token unsigned-tokens.json
    Enter password:
    Enter signed token file path (press enter if same as the unsigned token file):
    {
      "error_code": 0,
      "data": {
        "username": "<USERNAME>",
        "role": "<ROLE>"
      }
    }
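
Steps 4 through 7 can be done in one pass instead of by hand for each token. The script below is an added example, not part of the AWS documentation or CloudHSM CLI: it decodes every unsigned token, signs it with the same `openssl pkeyutl` options as step 5, and writes the base64 signatures back into the token file. The function names and the script name `sign_tokens.py` are hypothetical, and it assumes `openssl` is on the PATH.

```python
import base64
import json
import subprocess
import sys


def openssl_sign(key_path):
    """Signer that runs the step 5 command, using stdin/stdout for -in/-out."""
    cmd = ["openssl", "pkeyutl", "-sign", "-inkey", key_path,
           "-pkeyopt", "digest:sha256", "-keyform", "PEM"]
    return lambda token: subprocess.run(
        cmd, input=token, capture_output=True, check=True).stdout


def sign_token_file(doc, signer):
    """Fill every empty "signed" field in place; return how many were signed."""
    tokens = doc.get("tokens")
    if not tokens:
        raise ValueError("token file contains no tokens")
    count = 0
    for i, entry in enumerate(tokens):
        raw = base64.b64decode(entry["unsigned"], validate=True)
        # With digest:sha256, pkeyutl treats its input as a SHA-256 digest,
        # so each decoded token must be exactly 32 bytes (as the page's are).
        if len(raw) != 32:
            raise ValueError(f"token {i}: expected 32 bytes, got {len(raw)}")
        if entry.get("signed"):
            continue  # already signed; leave it untouched
        sig = signer(raw)
        if not sig:
            raise ValueError(f"token {i}: signer returned no signature")
        # Single-line base64, equivalent to `base64 -w0` in step 6.
        entry["signed"] = base64.b64encode(sig).decode("ascii")
        count += 1
    return count


def main(argv):
    token_path, key_path = argv[1], argv[2]  # e.g. unsigned-tokens.json officer1.key
    with open(token_path) as f:
        doc = json.load(f)
    n = sign_token_file(doc, openssl_sign(key_path))
    with open(token_path, "w") as f:
        json.dump(doc, f, indent=2)
    print(f"signed {n} of {len(doc['tokens'])} tokens in {token_path}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 sign_tokens.py unsigned-tokens.json officer1.key` in the separate terminal from step 3, then press enter at the signed token file prompt, since the signatures are written into the same file.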