Forum Discussion
happosade
2 months ago
New Contributor
AWS Shell plugin is not providing session token
Hello,
I tried to set up the AWS shell plugin in a way that it'll provide me short-lived tokens. I need these for our internal tools that use the AWS SDK and are able to work with these temporary credentials, so 1Password doesn't see this as something originating from the `aws` CLI. I'm trying to understand how I can use 1Password to only hand out temporary credentials so that the application doesn't have to deal with getting the tokens itself.
According to the Shell plugin docs (https://developer.1password.com/docs/cli/shell-plugins/aws/#optional-set-up-multi-factor-authentication) there should be a session token set up, but I don't see it. I don't understand how it should get there and when it should be available.
It's currently set up in this manner, and the aws plugin seems to be able to use MFA:
```
op % op item get xyz
ID: xyz
Title: AWS
Vault: Employee (abc)
Created: 2 years ago
Updated: 20 minutes ago by [me]
Favorite: false
Tags: XXX
Version: 42
Category: LOGIN
Fields:
username: [username]
password: [use 'op item get xyz --reveal' to reveal]
access key id: [access-key]
secret access key: [use 'op item get xyz --reveal' to reveal]
one-time password: 123456
mfa serial: arn:aws:iam::[rest]
Default region: [region]
Account ID: [account-id]
URLs:
website: https://us-east-1.console.aws.amazon.com/iam/...
```
2 Replies
- 1P_Phil
Moderator
Hi happosade,
Thanks for writing in, I'd like to point you over to the SDKs. Now that they support local authentication, it may make more sense to update your scripts to work with the 1Password SDKs.
Learn more about local authentication with the 1Password SDKs: https://developer.1password.com/docs/sdks/desktop-app-integrations
Let me know if this works for your setup.
Regards,
Phil & Team.
- happosade
New Contributor
Hi 1P_Phil!
So just to clarify, as the documentation says:
"1Password CLI will then set the AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID and AWS_SESSION_TOKEN provisional environment variables to specify the temporary multi-factor authentication session values."
it's not really possible to get those, other than what has been put into 1Password? I'd still need to do the assumes and whatnots in my own code using AWS SDK, so the benefit from having just
`op run --env-file=/path/to/config/for/my/app -- /path/to/bin`
in a shell alias isn't really there? I tried quickly to snoop around the documentation to see AWS-specific things in the documentation, but wasn't really able to find anything comparable to `aws ... --profile aws-target-profile` to get the specific short-lived tokens for it?
Our tool is cli-based, and it understands the environment variables here, if that makes any difference.
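
For the case discussed in this thread, where a CLI tool reads `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` from its environment, one possible wrapper follows as an added example (not part of the thread and not 1Password's code). It assumes the `op` and `aws` CLIs are installed, that the secret references built from the item shown in the first post resolve, and that an STS `GetSessionToken` MFA session is what the tool needs; the script name and the sample response are constructed.

```python
import json, os, subprocess, sys
from datetime import datetime, timezone

# Assumed secret references, built from the vault, item and field names in the first post.
REFS = {
    "key_id": "op://Employee/xyz/access key id",
    "secret": "op://Employee/xyz/secret access key",
    "serial": "op://Employee/xyz/mfa serial",
    "otp": "op://Employee/xyz/one-time password?attribute=otp",
}
# Constructed sample of `aws sts get-session-token --output json` (not real credentials).
SAMPLE_STS_JSON = ('{"Credentials": {"AccessKeyId": "ASIAEXAMPLEKEYID0000", '
                   '"SecretAccessKey": "constructed-secret", "SessionToken": '
                   '"constructed-token", "Expiration": "2030-01-01T00:00:00Z"}}')

def op_read(ref):
    """Resolve one secret reference with `op read`."""
    out = subprocess.run(["op", "read", ref], check=True, capture_output=True, text=True)
    return out.stdout.strip()

def session_env(sts_json, base_env, now=None):
    """Build the child environment from the STS JSON, rejecting expired credentials."""
    creds = json.loads(sts_json)["Credentials"]
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expires <= (now or datetime.now(timezone.utc)):
        raise ValueError("STS credentials already expired")
    env = dict(base_env)
    env.update(AWS_ACCESS_KEY_ID=creds["AccessKeyId"],
               AWS_SECRET_ACCESS_KEY=creds["SecretAccessKey"],
               AWS_SESSION_TOKEN=creds["SessionToken"])  # overwrites any stale values
    return env

def fetch_session_token(duration=3600):
    """Call STS; the long-lived key exists only in this subprocess's environment."""
    env = dict(os.environ, AWS_ACCESS_KEY_ID=op_read(REFS["key_id"]),
               AWS_SECRET_ACCESS_KEY=op_read(REFS["secret"]))
    env.pop("AWS_SESSION_TOKEN", None)  # a leftover token would break the STS call
    cmd = ["aws", "sts", "get-session-token", "--serial-number", op_read(REFS["serial"]),
           "--token-code", op_read(REFS["otp"]), "--duration-seconds", str(duration),
           "--output", "json"]
    return subprocess.run(cmd, env=env, check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: aws_session_run.py /path/to/bin [args...]")
    # Replace this process with the tool; it receives only the temporary credentials.
    os.execvpe(sys.argv[1], sys.argv[1:], session_env(fetch_session_token(), os.environ))
```
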