aws-mfa prepares the environment for commands that interact with AWS. It uses AWS STS to get temporary credentials. This is necessary if you have MFA enabled on your account. The variables it sets are

• AWS_SECRET_ACCESS_KEY
• AWS_ACCESS_KEY_ID
• AWS_SESSION_TOKEN
• AWS_SECURITY_TOKEN

aws-mfa is available via Rubygems. To install it you can run gem install aws-mfa.

Before using aws-mfa, you must have the AWS CLI installed (through whatever method you choose) and configured (through aws configure).

The very first time you run aws-mfa it will fetch the ARN for your MFA device and ask you to confirm it. Next, it will prompt you for the 6-digit code from your MFA device. For the next 12 hours, aws-mfa will not prompt you for anything. After 12 hours, your temporary credentials expire, so aws-mfa will prompt you for the 6-digit code again.

There are two ways you can use aws-mfa:

The first is to use it to alter the environment of your current shell. To do this, run eval $(aws-mfa). Now any command that uses the standard AWS environment variables should work.

The second is to use it to alter the environment of a single invocation of a program. aws-mfa tries to execute its arguments. aws-mfa aws would run the aws cli, aws-mfa kitchen would run test-kitchen, and so on. You can safely setup an alias with alias aws=aws-mfa aws. With the alias, if you had set up autcompletion for aws it will still work.