MFA Device Demo

This demo verifies the MFA code from my Gemalto device against Amazon.

Type the number on the MFA device:


If the MFA code is verified to be correct, then the API call returns an STS token. This token can then be used in subsequent calls.

STS Token
AccessKeyId
SecretAccessKey
SessionToken

If you have a valid STS token, then you can retrieve the list of AWS regions with a second API call.

AWS Regions

What's happening here

This demo demonstrates the use of MFA tokens. I have created a user, MFADemo, with very limited privileges (detailed later) and an Access Key/Secret Key combination. Using this AK/SK combination, the user is allowed to make an STS API call to verify the MFA code and obtain an STS token. This STS token is then used in the second API call.

The second API call, the one to list the regions, is only allowed if the session was authenticated with an MFA device. This is encapsulated in the IAM policy that is associated with the user account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1505657218000",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeRegions"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        }
    ]
}

This is, by the way, the only policy that is associated with this user account: without a session authenticated through the MFA device, the AK/SK on its own cannot do anything beyond calling STS. That's why, in this particular case, I'm not afraid of putting the AK/SK in the JavaScript code.
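The two calls described above, as an added example rather than the page's own JavaScript: the policy document is copied from the page, while the STS and EC2 behaviour is a small offline stand-in, and the account id, keys, device serial and one-time code are constructed placeholders. It goes slightly beyond the page in that it evaluates the Bool condition for all three kinds of credential: long-lived keys (context key absent), a session token obtained without MFA (false) and one obtained with MFA (true); only the last is authorized.

```javascript
// Added example (not the demo page's own code): an offline model of the two
// API calls the page describes, so the policy condition can be exercised
// without an AWS account. The policy is the page's; the STS/EC2 stand-ins,
// account id, keys, device serial and one-time code are constructed.

const MFA_DEMO_POLICY = {
  Version: '2012-10-17',
  Statement: [{
    Sid: 'Stmt1505657218000',
    Effect: 'Allow',
    Action: ['ec2:DescribeRegions'],
    Resource: ['*'],
    Condition: { Bool: { 'aws:MultiFactorAuthPresent': 'true' } },
  }],
};

// Constructed placeholders: the MFADemo user's long-lived AK/SK, the device
// serial and the one-time code the device is assumed to show right now.
const LONG_LIVED_KEYS = { accessKeyId: 'AKIAEXAMPLEMFADEMO', secretAccessKey: 'example-secret-key' };
const DEVICE = { serialNumber: 'arn:aws:iam::123456789012:mfa/MFADemo', currentCode: '123456' };

// Credentials known to the stand-in AWS: access key id -> identity record.
// mfaPresent stays undefined for long-lived keys (the context key is absent).
const credentialStore = new Map([
  [LONG_LIVED_KEYS.accessKeyId, { user: 'MFADemo', secret: LONG_LIVED_KEYS.secretAccessKey, mfaPresent: undefined }],
]);
let sessionCounter = 0;

function authenticate(creds) {
  const ident = credentialStore.get(creds.accessKeyId);
  if (!ident || ident.secret !== creds.secretAccessKey ||
      (ident.sessionToken !== undefined && ident.sessionToken !== creds.sessionToken)) {
    throw new Error('InvalidClientTokenId');
  }
  return ident;
}

// Stand-in for sts:GetSessionToken. With SerialNumber/TokenCode the code is
// checked against the device and the temporary credentials carry
// aws:MultiFactorAuthPresent=true; without them the key is present but false.
function getSessionToken(creds, mfa) {
  const ident = authenticate(creds);
  let mfaPresent = false;
  if (mfa) {
    if (mfa.serialNumber !== DEVICE.serialNumber || mfa.tokenCode !== DEVICE.currentCode) {
      throw new Error('AccessDenied: MultiFactorAuthentication failed');
    }
    mfaPresent = true;
  }
  const n = String(++sessionCounter).padStart(4, '0');
  const temp = { accessKeyId: 'ASIATEMP' + n, secretAccessKey: 'temp-secret-' + n, sessionToken: 'session-' + n };
  credentialStore.set(temp.accessKeyId, { user: ident.user, secret: temp.secretAccessKey, sessionToken: temp.sessionToken, mfaPresent });
  return temp;
}

// IAM wildcard matching: '*' matches any run, '?' a single character.
function matchGlob(pattern, value) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp('^' + re + '$').test(value);
}

// Only the Bool operator is implemented, since that is what the page's policy
// uses. A context key that is absent never satisfies a Bool condition.
function conditionMatches(condition, context) {
  if (!condition) return true;
  for (const [operator, pairs] of Object.entries(condition)) {
    if (operator !== 'Bool') throw new Error('unsupported condition operator: ' + operator);
    for (const [key, expected] of Object.entries(pairs)) {
      if (context[key] === undefined) return false;
      if (String(context[key]) !== String(expected)) return false;
    }
  }
  return true;
}

// Minimal IAM evaluator: default deny, explicit Deny wins, Allow otherwise.
function evaluatePolicy(policy, { action, resource, context }) {
  let allowed = false;
  for (const stmt of policy.Statement) {
    if (![].concat(stmt.Action).some((p) => matchGlob(p, action))) continue;
    if (![].concat(stmt.Resource).some((p) => matchGlob(p, resource))) continue;
    if (!conditionMatches(stmt.Condition, context)) continue;
    if (stmt.Effect === 'Deny') return false;
    allowed = true;
  }
  return allowed;
}

// Stand-in for ec2:DescribeRegions: builds the request context from the
// caller's credentials and authorizes through the user's only policy.
function describeRegions(creds) {
  const ident = authenticate(creds);
  const context = {};
  if (ident.mfaPresent !== undefined) context['aws:MultiFactorAuthPresent'] = ident.mfaPresent;
  const ok = evaluatePolicy(MFA_DEMO_POLICY, { action: 'ec2:DescribeRegions', resource: '*', context });
  if (!ok) throw new Error('UnauthorizedOperation');
  return ['us-east-1', 'us-west-2', 'eu-west-1']; // constructed subset
}

// The page's flow: verify the device code through STS, then list regions
// with the temporary credentials it returned.
function runDemo(tokenCode) {
  const temp = getSessionToken(LONG_LIVED_KEYS, { serialNumber: DEVICE.serialNumber, tokenCode });
  return describeRegions(temp);
}

console.log(runDemo(DEVICE.currentCode));
```

The interesting part is conditionMatches: a request made with the long-lived keys has no aws:MultiFactorAuthPresent key in its context at all, and a session obtained from GetSessionToken without the device has it set to false; a Bool condition rejects both, so the only credentials that pass are the ones issued after the code was verified.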

Review the source code for this page for further details.