The user will retrieve a Time-based One-time Password (TOTP) token code by using a YubiKey as MFA, and will then assume the more privileged role, which is restricted by an MFA condition, by using that TOTP token code.

Figure 1: A visual overview of the steps to assume roles with elevated permissions by using a YubiKey for MFA

Prerequisites

- YubiKey 4 and 5 series devices are compatible, because they support the required OATH application. Note: The Yubico Security Keys (the blue tokens) aren't supported, because they lack the OATH application. If you already have a corporate YubiKey device, this capability might have been disabled.
- AWS CLI v2 doesn't yet support Universal 2nd Factor (U2F) MFA. As a workaround, we use the YubiKey as a virtual MFA device.
- OATH (Initiative for Open Authentication) is an organization that specifies two open authentication standards: TOTP and HMAC-based One-Time Password (HOTP). For this solution, we use the TOTP standard.

Getting started

Initializing the YubiKey for MFA

The following steps show you, as cloud administrator, how to initialize the YubiKey as a virtual MFA device and configure an IAM user that can assume a role with elevated permissions, on the condition that the user is using an MFA device. In this example, your developers will assume a role with permissions to access Amazon Elastic Compute Cloud (Amazon EC2).

To configure the IAM user and initialize the YubiKey device as MFA

1. Create a role with elevated permissions that your developers can assume. Sign in to the AWS IAM console, and in the right-hand pane, choose Roles.
2. Then choose Create role.

Once the profile is configured, the developer calls the AWS CLI with the role profile:

```sh
aws --profile johndoe-developer-role ec2 describe-instances
```

The developer now has access to the larger permissions set through the assumed role for the next hour.
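As an added example (not code from the AWS post, from Yubico or from the AWS CLI itself), the following Python shows what the YubiKey's OATH application computes when you ask it for a token code: the RFC 6238 TOTP over the seed that the IAM console displays when you register the virtual MFA device. It also assembles the two pieces the elevated role depends on, the trust policy condition on `aws:MultiFactorAuthPresent` and the `sts:AssumeRole` inputs (serial number, token code, one-hour duration). The account ID, role name, MFA serial ARN and session name are placeholders, the seed is the RFC 6238 reference seed rather than a real IAM seed, and the `ykman oath accounts code` command named in the comments assumes ykman 4.x.

```python
"""RFC 6238 TOTP as computed by the YubiKey OATH application, plus the inputs
for an MFA-gated sts:AssumeRole. Added example; not code from the AWS post."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    The YubiKey has no clock; ykman passes the host time as the challenge,
    so host clock skew beyond one step produces a code AWS rejects."""
    return hotp(key, unix_time // step, digits)


def totp_from_base32(seed_b32: str, unix_time: Optional[int] = None,
                     digits: int = 6, step: int = 30) -> str:
    """The IAM console shows the virtual MFA seed as base32, often lower-case,
    space-grouped and without padding; normalise it before decoding.
    This is the seed you store with `ykman oath accounts add -t <name> <seed>`."""
    seed = seed_b32.replace(" ", "").upper()
    seed += "=" * (-len(seed) % 8)
    key = base64.b32decode(seed)
    if unix_time is None:
        unix_time = int(time.time())
    return totp(key, unix_time, digits, step)


def mfa_trust_policy(account_id: str) -> dict:
    """Trust policy for the elevated role: principals in the account may
    assume it only when the calling session was MFA-authenticated."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def assume_role_params(role_arn: str, mfa_serial: str, token_code: str,
                       session_name: str, duration_seconds: int = 3600) -> dict:
    """Arguments for sts:AssumeRole with an MFA token. DurationSeconds=3600
    is the one-hour session from the walkthrough. Pass them as
    boto3.client("sts").assume_role(**params), or as --serial-number and
    --token-code to `aws sts assume-role`."""
    if len(token_code) != 6 or not token_code.isdigit():
        raise ValueError("TOTP token code must be exactly 6 digits")
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("DurationSeconds must be between 900 and 43200")
    return {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "SerialNumber": mfa_serial,
        "TokenCode": token_code,
        "DurationSeconds": duration_seconds,
    }


if __name__ == "__main__":
    # Constructed demo values: the RFC 6238 reference seed and placeholder ARNs.
    RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of b"12345678901234567890"
    code = totp_from_base32(RFC_SEED_B32, unix_time=59)
    print("TOTP at t=59:", code)  # `ykman oath accounts code <name>` would print the same for this seed
    params = assume_role_params(
        "arn:aws:iam::123456789012:role/developer-role",
        "arn:aws:iam::123456789012:mfa/johndoe",
        code, "johndoe")
    print(params)
```

To check a freshly registered YubiKey, run `totp_from_base32` on the seed the console showed you and compare it with the code the key returns at the same moment; a mismatch that is off by exactly one step usually points at host clock drift rather than at the key.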