Update: You Can Access AWS Console With A Yubikey Without Hacks
In an earlier email I said that AWS's support for Yubikeys is a bit clunky and, specifically, that the AWS Console (the web UI, yet another instance of AWS's inconsistent naming schemes!) needs a little hack for Yubikeys, but that is untrue nowadays. Thanks, Artem, for pointing this out! I had used the native way myself too, but somehow that knowledge failed to be absorbed into the newsletter.
So, you can now add a hardware MFA token for the AWS Console and log in to the web console with your Yubikey or a similar device. You can also add multiple MFA keys nowadays, which is still required for AWS CLI access. I use aws-vault on top of awscli, which also doesn't have native support for hardware MFAs.
The aws-vault documentation goes into more detail, but the gist of it is that you add a Virtual MFA in the AWS Console and then use the ykman command-line tool to generate the TOTP tokens. It isn't too bad, because basically you just run it like this:
aws-vault --prompt ykman exec profile -- aws s3 ls
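A pre-flight check for the setup described above, as an added example (not from this newsletter or from the aws-vault project): it reads a profile's mfa_serial from the AWS config and confirms that the YubiKey holds an OATH account with exactly that name, which is assumed to be the name aws-vault asks ykman for. The function names, the sample config and the account ID are constructed, and `ykman oath accounts list` is assumed to print one account name per line.

```shell
#!/bin/sh
# Added example: pre-flight check before `aws-vault --prompt ykman exec <profile>`.
# Assumption: the YubiKey OATH account is named after the profile's mfa_serial ARN.

# Print the mfa_serial of profile $1 from an AWS config file read on stdin.
profile_mfa_serial() {
  awk -v want="[profile $1]" '
    /^\[/ { in_p = ($0 == want) }
    in_p && /^[ \t]*mfa_serial[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
    }'
}

# Succeed if the account list on stdin contains an entry named exactly $1.
# -F fixed string, -x whole line, -q quiet: a near-miss name does not pass.
oath_has_account() {
  grep -Fxq -- "$1"
}

# One-time enrolment: ykman prompts for the Base32 secret that the Console
# shows during Virtual MFA setup. --touch requires a touch for every code.
enroll() {
  ykman oath accounts add --touch "$1"
}

# End-to-end check: the profile has an mfa_serial and the key has that account.
preflight() {
  serial=$(profile_mfa_serial "$1" < "${AWS_CONFIG_FILE:-$HOME/.aws/config}")
  [ -n "$serial" ] || { echo "no mfa_serial for profile $1" >&2; return 1; }
  ykman oath accounts list | oath_has_account "$serial" ||
    { echo "no OATH account named $serial on the key" >&2; return 1; }
  echo "$serial"
}

# Constructed sample config; the account ID and names are placeholders.
SAMPLE_CONFIG='[profile other]
region = eu-west-1

[profile work]
region = eu-west-1
mfa_serial = arn:aws:iam::111122223333:mfa/alice
'
```

Source the file and run `preflight work` with the key plugged in; `enroll "$serial"` is only needed once per Virtual MFA device.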
That's all for today, folks!