
2.4.5 Configuring Goku Access

YouTube 📺

In this section we'll configure Goku's console and CLI access by changing the password and configuring MFA.

warning

Please keep your MFA devices ready!

🔓 Identity Account Access

  • Open the identity account URL from the Terraform output that was saved in the notes.md file.

  • Log in using the temporary credential for Goku.

🔑 Change Password

  • Once you access the console using the temporary password, you'll be forced to change the password. Ensure you note it down or save it in a secure manner.

🛂 Accessing the Console

  • After the password change, when you log in to the console you'll be greeted with Access Denied errors. At present, the default permissions attached are those of the Self-Manage group, which allows only password change and MFA configuration.

📱 Configure MFA

⚙️ Configuring Console Access using MFA

  • After configuring MFA, log out of the console and log in using the identity URL as performed earlier.
  • This time when you sign in, AWS will ask for the MFA OTP. Enter the code from your authenticator application.
  • Next, click the menu in the right corner showing goku-account-number and click Switch Role.

  • Next, in the Switch Role screen, add the account ID and the IAM role that Goku has access to. This information has been saved in the notes.md file.

  • Example: Accessing the Prod account with Administrator privileges

You should now have access to the Prod account AWS Console.

๐Ÿ–ฅ๏ธ Configuring CLI Access using MFAโ€‹

  • Let's access the same Prod AWS Account from CLI using MFA:

    awsmfa -i goku arn:aws:iam::<prod-account-id>:role/AssumeRoleAdminWithMFAprod
    prompt> Enter MFA Code
    export AWS_PROFILE=default
    aws sts get-caller-identity

About awsmfa utility

The awsmfa utility is an open-source utility that simplifies MFA access from the CLI.

https://pypi.org/project/awsmfa/
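
A role named AssumeRoleAdminWithMFAprod only protects the Prod account if its trust policy actually rejects callers without MFA. The following is an added example, not part of this tutorial or its Terraform code, that checks a trust policy document for that. It assumes the role enforces MFA through the aws:MultiFactorAuthPresent or aws:MultiFactorAuthAge condition keys, which this page does not show; the sample policy and the account ID 111111111111 are constructed placeholders.

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _enforces_mfa(condition):
    """True only if the Condition block fails closed for callers without MFA."""
    for operator, keys in condition.items():
        for key, value in keys.items():
            op, name = operator.lower(), key.lower()
            values = [str(v).lower() for v in _as_list(value)]
            # Bool is false when the key is absent (e.g. long-term access keys).
            # BoolIfExists is true in that case, so it is not accepted here.
            if op == "bool" and name == "aws:multifactorauthpresent" and values == ["true"]:
                return True
            # aws:MultiFactorAuthAge exists only in MFA-authenticated sessions.
            if op in ("numericlessthan", "numericlessthanequals") and name == "aws:multifactorauthage":
                return True
    return False

def assume_role_without_mfa(trust_policy):
    """Return the Sid (or index) of each Allow statement that grants
    sts:AssumeRole without an MFA condition that fails closed."""
    findings = []
    for index, stmt in enumerate(_as_list(trust_policy.get("Statement", []))):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        grants = any(a in ("sts:assumerole", "sts:*", "*") for a in actions)
        if stmt.get("Effect") == "Allow" and grants and not _enforces_mfa(stmt.get("Condition", {})):
            findings.append(stmt.get("Sid", index))
    return findings

# Constructed sample trust policy; 111111111111 is a placeholder account ID.
SAMPLE = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "StrictMfa", "Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
  {"Sid": "IfExistsOnly", "Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
   "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}}},
  {"Sid": "NoCondition", "Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}
]}
""")

if __name__ == "__main__":
    print(assume_role_without_mfa(SAMPLE))
```

The trust policy of a real role can be read with `aws iam get-role` (the Role.AssumeRolePolicyDocument field) and passed to assume_role_without_mfa as a parsed dictionary.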