1
00:00:00,580 --> 00:00:02,510
So one question that can come up at the exam is

2
00:00:02,510 --> 00:00:05,210
how to use Multi-Factor Authentication

3
00:00:05,210 --> 00:00:07,640
with the CLI or with the SDK.

4
00:00:07,640 --> 00:00:09,230
So if you want to use it with the CLI

5
00:00:09,230 --> 00:00:11,890
you must create a temporary session

6
00:00:11,890 --> 00:00:14,227
and to do so the API you have to use is

7
00:00:14,227 --> 00:00:18,000
STS GetSessionToken.

8
00:00:18,000 --> 00:00:19,080
So you have to remember it.

9
00:00:19,080 --> 00:00:22,290
GetSessionToken is the API you want to call

10
00:00:22,290 --> 00:00:23,210
to get credentials

11
00:00:23,210 --> 00:00:26,010
with a Multi-Factor Authentication device.

12
00:00:26,010 --> 00:00:28,230
So we'll do the CLI in a second,

13
00:00:28,230 --> 00:00:30,610
which is STS GetSessionToken

14
00:00:30,610 --> 00:00:33,570
and then we pass the serial number of our MFA device,

15
00:00:33,570 --> 00:00:35,240
the token code from our MFA device

16
00:00:35,240 --> 00:00:37,570
and the duration we want for our credentials.

17
00:00:37,570 --> 00:00:39,860
This gives us back a result which presents

18
00:00:39,860 --> 00:00:41,430
a new Access Key ID,

19
00:00:41,430 --> 00:00:42,340
Secret Access Key,

20
00:00:42,340 --> 00:00:46,930
Session Token that we can all use in API calls to AWS.

21
00:00:46,930 --> 00:00:48,130
So let's have a look at the hands-on,

22
00:00:48,130 --> 00:00:49,960
it's going to be a lot clearer.

23
00:00:49,960 --> 00:00:52,490
So first things first let's go to IAM,

24
00:00:52,490 --> 00:00:54,960
and by the way this is a pretty involved hands-on with MFA,

25
00:00:54,960 --> 00:00:56,590
you don't have to do it if you don't want to.

26
00:00:56,590 --> 00:00:59,680
This is just to demonstrate the API call which is

27
00:00:59,680 --> 00:01:02,560
STS GetSessionToken.

28
00:01:02,560 --> 00:01:03,890
So I'm going to go to my user,

29
00:01:03,890 --> 00:01:07,470
find Stephane and then under security credentials

30
00:01:07,470 --> 00:01:09,740
I need to assign an MFA device.

31
00:01:09,740 --> 00:01:12,690
So I'm going to manage this and I'm going to assign

32
00:01:12,690 --> 00:01:14,840
a virtual MFA device,

33
00:01:14,840 --> 00:01:16,250
click on continue,

34
00:01:16,250 --> 00:01:20,290
and I'm using Authy so I'm going to use Authy application

35
00:01:20,290 --> 00:01:21,940
to scan this QR code.

36
00:01:21,940 --> 00:01:25,140
So I'm going to show the QR code right now,

37
00:01:25,140 --> 00:01:27,260
and then I'm going to add the account,

38
00:01:27,260 --> 00:01:30,310
scan it and then I'm going to scan my account.

39
00:01:30,310 --> 00:01:31,760
Perfect, this is done.

40
00:01:31,760 --> 00:01:36,390
Then I enter again my two MFA codes I am getting from this,

41
00:01:36,390 --> 00:01:39,423
so the first one is 902495.

42
00:01:42,000 --> 00:01:44,303
The second code I am getting is 865515

43
00:01:47,560 --> 00:01:49,660
and then I click on Assign MFA

44
00:01:49,660 --> 00:01:52,480
and my device has successfully been registered.

45
00:01:52,480 --> 00:01:56,910
So what's important here is to get this Assign MFA device.

46
00:01:56,910 --> 00:02:00,030
This ARN right here represents what I need to do

47
00:02:00,030 --> 00:02:01,380
for the next command.

48
00:02:01,380 --> 00:02:04,440
So next I'm going to go into my console,

49
00:02:04,440 --> 00:02:06,535
my CLI and I'm going to type

50
00:02:06,535 --> 00:02:10,850
aws sts get-session-token

51
00:02:11,800 --> 00:02:14,130
and then I need to look at the help

52
00:02:14,130 --> 00:02:16,390
because I forgot what's the name of the argument,

53
00:02:16,390 --> 00:02:19,840
so it is serial number and token code.

54
00:02:19,840 --> 00:02:23,890
So --serial-number

55
00:02:23,890 --> 00:02:27,398
and then I paste what I got just from the console

56
00:02:27,398 --> 00:02:31,170
--token-code and here I enter the code I get

57
00:02:31,170 --> 00:02:36,170
directly from my authenticator or Authy app and press enter,

58
00:02:36,280 --> 00:02:39,370
and what I get out of it is credentials.

59
00:02:39,370 --> 00:02:41,270
Now these credentials are temporary

60
00:02:41,270 --> 00:02:44,490
and they're obtained through multi-factor authentication.

61
00:02:44,490 --> 00:02:46,439
So I have an AccessKeyId,

62
00:02:46,439 --> 00:02:48,180
a SecretAccessKey,

63
00:02:48,180 --> 00:02:51,440
a Session Token which is right here all of this,

64
00:02:51,440 --> 00:02:55,410
and an Expiration date which is one hour from now.

65
00:02:55,410 --> 00:02:57,110
So as we can see these are temporary credentials

66
00:02:57,110 --> 00:02:58,490
so I don't mind showing it to you

67
00:02:58,490 --> 00:03:00,820
because it's not going to be valid at some point.

68
00:03:00,820 --> 00:03:02,350
Okay so now I want to show you how

69
00:03:02,350 --> 00:03:03,880
we can use these credentials,

70
00:03:03,880 --> 00:03:06,360
so I just regenerated some for this hands-on,

71
00:03:06,360 --> 00:03:07,710
so I'm going to copy those

72
00:03:07,710 --> 00:03:10,290
into a text file on my other screen.

73
00:03:10,290 --> 00:03:11,330
Here we go.

74
00:03:11,330 --> 00:03:13,180
And now I'm going to use these credentials.

75
00:03:13,180 --> 00:03:15,556
So what I can do is do

76
00:03:15,556 --> 00:03:20,556
aws configure --profile mfa.

77
00:03:20,700 --> 00:03:22,800
So I'm going to configure a new profile

78
00:03:22,800 --> 00:03:25,390
named mfa which corresponds to these credentials

79
00:03:25,390 --> 00:03:26,590
I just obtained.

80
00:03:26,590 --> 00:03:30,720
So, my AWS Access Key ID is the one I just got

81
00:03:30,720 --> 00:03:34,210
from the output so I'm going to paste it here.

82
00:03:34,210 --> 00:03:36,250
Then my Secret Access Key,

83
00:03:36,250 --> 00:03:39,910
one more time I need to copy it from what I got.

84
00:03:39,910 --> 00:03:43,780
Excellent and my Default region name is fine,

85
00:03:43,780 --> 00:03:45,088
output format is fine.

86
00:03:45,088 --> 00:03:48,110
And next what I have to do is open the file at

87
00:03:48,110 --> 00:03:51,820
.aws/credentials and so you need to open it using

88
00:03:51,820 --> 00:03:53,410
your favorite tool.

89
00:03:53,410 --> 00:03:56,187
So for example for me I'm going to use VS Code for this

90
00:03:56,187 --> 00:04:00,810
and so I opened my file and I need to add the session token.

91
00:04:00,810 --> 00:04:04,067
For this I type aws_session_token

92
00:04:04,067 --> 00:04:08,860
= and then I copy the entire token that I got from before,

93
00:04:08,860 --> 00:04:11,230
so this could be a very, very long token

94
00:04:11,230 --> 00:04:13,070
and then I click on save.

95
00:04:13,070 --> 00:04:15,840
And now this means that anytime I do an API call

96
00:04:15,840 --> 00:04:17,770
using this profile,

97
00:04:17,770 --> 00:04:20,400
it's going to use my temporary credentials.

98
00:04:20,400 --> 00:04:22,510
So if I go back here and do now

99
00:04:22,510 --> 00:04:25,960
aws s3 ls

100
00:04:25,960 --> 00:04:30,120
and I do --profile mfa

101
00:04:30,120 --> 00:04:32,450
then this is going to issue an API call against

102
00:04:32,450 --> 00:04:35,470
Amazon S3 using my profile mfa

103
00:04:35,470 --> 00:04:37,620
and you can see a lot of extra buckets

104
00:04:37,620 --> 00:04:39,490
because I'm re-recording this lecture right now

105
00:04:39,490 --> 00:04:40,700
so you see a lot more extra buckets

106
00:04:40,700 --> 00:04:43,080
than what you have right now but don't worry about it.

107
00:04:43,080 --> 00:04:45,100
So this is pretty cool because now I've been using

108
00:04:45,100 --> 00:04:49,310
the MFA device and I used a session token in here,

109
00:04:49,310 --> 00:04:51,590
so these have been temporary credentials

110
00:04:51,590 --> 00:04:53,380
and so that's it for this lecture.

111
00:04:53,380 --> 00:04:55,280
So it's okay if you couldn't follow it along with me,

112
00:04:55,280 --> 00:04:56,530
it's pretty complicated,

113
00:04:56,530 --> 00:04:58,400
but the one thing you have to remember is that

114
00:04:58,400 --> 00:05:02,340
the API we use to generate these temporary session tokens

115
00:05:02,340 --> 00:05:05,270
is called STS GetSessionToken

116
00:05:05,270 --> 00:05:07,330
and that gave us an Access Key,

117
00:05:07,330 --> 00:05:10,410
a Secret Key and a Session Token that was temporary.

118
00:05:10,410 --> 00:05:12,210
And that's it and I hope that was helpful

119
00:05:12,210 --> 00:05:14,160
and I will see you in the next lecture.