Awsume 4+ only.
This is a plugin that automates the entry of MFA tokens using 1Password.
It replaces AWSume's MFA Token: prompt with a biometric unlock and delegates to 1Password for policies on how often unlock is required.
In other words: it saves you from ever having to type an MFA token, ever again!
If you experience any problems, please file a bug report.
pip3 install awsume-1password-plugin
If you've installed awsume with pipx, this will install the console plugin in awsume's virtual environment:
pipx inject awsume awsume-1password-plugin
- Install the 1Password CLI
- Enable biometric unlock of the CLI in 1Password settings
This plugin needs to know which 1Password vault item to use for each MFA token. You can specify this information in your AWSume configuration file.
# ~/.awsume/config.yaml
colors: true
1password: AWS (12345, tony)
In this example, I have only one MFA token shared among all my accounts (which belong to the same organization).
The configured value is the name of the corresponding 1Password vault item.
# ~/.awsume/config.yaml
colors: true
fuzzy-match: false
1password:
  "arn:aws:iam::12345:mfa/tony": "AWS for Tony Inc."
  "arn:aws:iam::67890:mfa/xeger": "AWS for Xeger Enterprises"
In this example I have access to two unrelated accounts, so there are two MFA tokens and two 1Password vault items; the config subsection becomes a map of token serials to vault item names.
This plugin works automatically in the background; just awsume roles as you normally would, and it will invoke the op command to obtain TOTP tokens whenever AWSume requires one.
If you experience any trouble, invoke awsume with the --debug flag and look for log entries that contain 1password.
The specific command that this plugin invokes is op item get --otp "Profile Name Here"; make sure it succeeds when you invoke it manually.
If you can't solve your problem, create a GitHub issue with diagnostic details and we'll try to help you.
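To check a configuration outside of awsume, the following added example (not the plugin's own code) resolves an MFA serial to a vault item for both config shapes shown above and runs the same op command. The function names, the exact-match lookup and the 6-digit check are assumptions made for this sketch.

```python
import re
import subprocess

# Constructed samples mirroring the two config shapes shown above.
SINGLE = {"colors": True, "1password": "AWS (12345, tony)"}
MULTI = {
    "1password": {
        "arn:aws:iam::12345:mfa/tony": "AWS for Tony Inc.",
        "arn:aws:iam::67890:mfa/xeger": "AWS for Xeger Enterprises",
    }
}

def resolve_item(config, mfa_serial):
    """Return the vault item name for an MFA serial, or None if unmapped."""
    section = config.get("1password")
    if isinstance(section, str):
        return section                  # one item shared by every MFA serial
    if isinstance(section, dict):
        return section.get(mfa_serial)  # assumed: exact match on the serial
    return None

def op_command(item):
    """Build the argv list; the item name is one argument, never shell-parsed."""
    return ["op", "item", "get", "--otp", item]

def fetch_otp(item, run=subprocess.run):
    """Run op and return the code only if it looks like a 6-digit TOTP."""
    proc = run(op_command(item), capture_output=True, text=True, timeout=60)
    if proc.returncode != 0:
        raise RuntimeError("op failed: " + proc.stderr.strip())
    code = proc.stdout.strip()
    if not re.fullmatch(r"\d{6}", code):
        # Report the problem without echoing whatever op printed.
        raise ValueError("op output is not a 6-digit code")
    return code

if __name__ == "__main__":
    import sys
    serial = sys.argv[1] if len(sys.argv) > 1 else "arn:aws:iam::12345:mfa/tony"
    item = resolve_item(MULTI, serial)
    print("vault item:", item)
    if item:
        # Print only whether a code was obtained, not the code itself.
        print("got a well-formed code:", bool(fetch_otp(item)))
```

Because the item name is passed as a single argv element, names containing spaces or parentheses need no quoting, and the script never writes the token to the terminal or a log.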