Using a YubiKey for AWS MFA with aws-vault on WSL
So… you’re running aws-vault within Windows Subsystem for Linux (WSL) and you want to stop typing in MFA codes. Cool. Let’s use a YubiKey to enter the codes for you.
The only show-stopper: WSL cannot access a YubiKey that is plugged into the host OS, Windows.
There is a solution!
As we are able to call Windows binaries from within WSL, we can install the required software - YubiKey Manager - on Windows, and execute it from WSL.
I’m assuming you have the following components ready:
The Solution
First up, you will need to install YubiKey Manager in Windows. You can download the software from here. For ease of managing our TOTP accounts, Yubico Authenticator is helpful. You can get it from here.
- Onto the good stuff! Now that we have the YubiKey software installed, log in to AWS and go to Security Credentials.
- Scroll down the page to the Multi-factor authentication (MFA) section, and click Manage MFA Device, then Remove. If you don’t have MFA enabled already, the button will read Assign MFA Device.
- Click on Assign MFA Device and then select Virtual MFA device.
- Click the hyperlink to Show Secret Key and copy it to your clipboard.
- Go to Yubico Authenticator and Add Account.
- Enter AWS as the Issuer, your MFA ARN as the Account Name (arn:aws:iam::<account-id>:mfa/<user-name>), and paste in the secret key. Ensure you tick the box for Require Touch - a code can then only be generated when someone physically touches the key, which helps keep things secure.
- Double click on the new account in Yubico Authenticator, tap your YubiKey, and enter two consecutive MFA codes into the AWS console.
- Within WSL, we need to create a symlink to the Windows binary of ykman. ykman is the command line interface to the YubiKey Manager. Create a symlink with the following command -
sudo ln -s /mnt/c/Program\ Files/Yubico/YubiKey\ Manager/ykman.exe /usr/bin/ykman
- Now we can run a test command, which should return a list of all the accounts shown in Yubico Authenticator:
ykman oath accounts list
- Now we can tell aws-vault to prompt ykman for an MFA code. When calling aws-vault, simply include --prompt ykman in your command, and aws-vault will call ykman in the background. Tap your YubiKey when prompted.
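As an added example that is not part of the original post, a small POSIX shell preflight script for the setup above. It assumes the ykman symlink created earlier, that the OATH account was saved with issuer AWS and the MFA ARN as the account name, and that ykman oath accounts code --single prints only the code.

```shell
#!/bin/sh
# Added example, not from the original post: preflight checks for the
# aws-vault + ykman-over-WSL setup. Assumes the symlink above exists and that
# the OATH account was saved with issuer "AWS" and the MFA ARN as its name, so
# `ykman oath accounts list` prints it as "AWS:arn:aws:iam::<id>:mfa/<user>".

# Print the credential line matching the MFA ARN ($1) from `ykman oath accounts
# list` output ($2); exit status 1 if the key holds no such account.
find_mfa_account() {
  printf '%s\n' "$2" | grep -F -x "AWS:$1"
}

# An AWS virtual MFA (TOTP) code is exactly six decimal digits.
valid_totp_code() {
  case $1 in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Live check, run from inside WSL with the MFA ARN as the argument.
check_wsl_ykman() {
  arn=$1
  target=$(readlink -f "$(command -v ykman)") || return 1
  case $target in
    /mnt/c/*.exe) ;;  # the symlink must resolve to the Windows binary
    *) echo "ykman is not the Windows ykman.exe: $target" >&2; return 1 ;;
  esac
  find_mfa_account "$arn" "$(ykman oath accounts list)" >/dev/null ||
    { echo "no OATH account named AWS:$arn on this YubiKey" >&2; return 1; }
  echo "Touch the YubiKey when it blinks..." >&2
  out=$(ykman oath accounts code --single "$arn") || return 1
  # --single prints only the code; strip a leading account name just in case
  valid_totp_code "${out##* }" || { echo "unexpected output: $out" >&2; return 1; }
  echo "ykman returned a well-formed TOTP code; aws-vault --prompt ykman should work"
}

# Constructed sample of `ykman oath accounts list` output (not from a real key).
SAMPLE_LIST='AWS:arn:aws:iam::123456789012:mfa/alice
Example:alice@example.com'

if [ "$#" -gt 0 ]; then check_wsl_ykman "$1"; fi
```

Save it as a file and run it from WSL with your MFA ARN as the only argument; each failing check names what to fix before trying aws-vault.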
Just like that, we have aws-vault automatically retrieving MFA codes from a YubiKey with only a touch required.