If you are enforcing MFA via a policy, then to use the CLI you have to obtain temporary credentials, which in turn provide a new access key, secret and session token each time.
You can follow this article which may help https://repost.aws/knowledge-center/authenticate-mfa-cli
In the process of posting this question, AWS provided a string of possible solutions, including https://repost.aws/knowledge-center/mfa-iam-user-aws-cli which refers to https://repost.aws/knowledge-center/authenticate-mfa-cli.
I posted the question anyway since previous searches on security keys and MFA did not reveal these solutions. It is also not clear whether temporary credentials work with physical security keys. I tried the aws sts get-session-token --serial-number with the ARN of my YubiKey, but the command requires a one-time passcode, which the YubiKey does not provide.
It would help if the AWS documentation on setting up MFA devices clearly mentioned the AWS CLI implications. As a workaround, I am using the security credentials of the new IAM user I mentioned above - that user does not have AWS console access.
I just double checked
Support for security keys is available only with the AWS Management Console.
As a workaround, you can use a virtual MFA device.
Thanks for the fast response. How do I get the temporary credentials for a physical MFA device that does not return a code?
NP, I just double checked. Support for security keys is available only with the AWS Management Console.
As a workaround, you can use a virtual MFA device.
Also, is it possible to only enforce MFA for AWS Console access, not AWS CLI?
You can enforce MFA for the CLI with an IAM policy attached to users either directly or via groups.
https://repost.aws/knowledge-center/mfa-iam-user-aws-cli
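
The workaround discussed in this thread (a virtual MFA device plus `aws sts get-session-token`) can be wrapped in a shell function as below. This is an added example, not part of the original posts or the linked AWS articles; the function name `mfa_login`, the sample ARN and the one-hour default lifetime are assumptions, and it assumes the long-term access key lives in a profile in `~/.aws/credentials`.

```bash
#!/usr/bin/env bash
# Added example: trade a virtual-MFA one-time code for temporary credentials
# and export them for the current shell. Names and sample values are illustrative.

mfa_login() {
    # $1 = ARN of the virtual MFA device (e.g. arn:aws:iam::123456789012:mfa/example)
    # $2 = current 6-digit code shown by the authenticator app
    # $3 = optional session lifetime in seconds (assumed default: 3600)
    local serial="$1" code="$2" duration="${3:-3600}"
    local creds key secret token

    # Reject anything that is not exactly six digits before calling STS.
    case "$code" in
        [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "mfa_login: token code must be 6 digits" >&2; return 2 ;;
    esac

    # GetSessionToken must be signed with long-term keys. If an earlier
    # session is still exported, drop it so the CLI falls back to the profile.
    if [ -n "${AWS_SESSION_TOKEN:-}" ]; then
        unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    fi

    # Text output of a list query is one tab-separated line.
    creds=$(aws sts get-session-token \
        --serial-number "$serial" \
        --token-code "$code" \
        --duration-seconds "$duration" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text) || return 1

    read -r key secret token <<EOF
$creds
EOF
    [ -n "$token" ] || { echo "mfa_login: unexpected STS output" >&2; return 1; }

    # All three values are required; the session token is what marks the
    # request as MFA-authenticated to the IAM policy.
    export AWS_ACCESS_KEY_ID="$key"
    export AWS_SECRET_ACCESS_KEY="$secret"
    export AWS_SESSION_TOKEN="$token"
}
```

Source the file and run `mfa_login <mfa-device-arn> <code>`; later `aws` commands in that shell use the temporary credentials until they expire.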