I want to use a multi-factor authentication (MFA) token with the AWS Command Line Interface (AWS CLI) to authenticate access to my AWS resources.
Short description
You can activate up to eight MFA devices for each AWS Identity and Access Management (IAM) user.
Note: MFA activation for the root user affects only the root user credentials. Each IAM identity in your AWS account has its own MFA configuration.
To activate MFA, see Secure your root user sign-in with multi-factor authentication (MFA) and AWS multi-factor authentication in IAM.
Resolution
If you receive errors when you run AWS CLI commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
To use the AWS CLI to authenticate to AWS resources, call the STS API action GetSessionToken to get temporary credentials. Temporary credentials are valid for 12 hours by default. Use the --duration-seconds parameter to set the temporary credential lifetime to any value between 15 minutes and 36 hours.
Note: The user needs the appropriate IAM permissions to call GetSessionToken. For more information, see How do I enforce MFA authentication for IAM users that use the AWS Management Console and the AWS CLI?
MFA device ARN
To get the MFA device's Amazon Resource Name (ARN), complete these steps:
- Open the IAM console.
- In the navigation pane, choose Users, and then select your IAM user.
- On the Summary page, choose the Security credentials tab.
- In Assigned MFA device, copy the MFA device's ARN.
Use the AWS CLI to get temporary credentials
Run the get-session-token command:
aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token
Example output:
{
    "Credentials": {
        "SecretAccessKey": "secret-access-key",
        "SessionToken": "temporary-session-token",
        "Expiration": "expiration-date-time",
        "AccessKeyId": "access-key-id"
    }
}
Important: Make sure that the MFA device's serial number, token, and ARN are correct. If they aren't, then you might receive an error message that's similar to the following:
"An error occurred (AccessDenied) when calling the GetSessionToken operation: MultiFactorAuthentication failed, unable to validate MFA code. Please verify your MFA serial number is valid and associated with this user."
To authenticate your MFA hardware device, the serial number is usually on the back of the device and is similar to GAHT12345678. To authenticate your MFA virtual device, the value is similar to arn:aws:iam::123456789012:mfa/user.
Note: The AWS CLI supports MFA authentication only with a virtual or hardware MFA device. The AWS CLI doesn't support MFA authentication with the FIDO security key.
For more information, see Assign MFA devices in the AWS CLI or AWS API.
Use temporary credentials to export their values to environment variables
Run the following commands for your operating system (OS):
Linux
export AWS_ACCESS_KEY_ID=example-access-key-as-in-previous-output
export AWS_SECRET_ACCESS_KEY=example-secret-access-key-as-in-previous-output
export AWS_SESSION_TOKEN=example-session-token-as-in-previous-output
Windows
set AWS_ACCESS_KEY_ID=example-access-key-as-in-previous-output
set AWS_SECRET_ACCESS_KEY=example-secret-access-key-as-in-previous-output
set AWS_SESSION_TOKEN=example-session-token-as-in-previous-output
Before you run the get-session-token command again, run the following commands to unset the environment variables:
Linux
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN
Windows
set AWS_ACCESS_KEY_ID=
set AWS_SECRET_ACCESS_KEY=
set AWS_SESSION_TOKEN=
Use temporary credentials with named profiles
You can also use named profiles to specify the commands that require MFA authentication. In the credentials file that's in the .aws folder of the user's home directory, add a new profile configuration to issue authenticated commands.
Example profile configuration:
[mfa]
aws_access_key_id = example-access-key-as-in-returned-output
aws_secret_access_key = example-secret-access-key-as-in-returned-output
aws_session_token = example-session-token-as-in-returned-output
After the credentials expire, run the get-session-token command again. Then, export the returned values to the environment variables or the profile configuration.
It's a best practice to run a script or a cron job in the background that checks for the expiration from the get-session-token command's output. If the MFA token is expired, then make sure that the script or cron job prompts for reauthentication.
When you use named profiles to authenticate, specify the --profile option followed by the profile name (for example, --profile mfa). This ensures that the API calls use the MFA-backed temporary credentials.
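The steps above (get-session-token with the MFA serial and token code, exporting the values or writing them to a named profile, and checking the expiration so a background job can prompt for reauthentication) combined into one script. This is an added example, not code from the AWS article: it assumes the aws CLI is on PATH, defaults to a profile named mfa, and SAMPLE_OUTPUT is a constructed stand-in for the command's JSON output, not real credentials.

```python
"""Added example (not from the AWS article): wrap get-session-token, store the result, check expiry."""
import configparser
import io
import json
import os
import shlex
import subprocess
import sys
from datetime import datetime, timezone

# Documented bounds for --duration-seconds: 15 minutes to 36 hours.
MIN_DURATION = 15 * 60
MAX_DURATION = 36 * 60 * 60

# Constructed sample in the shape of the article's example output (not real credentials).
SAMPLE_OUTPUT = json.dumps({"Credentials": {
    "SecretAccessKey": "secret-access-key",
    "SessionToken": "temporary-session-token",
    "Expiration": "2030-01-01T12:00:00+00:00",
    "AccessKeyId": "access-key-id",
}})


def build_command(mfa_serial, token_code, duration_seconds=43200):
    """argv for `aws sts get-session-token`; rejects inputs STS would reject anyway."""
    if not MIN_DURATION <= duration_seconds <= MAX_DURATION:
        raise ValueError(f"--duration-seconds must be {MIN_DURATION}..{MAX_DURATION}")
    if not (token_code.isdigit() and len(token_code) == 6):
        raise ValueError("token code must be the six-digit code from the MFA device")
    return ["aws", "sts", "get-session-token",
            "--serial-number", mfa_serial,  # device ARN (virtual) or serial (hardware)
            "--token-code", token_code,
            "--duration-seconds", str(duration_seconds),
            "--output", "json"]


def parse_credentials(output_json):
    """Flatten the Credentials object into the key names the credentials file uses."""
    creds = json.loads(output_json)["Credentials"]
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"],
            "expiration": creds["Expiration"]}


def seconds_until_expiry(expiration, now_iso=None):
    """Seconds left before the credentials expire; negative once they have expired.
    A cron job can poll this and prompt for a fresh token code when it drops below zero."""
    expires_at = datetime.fromisoformat(expiration.replace("Z", "+00:00"))
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return (expires_at - now).total_seconds()


def export_lines(creds):
    """Shell export statements matching the article's Linux section; values are shell-quoted."""
    return "\n".join(f"export {key.upper()}={shlex.quote(creds[key])}"
                     for key in ("aws_access_key_id", "aws_secret_access_key", "aws_session_token"))


def render_profile(profile, creds, existing_text=""):
    """Return credentials-file text with [profile] replaced and other profiles untouched."""
    config = configparser.ConfigParser()
    config.read_string(existing_text)
    if config.has_section(profile):
        config.remove_section(profile)
    config.add_section(profile)
    for key in ("aws_access_key_id", "aws_secret_access_key", "aws_session_token"):
        config.set(profile, key, creds[key])
    buf = io.StringIO()
    config.write(buf)
    return buf.getvalue()


def write_profile(path, profile, creds):
    """Merge the profile into the credentials file at `path` and keep it owner-readable only."""
    existing = open(path).read() if os.path.exists(path) else ""
    with open(path, "w") as fh:
        fh.write(render_profile(profile, creds, existing))
    os.chmod(path, 0o600)


def main(argv):
    if len(argv) < 3:
        print("usage: mfa_session.py <mfa-device-arn-or-serial> <token-code> [duration] [profile]")
        return 2
    duration = int(argv[3]) if len(argv) > 3 else 43200
    profile = argv[4] if len(argv) > 4 else "mfa"  # assumed default profile name
    try:
        result = subprocess.run(build_command(argv[1], argv[2], duration),
                                capture_output=True, text=True, check=True)
    except subprocess.CalledProcessError as err:
        # The AccessDenied / "unable to validate MFA code" message from STS arrives on stderr.
        sys.stderr.write(err.stderr)
        return 1
    creds = parse_credentials(result.stdout)
    path = os.path.expanduser("~/.aws/credentials")
    write_profile(path, profile, creds)
    hours = seconds_until_expiry(creds["expiration"]) / 3600
    print(f"wrote [{profile}] to {path}; expires in {hours:.1f} h; use --profile {profile}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 mfa_session.py arn:aws:iam::123456789012:mfa/user 123456`, then `aws sts get-caller-identity --profile mfa` to confirm the session works. Run it again with a fresh token code after the credentials expire; because render_profile only replaces the [mfa] section, the long-term keys in [default] are left alone, and the file is written with mode 0600 since it now holds a usable session token.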
Related information
How do I reset a lost or broken MFA device for my IAM user or AWS account root user?
How do I enforce MFA authentication for IAM users that use the AWS Management Console and the AWS CLI?