YubiKey Policy Appears to Block AWS CLI

0

What is the correct policy to enable me to use a YubiKey as an MFA device for logging into the AWS console but also use the IAM user's security credentials for AWS CLI?

I picked up a Yubico Security Key last October primarily to provide MFA for accounts that I am constantly logging into such as AWS, GitHub, Cloudflare, and Google. Yubico provided instructions for AWS setup at https://resources.yubico.com/53ZDUYE6/as/2trqjptbcrgshncr2w2hrn/AWS_setup_instructions_for_Yubico_YubiKeys but the policy is incomplete and cannot be copied. I found what appeared to be the same policy at https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_fido.html and successfully implemented it.

My IAM user is in the admins group and from the AWS Console I have the privileges I need. I recently needed to use the AWS CLI (v2) to sync bucket options. I set up the security credentials and added them via aws configure, but all aws s3 commands failed with "Access Denied". I tried all the various tips to resolve the problem including adding the ListBucket action and adding the admins policies directly to my permissions without solving the problem.

I then noticed that other AWS CLI commands were failing with "an explicit deny in an identity-based policy". I found no "Deny" actions in any of my operational policies but did not check the YubiKey policy since it only seemed relevant to the AWS console. I finally tracked down the problem by creating a new IAM user and not applying the YubiKey policy - all the AWS CLI commands worked with its security credentials.

I just found https://repost.aws/questions/QUhxpCEKpVTJ6jSrK8EGB6BA/can-i-enforce-mfa-for-console-sign-in-but-not-for-access-key-cli-sign-in which points to an even more complicated policy (results the same Access Denied errors) but is silent on how to bypass this policy when using AWS CLI.

3 Answers
0

If you are enforcing MFA via a policy then to use CLI, you have to obtain temporary credentials which in turn provides each time a new access key, secret and one session token.

You can follow this article which may help https://repost.aws/knowledge-center/authenticate-mfa-cli

profile picture
EXPERT
answered 10 months ago
  • Thanks for the fast response. How do I get the temporary credentials for a physical MFA device that does not return a code?

  • NP, I just double checked.. Support for security keys is available only with the AWS Management Console.

    As a workaround, you can use a virtual MFA device.

  • Also, is it possible to only enforce MFA for AWS Console access, not AWS CLI?

  • You can enforce MFA for CLi with a IAM Policy attached to users either directly or via groups

0

In the process of posting this question, AWS provided a string of possible solutions, including https://repost.aws/knowledge-center/mfa-iam-user-aws-cli which refers to https://repost.aws/knowledge-center/authenticate-mfa-cli.

I posted the question anyway since previous searches on security keys and MFA did not reveal these solutions. It is also not clear whether temporary credentials work with physical security keys. I tried the aws sts get-session-token --serial-number with the arn of my YubiKey but the command requires a one-time passcode which the YubiKey does not provide.

It would help if the AWS documentation on setting up MFA devices clearly mentioned the AWS CLI implications. As a workaround, I am using the security credentials of the new IAM user I mentioned above - that user does not have AWS console access.

nh905g
answered 10 months ago
0

I just double checked

Support for security keys is available only with the AWS Management Console.

As a workaround, you can use a virtual MFA device.

profile picture
EXPERT
answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions