
How do I use the AWS CLI to authenticate access to AWS resources with an MFA token?


I want to use a multi-factor authentication (MFA) token with the AWS Command Line Interface (AWS CLI) to authenticate access to my AWS resources.

Short description

You can activate up to eight MFA devices for each AWS Identity and Access Management (IAM) user.

Note: MFA activation for the root user affects only the root user credentials. Each IAM identity in your AWS account has its own MFA configuration.

To activate MFA, see Secure your root user sign-in with MFA and MFA in IAM.

Resolution

To use the AWS CLI to authenticate to AWS resources, use the API action GetSessionToken to get temporary credentials.

Note: If you receive errors when you run AWS CLI commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

MFA device ARN

To get the MFA device's ARN, complete these steps:

  1. Open the IAM console.
  2. In the navigation pane, choose Users, and then choose your IAM user.
  3. On the Summary page, choose the Security credentials tab.
  4. In Assigned MFA device, copy the MFA device's ARN.

Use the AWS CLI to get temporary credentials

Run the get-session-token command:

aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token

Example output:

{
    "Credentials": {
        "SecretAccessKey": "secret-access-key",
        "SessionToken": "temporary-session-token",
        "Expiration": "expiration-date-time",
        "AccessKeyId": "access-key-id"
    }
}

Important: Make sure that the MFA device's serial number, token, and ARN are correct, or you might receive an error message that's similar to the following:

"An error occurred (AccessDenied) when calling the GetSessionToken operation: MultiFactorAuthentication failed, unable to validate MFA code. Please verify your MFA serial number is valid and associated with this user."

For a hardware MFA device, the serial number is usually printed on the back of the device and looks similar to GAHT12345678. For a virtual MFA device, the value is the device ARN and looks similar to arn:aws:iam::123456789012:mfa/user.

Note: The AWS CLI supports MFA authentication only with a virtual or hardware MFA device. The AWS CLI doesn't support MFA authentication with the FIDO security key.

For more information, see Assign MFA devices in the AWS CLI or AWS API.

Export the temporary credentials to environment variables

Run the following commands for your operating system (OS):

Linux

export AWS_ACCESS_KEY_ID=example-access-key-as-in-previous-output
export AWS_SECRET_ACCESS_KEY=example-secret-access-key-as-in-previous-output
export AWS_SESSION_TOKEN=example-session-token-as-in-previous-output

Windows

set AWS_ACCESS_KEY_ID=example-access-key-as-in-previous-output
set AWS_SECRET_ACCESS_KEY=example-secret-access-key-as-in-previous-output
set AWS_SESSION_TOKEN=example-session-token-as-in-previous-output

Before you run the get-session-token command again, run the following commands to unset the environment variables:

Linux

unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN

Windows

set AWS_ACCESS_KEY_ID=
set AWS_SECRET_ACCESS_KEY=
set AWS_SESSION_TOKEN=

Use temporary credentials with named profiles

You can also use named profiles to specify the commands that require MFA authentication. In the credentials file that's in the .aws folder of the user's home directory, add a new profile configuration to issue MFA-authenticated commands.

Example profile configuration:

[mfa]
aws_access_key_id = example-access-key-as-in-returned-output
aws_secret_access_key = example-secret-access-key-as-in-returned-output
aws_session_token = example-session-token-as-in-returned-output

After the credentials expire, run the get-session-token command again, and then export the returned values to the environment variables or the profile configuration.

It's a best practice to run a script or a cron job in the background that checks the Expiration value in the get-session-token command's output. If the session credentials have expired, the script or cron job should prompt you to reauthenticate.

When you use named profiles to authenticate, specify the --profile option followed by the profile name so that the API calls are authenticated with the MFA session.
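As an added example (not code from the re:Post article), the following POSIX shell script wraps the steps above: it calls get-session-token, parses the returned JSON, renders the [mfa] profile section for the credentials file, and implements the expiration check that the best-practice note recommends. The sample output, placeholder key values and function names are constructed for the example; only fetch_session_token talks to AWS.

```shell
#!/bin/sh
# Added example (not from the re:Post article): the get-session-token flow
# described above, split into functions. Only fetch_session_token calls the
# real AWS CLI; parsing and expiry checking run on a constructed sample.

# Constructed sample of get-session-token output. Placeholder values, not real keys.
SAMPLE_OUTPUT='{
    "Credentials": {
        "SecretAccessKey": "EXAMPLESECRETACCESSKEY",
        "SessionToken": "EXAMPLESESSIONTOKEN",
        "Expiration": "2030-01-01T00:00:00+00:00",
        "AccessKeyId": "ASIAEXAMPLEKEYID"
    }
}'

# json_field NAME JSON: extract a string field from the CLI's pretty-printed JSON
# (one field per line). Avoids a jq dependency; use jq if it is available.
json_field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*\"$1\": \"\([^\"]*\)\".*/\1/p"
}

# fetch_session_token MFA_SERIAL TOTP_CODE: the call from the article. MFA_SERIAL is
# the virtual device ARN or the hardware device serial number.
fetch_session_token() {
    aws sts get-session-token --serial-number "$1" --token-code "$2" --output json
}

# credentials_expired EXPIRATION: true (exit 0) when the timestamp has passed.
# Compares the YYYY-MM-DDTHH:MM:SS prefix as UTC text, which is what the CLI emits.
credentials_expired() {
    exp=$(printf '%s' "$1" | cut -c1-19)
    now=$(date -u +%Y-%m-%dT%H:%M:%S)
    [ "$(printf '%s\n%s\n' "$exp" "$now" | LC_ALL=C sort | head -n 1)" = "$exp" ]
}

# render_profile JSON PROFILE: the [profile] block for ~/.aws/credentials.
render_profile() {
    printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n' \
        "$2" "$(json_field AccessKeyId "$1")" \
        "$(json_field SecretAccessKey "$1")" "$(json_field SessionToken "$1")"
}

# Typical use: refresh the [mfa] profile only when the stored session has expired,
# then replace the old [mfa] section in the credentials file with the rendered one
# (or set the three values with aws configure set --profile mfa).
#   out=$(fetch_session_token arn:aws:iam::123456789012:mfa/user 123456)
#   render_profile "$out" mfa
#   aws --profile mfa sts get-caller-identity
```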

Related information

How do I reset a lost or broken MFA device for my IAM user or AWS account root user?

How do I enforce MFA authentication for IAM users that use the AWS Management Console and the AWS CLI?

5 Comments

To run the "aws sts get-session-token" command, I need to provide the AWS profile. To provide the AWS profile, I need to store the "aws_access_key_id" and "aws_secret_access_key" in the credentials file on my local machine. Then what is the point of using a temporary credential with MFA from the same machine where the access key information is already stored? How does this make it more secure?

I don't see an option to create Access Key with limited permission where only "sts get-session-token" is allowed, in which case I can use that Access Key on my machine to first get temporary credentials and then use those temporary creds to access other resources.

I found the answer to my confusion when looking at https://repost.aws/knowledge-center/mfa-iam-user-aws-cli

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS EXPERT
replied a year ago

Hi everyone,

I recently created a script to help automate the AWS CLI MFA authentication process. If you're looking for an easier way to handle MFA, you might find this useful. Check it out on my GitHub: https://github.com/toshitanaa/aws-cli-mfa-auth

I hope it helps make your AWS workflows a bit smoother. I'd love to hear any feedback or suggestions you might have!

Thanks, toshitanaa

replied 5 months ago

Why do I have to handle this manually? In my opinion, this whole MFA process should be managed by the CLI.

1.) Issue a command with the CLI
2.) The CLI detects that MFA is enabled
3.) The CLI asks for the OTP code and manages temporary credentials
4.) The command is executed

The MFA device selection / configuration is part of "aws configure" command

replied 2 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS EXPERT
replied 2 months ago