YubiKey Policy Appears to Block AWS CLI

Question

What is the correct policy to enable me to use a YubiKey as an MFA device for logging into the AWS console but also use the IAM user's security credentials for AWS CLI?

I picked up a Yubico Security Key last October primarily to provide MFA for accounts that I am constantly logging into such as AWS, GitHub, Cloudflare, and Google.   Yubico provided instructions for AWS setup at [https://resources.yubico.com/53ZDUYE6/as/2trqjptbcrgshncr2w2hrn/AWS_setup_instructions_for_Yubico_YubiKeys](https://resources.yubico.com/53ZDUYE6/as/2trqjptbcrgshncr2w2hrn/AWS_setup_instructions_for_Yubico_YubiKeys) but the policy is incomplete and cannot be copied.  I found what appeared to be the same policy at [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_fido.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_fido.html) and successfully implemented it.

My IAM user is in the **admins** group and from the AWS Console I have the privileges I need.  I recently needed to use the AWS CLI (v2) to sync bucket options.  I set up the security credentials and added them via **aws configure**, but all **aws s3** commands failed with "Access Denied".  I tried all the various tips to resolve the problem including adding the ListBucket action and adding the **admins** policies directly to my permissions without solving the problem.

I then noticed that other AWS CLI commands were failing with "an explicit deny in an identity-based policy".  I found no "Deny" actions in any of my operational policies but did not check the YubiKey policy since it only seemed relevant to the AWS console.  I finally tracked down the problem by creating a new IAM user and not applying the YubiKey policy - all the AWS CLI commands worked with its security credentials.

I just found [https://repost.aws/questions/QUhxpCEKpVTJ6jSrK8EGB6BA/can-i-enforce-mfa-for-console-sign-in-but-not-for-access-key-cli-sign-in](https://repost.aws/questions/QUhxpCEKpVTJ6jSrK8EGB6BA/can-i-enforce-mfa-for-console-sign-in-but-not-for-access-key-cli-sign-in) which points to an even more complicated policy (results the same Access Denied errors) but is silent on how to bypass this policy when using AWS CLI.

Answer

If you are enforcing MFA via a policy then to use CLI, you have to obtain temporary credentials which in turn provides each time a new access key, secret and one session token.

You can follow this article which may help https://repost.aws/knowledge-center/authenticate-mfa-cli

Answer

In the process of posting this question, AWS provided a string of possible solutions, including [https://repost.aws/knowledge-center/mfa-iam-user-aws-cli](https://repost.aws/knowledge-center/mfa-iam-user-aws-cli) which refers to [https://repost.aws/knowledge-center/authenticate-mfa-cli](https://repost.aws/knowledge-center/authenticate-mfa-cli).

I posted the question anyway since previous searches on security keys and MFA did not reveal these solutions.  It is also not clear whether temporary credentials work with physical security keys.  I tried the **aws sts get-session-token --serial-number** with the arn of my YubiKey but the command requires a one-time passcode which the YubiKey does not provide.

It would help if the AWS documentation on setting up MFA devices clearly mentioned the AWS CLI implications.  As a workaround, I am using the security credentials of the new IAM user I mentioned above - that user does not have AWS console access.

Answer

**I just double checked**

Support for security keys is available only with the AWS Management Console.

As a workaround, you can use a virtual MFA device.

YubiKey Policy Appears to Block AWS CLI

Relevant content