Hi André.
To make sure that we're looking at the right service: Is it correct that you try to register an MFA device for the root user of your organization's management account, i.e. in IAM (not IAM Identity Center)?
You should have a CloudTrail event logged for this action, can you please paste it here (redacting potential sensitive content such as account numbers)? In many cases, these events contain more information than the error you see in the console. The event should be EnableMFADevice and/or ResyncMFADevice for hardware MFA devices.
Thank you for taking the time to answer! Yes, it is the root user of the management account. I have checked CloudTrail and it shows the "AccessDenied":
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "Root",
    "principalId": "...",
    "arn": "arn:aws:iam::...:root",
    "accountId": "...",
    "accessKeyId": "...",
    "userName": "...",
    "sessionContext": {
      "sessionIssuer": {},
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2023-11-30T09:02:38Z",
        "mfaAuthenticated": "true"
      }
    }
  },
  "eventTime": "2023-11-30T09:23:56Z",
  "eventSource": "iam.amazonaws.com",
  "eventName": "EnableMFADevice",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "217.110.100.231",
  "userAgent": "AWS Internal",
  "errorCode": "AccessDenied",
  "requestParameters": null,
  "responseElements": null,
  "requestID": "d817aa38-ee6e-4166-81a0-bd73a42f8085",
  "eventID": "9c48f7ee-cf20-4dac-b421-fefcd6919802",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "...",
  "eventCategory": "Management",
  "sessionCredentialFromConsole": "true"
}
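As an added triage helper (not from this thread and not an AWS tool), the function below filters a CloudTrail log for the EnableMFADevice / ResyncMFADevice errors the reply above asks for and summarises who made the call and under what session. The sample records are constructed from the posted event, with placeholder account values.

```python
import json

# Constructed sample in CloudTrail's {"Records": [...]} file layout, modelled on the
# event pasted in this thread; account-specific values are placeholders.
SAMPLE_TRAIL = json.loads("""{"Records": [
 {"eventTime": "2023-11-30T09:23:56Z", "eventSource": "iam.amazonaws.com",
  "eventName": "EnableMFADevice", "errorCode": "AccessDenied",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root",
   "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
  "sessionCredentialFromConsole": "true", "requestParameters": null},
 {"eventTime": "2023-11-30T09:30:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "ResyncMFADevice", "errorCode": "EntityTemporarilyUnmodifiable",
  "errorMessage": "Device is being used.",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"}},
 {"eventTime": "2023-11-30T09:31:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "EnableMFADevice",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
  "requestParameters": {"userName": "alice",
   "serialNumber": "arn:aws:iam::111111111111:mfa/alice"}},
 {"eventTime": "2023-11-30T09:32:00Z", "eventSource": "sts.amazonaws.com",
  "eventName": "GetCallerIdentity", "userIdentity": {"type": "Root"}}
]}""")

MFA_REGISTRATION_EVENTS = {"EnableMFADevice", "ResyncMFADevice"}

def mfa_registration_failures(trail, identity_type=None):
    """Summarise each IAM EnableMFADevice/ResyncMFADevice call that returned an error.
    Successful calls and non-IAM events are skipped; identity_type="Root" keeps root only."""
    failures = []
    for rec in trail.get("Records", []):
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in MFA_REGISTRATION_EVENTS or "errorCode" not in rec:
            continue
        ident = rec.get("userIdentity", {})
        if identity_type and ident.get("type") != identity_type:
            continue
        attrs = ident.get("sessionContext", {}).get("attributes", {})
        failures.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "identity_type": ident.get("type"),
            "arn": ident.get("arn"),
            # CloudTrail stores these flags as the strings "true"/"false"
            "mfa_authenticated": attrs.get("mfaAuthenticated") == "true",
            "from_console": rec.get("sessionCredentialFromConsole") == "true",
            "error": rec["errorCode"],
            "message": rec.get("errorMessage"),
        })
    return failures
```

Point it at a real trail by loading a downloaded CloudTrail log file with json.load and passing the resulting dict.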
OK that's indeed tricky. I was thinking of an SCP issue (see also this guidance), but they don't apply to the root user in the management account. Do I correctly assume that you don't have the maximum number of MFA devices registered already? Did you try to register a virtual MFA device, just to see if this works?
It might be that you'll need to create a support request for this issue; it looks like it could be something specific to your account.
I have a single virtual MFA device on my account that I have been using for years now (TOTP through Google Authenticator). I don't have SCPs enabled. Looks like I have to upgrade our plan to actually be able to ask such a question to AWS support :-/ Thank you!
Since this is an account-related topic, you are able to open a case also without upgrading your plan. See here:
Basic Support offers support for account and billing questions and service quota increases. The other plans offer a number of technical support cases with pay-by-the-month pricing and no long-term contracts.
I hope this helps resolve the issue!
Now it seems that Titan Security Key v2 is available for USB connection...
https://qiita.com/moritalous/items/3d2d5a7bf6805ae32802
(↑This article is written in Japanese.)
I have no idea why it wasn't available before...
Wow, impressive... AWS lets us do trial and error, it seems...
Same problem here. I have both Titan Key versions; my first MFA device is V1, no problems there, I register it normally, but I just got a new V2 as a backup key and I have the same error message with my root user. Even when I tried deleting the V1 and trying both again, same problem: V1 works fine, V2 always shows an error message.
But... I have an IAM user too, and through IAM Identity Center I can register my TK V2 to my IAM user, no problems there. Maybe there is some restriction on root users using TK V2?
Same problem, and I even tried different browsers (Chrome, Safari and Firefox). From the Chrome console errors I see that "PublicKeyCredentialCreationOptions.pubKeyCredParams" is not specified when WebAuthn is used. From Google Chrome's help page https://chromium.googlesource.com/chromium/src/+/main/content/browser/webauth/pub_key_cred_params.md
This means Google Chrome defaults to ES256 (-7) and RS256 (-257), and the AWS backend is not expecting these values, hence spitting HTTP 400 errors.
Same problem here. In my case, I already have MFA configured with the virtual app Google Authenticator, but when I try to register the Google Titan USB key it fails with the same error.
Same problem here. I can register it on mobile (Android), but when I try to use it in any browser on Windows, it still fails.
Same for me. When I register my Google Titan K52T on my Android phone via NFC, it works. On AWS it is listed as U2F. When I try on the computer by plugging it in, I receive the error message "Error Registering Key".
The key must be registered as an MFA method with Microsoft or another browser company, dependent upon your browser. In my case, this means I registered my key as an MFA method with Microsoft, as my browser during my console session was Microsoft Edge. I do not know the inner workings of each case, but maybe the public key and nonce are not shared from the Titan key unless they come from the browser? Maybe this is not your answer, but it triggers a solution path for others? Best of luck!