amazon web services – How to use MFA with AWS CLI?

amazon web services – How to use MFA with AWS CLI?

The CLI can manage a lot of this for you if youre using roles. Described here:

In my credentials file I have:

aws_access_key_id = AKIABLAHBLAHBLAHBLAH
aws_secret_access_key = <blah>
region = us-east-1

role_arn = arn:aws:iam::123456789123:role/my_admin_role
source_profile = my_iam_user
mfa_serial = arn:aws:iam::123456789123:mfa/my_iam_user
region = us-east-1

Note the mfa_serial entry. You can get this value from your user details in the AWS IAM console. This entry tells the CLI that MFA is required for that role.

When I call aws s3 ls --profile my_admin_role it says Enter MFA code:, after I paste in the code it returns the listing.

Note: I havent found a way to get the CLI to ask for MFA when calling a user profile (--profile my_iam_user) only calling a role profile triggers the MFA request.

The MFA token is then carried forward and the user profile can be used as well:

aws sts get-caller-identity --profile my_iam_user
 # {
 # Account: 123456789123,
 # Arn: arn:aws:iam::123456789123:user/my_iam_user
 # }

aws sts get-caller-identity --profile my_admin_role
 # {
 # Account: 123456789123,
 # UserId: AROABLAHBLAHBLAHBLAH:AWS-CLI-session-1234567890,
 # Arn: arn:aws:sts::123456789123:assumed-role/my_admin_role/AWS-CLI-session-1234567890
 # }

Call aws sts get-session-token --serial-number <serial> --token-code <code> documented here. This will give you a temporary security token. Documentation on using the temporary security token can be found here.

amazon web services – How to use MFA with AWS CLI?

Step-by-step manual solution:

  1. Request a session token with MFA
aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token

arn-of-the-mfa-device: visible from your user IAM

  • Option: Use CLI to retrieve: aws iam list-mfa-devices --user-name ryan
  • Option: View in IAM console: IAM –> Users –> –> Security Credentials

code-from-token: 6 digit code from your configured MFA device

  1. Create a profile with the returned credentials
aws configure --profile cli

aws configure set --profile cli aws_session_token <SESSION_TOKEN_HERE>

aws_session_token is not included in aws configure

  1. Test command
aws s3 ls --profile cli

Leave a Reply

Your email address will not be published.