A very short post only containing the juicy parts, let's get into it.👀
Problem
I recently had to interact with an AWS account that requires MFA for all users. This is fine in the console, which simply prompts you for the MFA code. The CLI is different, however: it only returns a generic AccessDenied error. If MFA is required for all interaction with the account (enforced via SCPs, for example), this is how you can still use the CLI with MFA credentials.
Solution
You have to request a separate access key, secret key and session token from AWS via the CLI. Run the following command with a pair of access keys that normally have access to that account. This call itself is not subject to the MFA restriction (it would be pretty funny to require MFA to ask for MFA credentials haha).
aws sts get-session-token \
--serial-number arn:aws:iam::{AWS::AccountId}:mfa/{User} \
--profile user@yourAccount \
--token-code mfa-code-from-device
Let's break that down:
aws sts get-session-token
is self-explanatory: this is the command that requests the pair of access keys and a session token with MFA "embedded".
--serial-number arn:aws:iam::{AWS::AccountId}:mfa/{User}
refers to the ARN of the MFA device in your user account. You can find it in the IAM console under your user. Make sure to replace {AWS::AccountId} with your actual account ID, e.g. 4567325783.
--profile user@yourAccount
refers to your local setup. I don't have a default CLI profile and I force myself to use the profile flag for every command. You might not have this; just make sure you are executing this command with a pair of access keys that belong to the AWS account you want MFA credentials for.
--token-code mfa-code-from-device
is the MFA code from your device. Replace mfa-code-from-device with the current code (e.g. 452455).
Output
This will output an Access Key, a Secret Key and a Session Token. You have to save all three into a profile in your ~/.aws/credentials file. You can name this profile anything; I tend to name it mfa.
[mfa]
aws_access_key_id = example
aws_secret_access_key = example
aws_session_token = example
Usage
You can use this profile just like any other, with the --profile mfa flag. Note that these credentials are only valid for 12 hours from creation, so you'll likely have to do this every day. I haven't found a better solution as of yet, but if you do have something then please let me know😈
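The three steps above (request the session token, write the three values into a profile, use that profile) can be scripted so the daily refresh is one command. The script below is an added example and is not code from the original post. It assumes the long-lived profile is called user@yourAccount and the temporary one mfa, uses a placeholder MFA device ARN that you must replace, relies on the CLI's --query/--output text flags to get the four credential fields as one tab-separated line, and refuses to store anything whose access key id does not start with ASIA (the prefix AWS uses for temporary credentials), so a mistaken long-lived key never lands in the mfa section.

```shell
#!/bin/sh
# Added example (not from the original post): refresh the [mfa] profile in
# ~/.aws/credentials from the output of `aws sts get-session-token`.
# Assumed names: SOURCE_PROFILE "user@yourAccount" (long-lived keys),
# MFA_PROFILE "mfa", and a placeholder MFA_SERIAL that must be replaced.
set -eu

SOURCE_PROFILE=${SOURCE_PROFILE:-user@yourAccount}
MFA_PROFILE=${MFA_PROFILE:-mfa}
MFA_SERIAL=${MFA_SERIAL:-arn:aws:iam::123456789012:mfa/your-user}   # placeholder ARN
CREDENTIALS_FILE=${CREDENTIALS_FILE:-$HOME/.aws/credentials}

# Validate one tab-separated line as produced by
#   --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' --output text
# and echo the four fields space-separated (none of them contains whitespace).
parse_session_token_output() {
  old_ifs=$IFS
  IFS=$(printf '\t')
  # shellcheck disable=SC2086
  set -- $1
  IFS=$old_ifs
  if [ "$#" -ne 4 ]; then
    echo "unexpected get-session-token output: expected 4 fields, got $#" >&2
    return 1
  fi
  case $1 in
    ASIA*) ;;   # temporary credentials start with ASIA, long-lived keys with AKIA
    *) echo "refusing to store a non-temporary access key id: $1" >&2; return 1 ;;
  esac
  echo "$1 $2 $3 $4"
}

# Replace the [profile] section of a credentials file (creating the file if
# needed) while leaving every other profile untouched.
write_mfa_profile() {
  creds_file=$1
  profile=$2
  access_key=$3
  secret_key=$4
  session_token=$5
  [ -f "$creds_file" ] || : > "$creds_file"
  tmp="$creds_file.tmp.$$"
  awk -v header="[$profile]" '
    $0 == header { skipping = 1; next }   # start of the section being replaced
    /^\[/        { skipping = 0 }         # any other section header ends it
    !skipping
  ' "$creds_file" > "$tmp"
  {
    cat "$tmp"
    printf '[%s]\n' "$profile"
    printf 'aws_access_key_id = %s\n' "$access_key"
    printf 'aws_secret_access_key = %s\n' "$secret_key"
    printf 'aws_session_token = %s\n' "$session_token"
  } > "$creds_file"
  rm -f "$tmp"
  chmod 600 "$creds_file"   # the file now holds live credentials
}

# Live flow: ask STS for MFA-bound credentials (default 12h lifetime) and store them.
# Usage: MFA_RUN=1 sh mfa-refresh.sh 452455
refresh_mfa_profile() {
  token_code=$1
  raw=$(aws sts get-session-token \
    --serial-number "$MFA_SERIAL" \
    --profile "$SOURCE_PROFILE" \
    --token-code "$token_code" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
    --output text)
  fields=$(parse_session_token_output "$raw")
  # shellcheck disable=SC2086
  set -- $fields
  write_mfa_profile "$CREDENTIALS_FILE" "$MFA_PROFILE" "$1" "$2" "$3"
  echo "profile [$MFA_PROFILE] refreshed; credentials expire at $4"
}

if [ "${MFA_RUN:-0}" = 1 ]; then
  refresh_mfa_profile "${1:?usage: MFA_RUN=1 $0 <mfa-code>}"
fi
```

After a run, every other command works as in the post: aws s3 ls --profile mfa. Keeping the awk rewrite section-aware means the long-lived user@yourAccount profile is never touched, only the [mfa] block is replaced.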