...


Access to some AWS resources requires an AWS Security Token Service (STS) session in which an MFA key was used to generate the temporary security credentials for an IAM User. This page provides details on how to use MFA and STS together on the command line with the AWS CLI (v1).

...

Generating Temporary Security Credentials

Example CLI

# Confirm that IAM user credentials are working
$ aws sts get-caller-identity
{
	"UserId": "AIDAXXXXXXXXXXXXXXXXX",
	"Account": "123456789012",
	"Arn": "arn:aws:iam::123456789012:user/pea1"
}

# Generate temporary credentials. The code from the MFA is "987654" at the time the command is executed
$ aws sts get-session-token --serial-number arn:aws:iam::123456789012:mfa/pea1 --token-code 987654
{
	"Credentials": {
		"AccessKeyId": "ASIAYYYYYYYYYYYYYYYY",
		"SecretAccessKey": "ABC****************************************",
		"SessionToken": "DEF********************************************************************************",
		"Expiration": "2020-06-13T01:29:49Z"
	}
}
 
# Set up the environment to use the new temporary credentials
$ export AWS_ACCESS_KEY_ID=ASIAYYYYYYYYYYYYYYYY
$ export AWS_SECRET_ACCESS_KEY=ABC****************************************
$ export AWS_SESSION_TOKEN=DEF********************************************************************************
 
# Unfortunately, you cannot tell that the new session is temporary or that MFA was involved.
$ aws sts get-caller-identity
{
	"UserId": "AIDAXXXXXXXXXXXXXXXXX",
	"Account": "123456789012",
	"Arn": "arn:aws:iam::123456789012:user/pea1"
}
$ 

See also https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
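
The same steps as shell functions, so the secret key and session token are never pasted by hand or typed into shell history. This is an added example, not part of the original page: the function names and the `MFA_SESSION_EXPIRES` variable are hypothetical, and it assumes the long-term IAM user keys live in the shared credentials file rather than in environment variables.

```shell
#!/bin/sh
# Added example. MFA_SESSION_EXPIRES is a hypothetical variable for this
# script only; the AWS CLI does not read it.

# Export the four tab-separated fields produced by
#   --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' --output text
load_mfa_session() {
    IFS="$(printf '\t')" read -r key secret token expiry <<EOF
$1
EOF
    # Temporary STS access key IDs start with ASIA; reject anything else.
    case "$key" in
        ASIA*) ;;
        *) echo "load_mfa_session: not a temporary access key" >&2; return 1 ;;
    esac
    if [ -z "$secret" ] || [ -z "$token" ] || [ -z "$expiry" ]; then
        echo "load_mfa_session: incomplete credential set" >&2
        return 1
    fi
    export AWS_ACCESS_KEY_ID="$key" AWS_SECRET_ACCESS_KEY="$secret"
    export AWS_SESSION_TOKEN="$token" MFA_SESSION_EXPIRES="$expiry"
    unset key secret token expiry
}

# Returns 0 when no session is loaded or its Expiration has passed.
# Optional $1 overrides "now". Both values are UTC in the format shown on
# this page (2020-06-13T01:29:49Z), which orders correctly as plain text.
mfa_session_expired() {
    [ -n "${MFA_SESSION_EXPIRES:-}" ] || return 0
    now="${1:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
    expr "$MFA_SESSION_EXPIRES" '<=' "$now" >/dev/null
}

# Usage: mfa_login <mfa-serial-arn> <token-code>
# Session variables left from an earlier login are dropped inside the
# subshell, because GetSessionToken cannot be called with temporary
# credentials. If the aws call fails its output is empty and
# load_mfa_session rejects it.
mfa_login() {
    load_mfa_session "$(
        unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
        aws sts get-session-token --serial-number "$1" --token-code "$2" \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
            --output text
    )"
}
```

Source the file, then run `mfa_login arn:aws:iam::123456789012:mfa/pea1 987654`; `mfa_session_expired` can gate later commands so a stale session triggers a fresh login.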