Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

aws sts get-session-token fails with profile

I'm trying to get a session token in order to set environment variables in order to use a tool which uploads to S3 but doesn't directly support AWS profiles.

aws sts get-session-token --profile myprofile
Enter MFA code for arn:aws:iam::1234567890:mfa/myid:

An error occurred (AccessDenied) when calling the GetSessionToken operation: 
Cannot call GetSessionToken with session credentials

Subsequent calls skip the MFA check, indicating that it passed ok.

Running get-session-token without the --profile parameter works fine:

$ aws sts get-session-token
{
    "Credentials": {
...

What could be going wrong? Am I even going about this the right way?

The relevant part of my ~/.aws/config:

[profile otherprofile]
mfa_serial=arn:aws:iam::xxx:mfa/myid
aws_access_key_id=xxx
aws_secret_access_key=xxx

[profile myprofile]
source_profile=otherprofile
region=ap-southeast-2
role_arn=arn:aws:iam::xxx:role/owner
mfa_serial=arn:aws:iam::xxx:mfa/myid
like image 362
Steve Bennett Avatar asked Apr 02 '19 05:04

Steve Bennett


People also ask

How do I get my AWS session token?

If you have an AWS session token, you can use it to sign in to AWS. To get your session token, go to the AWS Management Console and open the EC2 console. In the EC2 console, under the Security tab, click Session Tokens.

How do I resolve the error the security token included in the request is expired?

You must refresh the credentials before they expire. Another reason for expiration is using the incorrect time. A consistent and accurate time reference is crucial for many server tasks and processes. If your instance's date and time aren't set correctly, the AWS credentials are rejected.

Is AWS session token secret?

The session token and the access-key-id are useless without the accompanying secret. It is computationally infeasible to reverse-engineer the secret from key + token + signature.


1 Answers

Your initial call is using an IAM role. It is attempting to call get-session-token, which will return some temporary credentials.

However, when an IAM Role is used, the AWS CLI automatically uses your normal credentials to call assume-role, thereby receiving back a set of temporary credentials. It is not possible to call get-session-token with temporary credentials (from the role). This is why the error message says Cannot call GetSessionToken with session credentials.

If you wish to call get-session-token, you will need to do it with your normal credentials, as you have done in your second example.

like image 145
John Rotenstein Avatar answered Sep 19 '22 16:09

John Rotenstein