I'm trying to get a session token in order to set environment variables in order to use a tool which uploads to S3 but doesn't directly support AWS profiles.
aws sts get-session-token --profile myprofile
Enter MFA code for arn:aws:iam::1234567890:mfa/myid:
An error occurred (AccessDenied) when calling the GetSessionToken operation:
Cannot call GetSessionToken with session credentials
Subsequent calls skip the MFA check, indicating that it passed ok.
Running get-session-token
without the --profile
parameter works fine:
$ aws sts get-session-token
{
"Credentials": {
...
What could be going wrong? Am I even going about this the right way?
The relevant part of my ~/.aws/config
:
[profile otherprofile]
mfa_serial=arn:aws:iam::xxx:mfa/myid
aws_access_key_id=xxx
aws_secret_access_key=xxx
[profile myprofile]
source_profile=otherprofile
region=ap-southeast-2
role_arn=arn:aws:iam::xxx:role/owner
mfa_serial=arn:aws:iam::xxx:mfa/myid
If you have an AWS session token, you can use it to sign in to AWS. To get your session token, go to the AWS Management Console and open the EC2 console. In the EC2 console, under the Security tab, click Session Tokens.
You must refresh the credentials before they expire. Another reason for expiration is using the incorrect time. A consistent and accurate time reference is crucial for many server tasks and processes. If your instance's date and time aren't set correctly, the AWS credentials are rejected.
The session token and the access-key-id are useless without the accompanying secret. It is computationally infeasible to reverse-engineer the secret from key + token + signature.
Your initial call is using an IAM role. It is attempting to call get-session-token
, which will return some temporary credentials.
However, when an IAM Role is used, the AWS CLI automatically uses your normal credentials to call assume-role
, thereby receiving back a set of temporary credentials. It is not possible to call get-session-token
with temporary credentials (from the role). This is why the error message says Cannot call GetSessionToken with session credentials
.
If you wish to call get-session-token
, you will need to do it with your normal credentials, as you have done in your second example.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With