I am trying to retrieve a session token on the AWS CLI like so:
aws sts get-session-token --serial-number arn-string --token-code mfacode
where
arn-string is copied from the IAM management console, security credentials for the assigned MFA device, format like arn:aws:iam:<number>:mfa/<name>
mfacode is taken from the registered virtual MFA device.
An error occurred (InvalidClientTokenId) when calling the GetSessionToken operation: The security token included in the request is invalid.
However, I use that MFA device to log in to the console in the browser just fine.
I have only a default profile in my ~/.aws/, but I don't see how this would have any influence.
--token-code in hope to have it prompt me for the MFA device token -- same error
arn:aws:iam:<number>:user/<name> -- same error, as can be expected since the aws get-session-id help clearly states it needs to be the ARN of the MFA device.
I figure this has to do with arn-string rather than the token, but what? Any idea on what causes this problem is most welcome.
Regards, Olaf
You must refresh the credentials before they expire. Another reason for expiration is using the incorrect time. A consistent and accurate time reference is crucial for many server tasks and processes. If your instance's date and time aren't set correctly, the AWS credentials are rejected.
The error "The security token included in the request is invalid" can occur for multiple reasons. One is that the user's credentials are inactive: open the IAM console, click on the user, and in the Security Credentials tab make sure the user's security credentials are active.
Temporary security credentials for IAM users are requested using the AWS Security Token Service (AWS STS) service. Temporary credentials created with the AssumeRole API action last for one hour by default. After temporary credentials expire, they can't be reused.
Solved. maafk's comment nails it down. For the record, and for the next poor soul stumbling into this problem:
The profile used must have the mfa_serial entry. In my case I added the arn-string for the MFA device to my local default profile in ~/.aws/config like so:
[default]
region = eu-central-1
mfa_serial = arn:aws:iam:<number>:mfa/<name>
This string can be found in the console, IAM service under the user, security credentials.
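As an added example (not part of the thread above), the following Python renders the ~/.aws/config stanza from the accepted answer, rejects a serial that is not a well-formed MFA device ARN (such as the user ARN tried in the question), and turns the JSON that `aws sts get-session-token` prints into a ~/.aws/credentials profile while refusing already-expired session tokens. The account id, device name and STS response are constructed placeholders.

```python
import configparser
import io
import json
import re
from datetime import datetime, timezone

# A real MFA device ARN has six colon-separated fields with the region left
# empty: arn:aws:iam::<12-digit account id>:mfa/<device name>
MFA_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:mfa/[\w+=,.@-]+$")

def validate_mfa_serial(serial: str) -> str:
    """Return serial if it is a well-formed MFA device ARN, else raise.
    Rejects the user ARN (...:user/<name>) tried in the question."""
    if not MFA_ARN_RE.match(serial):
        raise ValueError(f"not an MFA device ARN: {serial!r}")
    return serial

def _ini(section: str, values: dict) -> str:
    """Render one INI section in ~/.aws style (key = value)."""
    cp = configparser.ConfigParser()
    cp[section] = values
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()

def render_config(profile: str, region: str, mfa_serial: str) -> str:
    """Build the ~/.aws/config stanza with the mfa_serial entry the answer adds.
    Non-default profiles are headed 'profile <name>' in that file."""
    section = "default" if profile == "default" else f"profile {profile}"
    return _ini(section, {"region": region,
                          "mfa_serial": validate_mfa_serial(mfa_serial)})

def credentials_from_sts(response_json: str, profile: str = "mfa") -> str:
    """Turn the JSON printed by `aws sts get-session-token` into a
    ~/.aws/credentials stanza, refusing credentials that already expired."""
    creds = json.loads(response_json)["Credentials"]
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expires <= datetime.now(timezone.utc):
        raise ValueError("session token already expired; request a new one")
    return _ini(profile, {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    })

# Constructed sample response (not real credentials) in the shape STS returns.
SAMPLE_STS = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE", "SecretAccessKey": "EXAMPLESECRETKEY",
    "SessionToken": "EXAMPLESESSIONTOKEN", "Expiration": "2099-01-01T00:00:00Z"}})
```

Call render_config("default", "eu-central-1", "arn:aws:iam::123456789012:mfa/olaf") to get the config text and credentials_from_sts(SAMPLE_STS) to get a credentials profile; subsequent CLI calls with --profile mfa then use the temporary credentials.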