How to use MFA with AWS CLI?

How do I type in the MFA code when using the AWS CLI? I have checked the documentation page of IAM http://docs.aws.amazon.com/cli/latest/reference/iam/index.html.

I have the MFA-Devices already enabled under my username.

aws iam list-mfa-devices --user-name X 

returns

    {
        "MFADevices": [
            {
                "UserName": "X",
                "SerialNumber": "arn:aws:iam::+++:mfa/X",
                "EnableDate": "2016-01-13T23:15:43Z"
            }
        ]
    }
Hello lad asked Jan 14 '16 17:01




2 Answers

The CLI can manage a lot of this for you if you're using roles. Described here: http://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html

In my credentials file I have:

    [my_iam_user]
    aws_access_key_id = AKIABLAHBLAHBLAHBLAH
    aws_secret_access_key = <blah>
    region = us-east-1

    [my_admin_role]
    role_arn = arn:aws:iam::123456789123:role/my_admin_role
    source_profile = my_iam_user
    mfa_serial = arn:aws:iam::123456789123:mfa/my_iam_user
    region = us-east-1

Note the mfa_serial entry. You can get this value from your user details in the AWS IAM console. This entry tells the CLI that MFA is required for that role.

When I call aws s3 ls --profile my_admin_role, it prompts with "Enter MFA code:"; after I paste in the code it returns the listing.

Note: I haven't found a way to get the CLI to ask for MFA when calling a user profile (--profile my_iam_user); only calling a role profile triggers the MFA request.

The MFA token is then carried forward and the user profile can be used as well:

    aws sts get-caller-identity --profile my_iam_user
    # {
    #   "Account": "123456789123",
    #   "UserId": "AIDABLAHBLAHBLAHBLAH",
    #   "Arn": "arn:aws:iam::123456789123:user/my_iam_user"
    # }

    aws sts get-caller-identity --profile my_admin_role
    # {
    #   "Account": "123456789123",
    #   "UserId": "AROABLAHBLAHBLAHBLAH:AWS-CLI-session-1234567890",
    #   "Arn": "arn:aws:sts::123456789123:assumed-role/my_admin_role/AWS-CLI-session-1234567890"
    # }
Joe Harris answered Sep 18 '22 18:09
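The answer above hinges on one line, mfa_serial: a role profile that has role_arn and source_profile but no mfa_serial will be assumed by the CLI without any MFA prompt. The following is an added example (not from the answer or from AWS) that lints a credentials or config file for exactly that gap. The sample file content is constructed; it copies the answer's layout and adds a second role profile, deploy_role, that deliberately omits mfa_serial.

```python
"""Lint an AWS CLI credentials/config file: every role profile should require MFA.

Added example, not part of the original answer. A profile with role_arn and
source_profile but no mfa_serial is assumed by the CLI without an MFA prompt,
which silently defeats the setup the answer describes.
"""
import configparser
import sys
from pathlib import Path

# Constructed sample in the same layout as the answer's credentials file.
# "deploy_role" is a hypothetical profile that deliberately lacks mfa_serial.
SAMPLE = """
[my_iam_user]
aws_access_key_id = AKIAEXAMPLEEXAMPLE
aws_secret_access_key = EXAMPLE-SECRET
region = us-east-1

[my_admin_role]
role_arn = arn:aws:iam::123456789123:role/my_admin_role
source_profile = my_iam_user
mfa_serial = arn:aws:iam::123456789123:mfa/my_iam_user
region = us-east-1

[profile deploy_role]
role_arn = arn:aws:iam::123456789123:role/deploy_role
source_profile = my_iam_user
region = us-east-1
"""


def profile_name(section):
    """~/.aws/config prefixes section names with "profile "; ~/.aws/credentials does not."""
    return section[len("profile "):] if section.startswith("profile ") else section


def role_profiles_without_mfa(text):
    """Return the names of role profiles (role_arn + source_profile) that lack mfa_serial."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    missing = []
    for section in parser.sections():
        opts = parser[section]
        is_role_profile = "role_arn" in opts and "source_profile" in opts
        if is_role_profile and not opts.get("mfa_serial"):
            missing.append(profile_name(section))
    return missing


def lint_file(path):
    """Lint a real file on disk, e.g. ~/.aws/credentials or ~/.aws/config."""
    return role_profiles_without_mfa(Path(path).read_text())


if __name__ == "__main__":
    # With a path argument the real file is checked; without one the constructed sample is.
    missing = lint_file(sys.argv[1]) if len(sys.argv) > 1 else role_profiles_without_mfa(SAMPLE)
    for name in missing:
        print(f"role profile '{name}' has no mfa_serial: the CLI will not prompt for MFA")
    sys.exit(1 if missing else 0)
```

Run it against both ~/.aws/credentials and ~/.aws/config, since role profiles may live in either; a non-zero exit means at least one role can be assumed from this machine with nothing more than the long-term keys.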


Call aws sts get-session-token --serial-number <serial> --token-code <code> documented here. This will give you a temporary security token. Documentation on using the temporary security token can be found here.

Mark B answered Sep 18 '22 18:09