How to use MFA with AWS CLI

In order to use MFA with the AWS CLI, you need to use the STS service to generate temporary credentials. At the beginning of each day (by default, temporary credentials are good for 12 hours) you need to run the following:

aws sts get-session-token --serial-number arn:aws:iam::ACCOUNTNUMBER:mfa/IAMUSERNAME --token-code ###### > output.txt

This is the command for virtual tokens. Physical tokens have actual serial numbers. In this command, you would replace ACCOUNTNUMBER, IAMUSERNAME, and ###### appropriately, where ###### is the code from your virtual token.

Now open output.txt and run the following commands, replacing AAAAAA, BBBBBB, CCCCCC with the relevant values from output.txt. These are Linux/Mac export commands. For Windows use ‘set’ instead of ‘export’)

export AWS_ACCESS_KEY_ID=AAAAAA
export AWS_SECRET_ACCESS_KEY=BBBBBB
export AWS_SESSION_TOKEN=CCCCCC

As you might imagine, it would make life easier to script this out instead of doing it manually. output.txt is in JSON (unless you’ve configured your CLI output differently) for easy parsing.

Posted in AWS, cloud, cloud computing

•   LinkedIn
•  Twitter
•   Facebook
•   AngelList
•   Stack Overflow
•  SlideShare
•  GitHub
•  Colnect

• Student Loan Bill Tracker
• The Anomaly Response Network
• The Mars Society
• Coca-Cola Scholars Foundation
• TechStars
• Leukemia & Lymphoma Society
• Cystic Fibrosis Foundation
• PRISM
• Free Bikes 4 Kidz
• Cincinnati Works
• Cincinnati Youth Collaborative

• Feeney Genealogy Project

Reading:

The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations

by Gene Kim

It Doesn't Have to Be Crazy at Work

by Jason Fried

Zero to One: Notes on Startups, or How to Build the Future

by Peter Thiel

Creativity, Inc.: Overcoming the Unseen Forces That Stand in the Way of True Inspiration

by Ed Catmull