I want to be able to execute commands after MFA authentication using the AWS CLI in my local environment.
Below is the configuration I tried.
cat ~/.aws/credentials
[default]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key=YOUR_SECRET_ACCESS_KEY
[mfa]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key=YOUR_SECRET_ACCESS_KEY
~/.aws/config
[profile default]
region=ap-northeast-1
output = json
# Used to switch role and work with administrator accounts
[profile mfa]
role_arn=arn:aws:iam::switched ID:role/SwitchRole
source_profile=default
mfa_serial=arn:aws:iam::switching ID:mfa/mfa
Run the command as a trial. Even if you enter the MFA code, you get an error.
$ aws s3 ls --profile mfa
However, even if we take countermeasures, the following error will appear.
The MFA code seems to be wrong, but it is correct.
An error occurred (AccessDenied) when calling the AssumeRole operation: MultiFactorAuthentication failed with invalid MFA one time pass code.
Please let me know if you have any approaches to identify the cause and work towards a resolution.
aws aws-cli
The question is about MFA, but the cause is different. This is because the switch role mixes the two permissions, making it impossible to know which and what needs to be configured.
The question statement is in the default profile. You must configure MFA here.
~/.aws/credentials
[default]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key=YOUR_SECRET_ACCESS_KEY
~/.aws/config
[default]
region=ap-northeast-1
output = json
mfa_serial=arn:aws:iam::switching ID:mfa/mfa
First, check with aws s3 ls and so on. MFA should be requested.
In the first place, there is no MFA in the role, so we don't need it.
~/.aws/credentials
No need.
~/.aws/config
[profile mfa]
region=ap-northeast-1
output = json
role_arn=arn:aws:iam::switched ID:role/SwitchRole
source_profile=default
~/.aws/credentials
[default]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key=YOUR_SECRET_ACCESS_KEY
~/.aws/config
[default]
region=ap-northeast-1
output = json
mfa_serial=arn:aws:iam::switching ID:mfa/mfa
[profile mfa]
region=ap-northeast-1
output = json
role_arn=arn:aws:iam::switched ID:role/SwitchRole
source_profile=default
Check with aws s3 ls --profile mfa in combination.
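As an added example (not part of the original question or answer), the Python sketch below lints the two files for the role-profile layout used on this page: it checks that `role_arn` and an ARN-style `mfa_serial` are well formed, that `source_profile` resolves to a profile with an access key, and notes when the MFA device and the role sit in different accounts. The `lint_profiles` name, the messages and the sample account IDs are constructed for illustration.

```python
import configparser
import re

# Constructed sample files in the layout from the question; the 12-digit ID is made up.
SAMPLE_CONFIG = """\
[default]
region = ap-northeast-1

[profile mfa]
role_arn = arn:aws:iam::222222222222:role/SwitchRole
source_profile = default
mfa_serial = arn:aws:iam::switching ID:mfa/mfa
"""
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY
"""

# IAM ARNs carry a 12-digit account ID and contain no whitespace.
IAM_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(role|mfa)/(\S+)$")

def _load(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser

def lint_profiles(config_text, credentials_text):
    """Return {profile name: [findings]} for every config profile that sets role_arn."""
    cfg, creds = _load(config_text), _load(credentials_text)
    report = {}
    for section in cfg.sections():
        prof = cfg[section]
        if "role_arn" not in prof:
            continue
        findings = []
        role = IAM_ARN.match(prof["role_arn"])
        if not role or role.group(2) != "role":
            findings.append("error: role_arn is not a well-formed role ARN")
        src = prof.get("source_profile")
        if src is None or not creds.has_section(src) or "aws_access_key_id" not in creds[src]:
            findings.append(f"error: source_profile {src!r} has no access key in credentials")
        serial = prof.get("mfa_serial")
        if serial and serial.startswith("arn:"):  # hardware tokens use a bare serial number
            mfa = IAM_ARN.match(serial)
            if not mfa or mfa.group(2) != "mfa":
                findings.append("error: mfa_serial is not a well-formed MFA device ARN")
            elif role and mfa.group(1) != role.group(1):
                findings.append(f"note: MFA device account {mfa.group(1)}, role account {role.group(1)}")
        report[section.removeprefix("profile ")] = findings
    return report
```

Run against the sample above, the placeholder text left inside `mfa_serial` is reported as a malformed device ARN; pass the contents of your own `~/.aws/config` and `~/.aws/credentials` to check a real setup.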