I set up mfa authentication with awscli, but it doesn't work.


I want to be able to execute the command after mfa authentication using aws cli in the local environment.

Below is the configuration I tried.

cat ~/.aws/credentials

[default]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY

[mfa]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key=YOUR_SECRET_ACCESS_KEY

~/.aws/config

[profile default]
region=ap-northeast-1
output = json

# Used to switch role and work with administrator accounts
[profile mfa]
role_arn=arn:aws:iam::switched ID:role/SwitchRole
source_profile=default
mfa_serial=arn:aws:iam::switching ID:mfa/mfa

Run the command as a trial. Even if you enter the MFA code, you get an error.

$ aws s3 ls --profile mfa

However, even if we take countermeasures, the following error will appear.
The MFA code seems to be wrong, but it is correct.

An error occurred (AccessDenied) when calling the AssumeRole operation: MultiFactorAuthentication failed with invalid MFA one time pass code.

Please let me know if you have any approaches to identify the cause and work towards a resolution.

aws aws-cli

2022-11-02 00:20

1 Answer

The question is about MFA, but the cause is different. This is because the switch role mixes the two permissions, making it impossible to know which and what needs to be configured.

The question statement is in the default profile. You must configure MFA here.

~/.aws/credentials

[default]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key=YOUR_SECRET_ACCESS_KEY

~/.aws/config

[default]
region=ap-northeast-1
output = json
mfa_serial=arn:aws:iam::switching ID:mfa/mfa

First, check with aws s3 ls and so on. MFA should be requested.

In the first place, there is no MFA in the role, so we don't need it.

~/.aws/credentials

No need.

~/.aws/config

[profile mfa]
region=ap-northeast-1
output = json
role_arn=arn:aws:iam::switched ID:role/SwitchRole
source_profile=default

~/.aws/credentials

[default]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key=YOUR_SECRET_ACCESS_KEY

~/.aws/config

[default]
region=ap-northeast-1
output = json
mfa_serial=arn:aws:iam::switching ID:mfa/mfa

[profile mfa]
region=ap-northeast-1
output = json
role_arn=arn:aws:iam::switched ID:role/SwitchRole
source_profile=default

Check aws s3 ls --profile mfa in combination.


2022-11-02 00:20
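One offline check that helps narrow down this AssumeRole MFA error, as an added example that is not part of the question or the answer above: the linter below compares the account in a role profile's `mfa_serial` with the account of the user behind `source_profile`, since the MFA device sent to AssumeRole must belong to the calling user. The account IDs, the sample config (with a wrong-account `mfa_serial` introduced on purpose) and the function names are constructed for illustration; `caller_account` is the `Account` value printed by `aws sts get-caller-identity --profile default`.

```python
import configparser
import re

# Constructed sample shaped like the question's ~/.aws/config. Account IDs are
# made up: 111111111111 = the IAM user's account, 222222222222 = the role's.
SAMPLE_CONFIG = """
[default]
region = ap-northeast-1

[profile mfa]
role_arn = arn:aws:iam::222222222222:role/SwitchRole
source_profile = default
mfa_serial = arn:aws:iam::222222222222:mfa/mfa
"""

ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|mfa)/.+$")


def arn_account(arn, kind):
    """Return the account ID of an IAM role/mfa ARN, or None if malformed."""
    m = ARN_RE.match(arn or "")
    return m.group(1) if m and m.group(2) == kind else None


def lint_role_profiles(config_text, caller_account):
    """Return (profile, finding) pairs for every profile that has a role_arn."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    findings = []
    for section in cfg.sections():
        prof = cfg[section]
        if "role_arn" not in prof:
            continue  # plain credential profile, nothing to assume
        name = section.replace("profile ", "", 1)
        if arn_account(prof["role_arn"], "role") is None:
            findings.append((name, "role_arn is not a well-formed IAM role ARN"))
        serial = prof.get("mfa_serial")
        if serial is None:
            findings.append((name, "no mfa_serial: no MFA code is sent to AssumeRole"))
        elif serial.startswith("arn:"):  # hardware serial numbers are not checked
            acct = arn_account(serial, "mfa")
            if acct is None:
                findings.append((name, "mfa_serial is not a well-formed MFA device ARN"))
            elif acct != caller_account:
                findings.append((name, "mfa_serial account %s differs from caller account %s"
                                 % (acct, caller_account)))
    return findings
```

Pasting a config that still contains a placeholder such as `switching ID` in `mfa_serial` is reported as a malformed ARN.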
