4
votes

With the Amazon AWS command line interface, I can't successfully log in with an MFA token

I can log in via the web interface; MFA has been enabled. If I log in via the web interface, I need to provide: Account, User Name, Password, enable MFA token, MFA code

Now I need to do it from the command line interface. I installed the awscli tool, following the Amazon documentation: http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE      # I think this is Username
aws_secret_access_key=wJalrXUtnFEM          # I think this is Password
aws_session_token=example123324             # I think this is MFA code

I'm not sure how to set the AWS Account (also called alias) and the enable MFA token option.

Any ideas?


4 Answers

1
votes

Those are the wrong credentials for logging into the AWS web console.

What you are showing is the Access Key (they always start with AKI) of the Access Credentials (you could also use a Signing Certificate).

To log into the web console you need Sign-In Credentials, which consist of a username (email) and a password. Optionally, you can (and should) also enable Multi-Factor Authentication.

You selected the Account Alias when you signed up for AWS. If you have forgotten it, but still have a working Access Key, see the documentation on how to retrieve the alias: http://docs.aws.amazon.com/cli/latest/reference/iam/list-account-aliases.html

5
votes

Since mid-October, there is an actual solution to this problem: the aws-cli now supports assuming a role and using MFA when getting the role.

The way to use it is explained in this article. It works great.

BTW, some AWS-independent devs have implemented another way to use MFA with the CLI: https://github.com/lonelyplanet/aws-mfa
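One way to get MFA-backed credentials for the CLI, shown as an added example that is not part of the original answers or of the linked tools: the `aws_session_token` value is issued by `aws sts get-session-token` in exchange for the long-term keys plus the current MFA code, and is then stored in a separate profile. The profile name `mfa`, the device ARN and the sample response are constructed placeholders.

```python
import configparser
import json
import subprocess
from pathlib import Path

# Constructed sample of the JSON that `aws sts get-session-token` returns
# (placeholder values, not real credentials).
SAMPLE_RESPONSE = {"Credentials": {
    "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "SessionToken": "FQoGZXIvYXdzEXAMPLETOKEN",
    "Expiration": "2030-01-01T12:00:00Z"}}


def fetch_session(serial_number, token_code, source_profile="default", duration=3600):
    """Exchange long-term keys plus a current MFA code for temporary credentials."""
    cmd = ["aws", "sts", "get-session-token", "--profile", source_profile,
           "--serial-number", serial_number, "--token-code", token_code,
           "--duration-seconds", str(duration), "--output", "json"]
    result = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


def write_mfa_profile(sts_response, credentials_path, profile="mfa"):
    """Store the temporary credentials under [profile]; return their expiry time."""
    creds = sts_response["Credentials"]
    missing = [k for k in ("AccessKeyId", "SecretAccessKey", "SessionToken") if not creds.get(k)]
    if missing:
        raise ValueError(f"STS response lacks {missing}")
    path = Path(credentials_path)
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)  # keep existing profiles such as [default]
    cfg[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],  # issued by STS, not the 6-digit code
    }
    path.touch(mode=0o600, exist_ok=True)
    path.chmod(0o600)  # credentials file readable by the owner only
    with path.open("w") as fh:
        cfg.write(fh)
    return creds["Expiration"]


if __name__ == "__main__":
    # Placeholder ARN: use the MFA device ARN shown on your IAM user.
    serial = "arn:aws:iam::123456789012:mfa/example-user"
    response = fetch_session(serial, input("MFA code: ").strip())
    expires = write_mfa_profile(response, Path.home() / ".aws" / "credentials")
    print(f"Profile [mfa] valid until {expires}; use: aws --profile mfa ...")
```

Rewriting the file through `configparser` drops any comment lines it contained, and the temporary profile has to be refreshed once the returned expiry time passes.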

0
votes

To log in using an MFA token you first need to integrate your MFA device (be it virtual or physical). To enable the MFA token option you need to first log in to the web interface, then go to IAM, then Users. Now search for your user ID and select it. Under the Security Credentials tab you will get the Enable MFA Device option. Click on it and you will get a wizard for MFA integration. For detailed steps follow the link http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/virtual-mfa.html

Thanks

Rajarshi Haldar

0
votes

I have released very easy-to-use scripts that make it easy to enable or disable a virtual MFA device, and to start MFA and role sessions from the command line. They can be found in GitHub at https://github.com/vwal/awscli-mfa