Tags: amazon-web-services, amazon-iam, aws-iam-authenticator

aws cli does not ask for MFA code on the test user


It was only recently that I started working on AWS IAM.

My task is to ensure that, for a particular user, an MFA code is required for all commands run from the AWS CLI using temporary access credentials.

Here is what I did:

Using get-session-token, I created the temporary credentials and set them in a profile.

When I execute aws s3 ls --profile <profile_name>, the CLI does not ask for an MFA code.

Unfortunately, nothing helped, even though I referred to many articles and responses on Stack Overflow.

Here are the policy and the profile configuration that were set and used.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        }
    ]
}

~/.aws/credentials file

[mfa_user]
aws_access_key_id = <AccessKeyId>
aws_secret_access_key = <SecretAccessKey>
aws_session_token = IQoJb3JpZ2luX2VjEKn//////////
mfa_serial = arn:aws:iam::9xxxxxxxxxxxx:mfa/some-user

Is there something that I am missing?

I followed various online articles and none of them helped.

https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/

enforce MFA for AWS console login, but not for API calls


Solution

  • You will not be prompted for the MFA value.

    Instead, call get-session-token and supply the MFA value. You will then be provided back a set of temporary credentials.

    Those credentials can be used for any call that requires MFA authorization.

    For an example, see: Authenticate access using MFA through the AWS CLI
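The flow the answer describes, as an added example that is not part of the question or the answer: the MFA code is supplied once to sts:GetSessionToken, and the three values it returns (access key id, secret key, session token) are written into a named profile that later commands use. The script assumes boto3 is installed for the live call in main(), that the long-term keys live in a profile called base (a constructed name), and that MFA_SERIAL is a placeholder ARN you replace with your own device; the FakeSts class is a constructed stand-in so the logic can be exercised offline. One caveat on the policy in the question: the IfExists form of a condition operator evaluates to true when the key is absent from the request context, so an Allow with BoolIfExists/true also matches requests that carry no aws:MultiFactorAuthPresent key; the plain Bool operator is what makes a missing key fall outside the Allow.

```python
"""Obtain MFA-backed temporary credentials via sts:GetSessionToken and
store them in a named profile in the AWS credentials file.

Added example; not code from the question, the answer or AWS.
"""
import configparser
import os
from datetime import datetime, timezone

MFA_SERIAL = "arn:aws:iam::123456789012:mfa/some-user"  # placeholder, constructed
TEMP_PROFILE = "mfa_user"


def request_session_token(sts_client, mfa_serial, token_code, duration=3600):
    """Call sts:GetSessionToken with the MFA device ARN and the current code.

    The STS client is passed in so a real boto3 client or a fake can be used.
    SerialNumber, TokenCode and DurationSeconds are the real API parameters.
    """
    if not (token_code.isdigit() and len(token_code) == 6):
        raise ValueError("MFA token code must be exactly six digits")
    resp = sts_client.get_session_token(
        SerialNumber=mfa_serial, TokenCode=token_code, DurationSeconds=duration
    )
    return resp["Credentials"]


def write_profile(creds, profile, path):
    """Write all three credential parts into [profile] of the credentials file.

    A temporary key pair is only accepted together with its session token,
    so aws_session_token must be written as well. Returns the written section.
    """
    cfg = configparser.ConfigParser()
    cfg.read(path)  # no-op if the file does not exist yet
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    cfg[profile]["aws_access_key_id"] = creds["AccessKeyId"]
    cfg[profile]["aws_secret_access_key"] = creds["SecretAccessKey"]
    cfg[profile]["aws_session_token"] = creds["SessionToken"]
    with open(path, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)  # the credentials file should be readable by the owner only
    return dict(cfg[profile])


def seconds_remaining(creds, now=None):
    """Seconds until the temporary credentials expire; negative means expired."""
    now = now or datetime.now(timezone.utc)
    exp = creds["Expiration"]
    if isinstance(exp, str):  # boto3 returns a datetime; the CLI JSON returns a string
        exp = datetime.fromisoformat(exp.replace("Z", "+00:00"))
    return int((exp - now).total_seconds())


class FakeSts:
    """Constructed stand-in for an STS client, for offline demonstration only."""

    def get_session_token(self, **kwargs):
        self.last_call = kwargs
        return {
            "Credentials": {
                "AccessKeyId": "ASIAEXAMPLEKEYID",     # constructed sample value
                "SecretAccessKey": "example-secret",   # constructed sample value
                "SessionToken": "example-session-token",
                "Expiration": "2030-01-01T00:00:00Z",
            }
        }


if __name__ == "__main__":
    import getpass
    import boto3  # only needed for the live call

    code = getpass.getpass("MFA code: ")
    sts = boto3.Session(profile_name="base").client("sts")
    creds = request_session_token(sts, MFA_SERIAL, code)
    path = os.path.expanduser("~/.aws/credentials")
    write_profile(creds, TEMP_PROFILE, path)
    print(f"profile {TEMP_PROFILE} is valid for {seconds_remaining(creds)} s")
    # Verify from the shell: aws sts get-caller-identity --profile mfa_user
```

After the profile is written, later commands such as aws s3 ls --profile mfa_user run without any prompt; the MFA step already happened inside request_session_token, and when seconds_remaining drops below zero the profile has to be refreshed with a new code.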