
It was in the recent past that I started working on AWS IAM.

My task is to ensure that, for a particular user, an MFA code is asked for on every command triggered from the AWS CLI using temporary access credentials.

Here is what I did:

Using get-session-token I created the temporary credentials and set them in a profile.

When I execute aws s3 ls --profile <profile_name>, the CLI does not ask for an MFA code.

Unfortunately, nothing helped me out, even though I referred to many articles and responses on Stack Overflow.

Please find below the policy and the profile configuration that were set and used.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        }
    ]
}

~/.aws/credentials file

[mfa_user]
aws_access_key_id = <AccessKeyId>
aws_secret_access_key = <SecretAccessKey>
aws_session_token = IQoJb3JpZ2luX2VjEKn//////////
mfa_serial = arn:aws:iam::9xxxxxxxxxxxx:mfa/some-user

Is there something that I am missing?

I followed various online articles and nothing helped me out.

https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/

enforce MFA for AWS console login, but not for API calls

Hari
  • 441
  • 6
  • 15
  • "nothing helped me out": what does it mean? What exactly does not work? How exactly are you using the CLI? Any error messages? – Marcin Dec 08 '20 at 09:56
  • What can the user do? Can they make _any_ API call, or are all API calls rejected? If you are using the AWS CLI with an MFA, then you will need to call [get-session-token](https://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html) while passing an MFA value. It will return a set of temporary credentials that the user can then use to call AWS. – John Rotenstein Dec 08 '20 at 10:27
  • @Marcin, it does not ask for an MFA code when API calls are made – Hari Dec 08 '20 at 10:54
  • @JohnRotenstein, I set up the temporary credentials that I received on calling get-session-token. Later I set those credentials in a profile. Unfortunately, when I execute 'aws s3 ls', the AWS CLI does not ask for an MFA code. I want to enforce the MFA code for any action/command – Hari Dec 08 '20 at 10:56
  • I edited the post for better understanding – Hari Dec 08 '20 at 11:09
  • You supply MFA once, when getting the credentials. You don't supply MFA on every subsequent API action. That's broadly how MFA works. When you log into a site that requires MFA then you supply MFA once and, once the session is established, you operate normally (without having to re-supply MFA at every turn). STS credentials have a limited time before they expire (at which time you need to get a new set of credentials, that will again require MFA). – jarmod Dec 08 '20 at 11:46

1 Answer

You will not be prompted for the MFA value.

Instead, call get-session-token and supply the MFA value. You will then be provided back a set of temporary credentials.

Those credentials can be used for any call that requires MFA authorization.

For an example, see: Authenticate access using MFA through the AWS CLI

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
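The following is an added example, not code from the question or the answer above. It walks through the once-per-session flow the answer describes (one get-session-token call carrying the MFA code, then a credentials profile built from the response) and evaluates the Condition block of the policy posted in the question against three kinds of request context. The profile name, MFA serial, token code and STS response are constructed sample values; the evaluator only models the Bool and BoolIfExists operators on aws:MultiFactorAuthPresent, not action or resource matching. It goes one step beyond the thread by also showing the plain Bool operator beside BoolIfExists, because the documented difference between them is exactly what a request made with a long-term access key (where the key is absent from the context) hits.

```python
"""Added example (not from the question or answer): the once-per-session
MFA flow from the answer, and how the question's BoolIfExists condition
evaluates for different kinds of credentials. Profile name, MFA serial,
token code and the STS response below are constructed sample values."""
from datetime import datetime, timezone

# The policy posted in the question, verbatim.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# Same statement with the plain Bool operator, for comparison.
STRICT_STATEMENT = {
    "Effect": "Allow", "Action": "*", "Resource": "*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
}

# Constructed stand-in for the JSON that `aws sts get-session-token` returns.
SAMPLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "EXAMPLE/SECRET/KEY",
        "SessionToken": "IQoJb3JpZ2luX2VjEKn...EXAMPLE",
        "Expiration": "2020-12-08T22:00:00+00:00",
    }
}


def get_session_token_args(mfa_serial, token_code, duration_seconds=3600):
    """Argument list for the one-time STS call the answer describes.
    The MFA code is supplied here, once; it is not asked for per command."""
    return ["aws", "sts", "get-session-token",
            "--serial-number", mfa_serial,
            "--token-code", token_code,
            "--duration-seconds", str(duration_seconds)]


def render_profile(profile, response):
    """Render the temporary credentials as a ~/.aws/credentials section
    (the three keys the CLI reads from the STS response)."""
    c = response["Credentials"]
    return (f"[{profile}]\n"
            f"aws_access_key_id = {c['AccessKeyId']}\n"
            f"aws_secret_access_key = {c['SecretAccessKey']}\n"
            f"aws_session_token = {c['SessionToken']}\n")


def session_expired(response, now_iso):
    """True once the temporary credentials have expired and a fresh
    get-session-token call (with a new MFA code) is needed."""
    exp = datetime.fromisoformat(response["Credentials"]["Expiration"])
    return datetime.fromisoformat(now_iso) >= exp


def condition_allows(statement, request_context):
    """Evaluate only the statement's Condition block. request_context maps
    condition keys to bools; a missing key models a request whose context
    does not carry that key at all (action/resource matching is not modelled)."""
    for operator, tests in statement.get("Condition", {}).items():
        for key, expected in tests.items():
            if key not in request_context:
                if operator.endswith("IfExists"):
                    continue      # ...IfExists: an absent key counts as a match
                return False      # plain Bool: an absent key is a mismatch
            actual = "true" if request_context[key] else "false"
            if actual != str(expected).lower():
                return False
    return True


# aws:MultiFactorAuthPresent is only set for temporary credentials;
# a request signed with a long-term access key leaves it absent.
CONTEXTS = {
    "session token obtained with MFA": {"aws:MultiFactorAuthPresent": True},
    "session token obtained without MFA": {"aws:MultiFactorAuthPresent": False},
    "long-term access key (key absent)": {},
}


def evaluate_all(statement):
    return {name: condition_allows(statement, ctx) for name, ctx in CONTEXTS.items()}


if __name__ == "__main__":
    print(" ".join(get_session_token_args("arn:aws:iam::123456789012:mfa/some-user", "123456")))
    print(render_profile("mfa_user", SAMPLE_RESPONSE))
    print("expired:", session_expired(SAMPLE_RESPONSE, datetime.now(timezone.utc).isoformat()))
    for name, allowed in evaluate_all(QUESTION_POLICY["Statement"][0]).items():
        print(f"BoolIfExists  {name:38s} allowed={allowed}")
    for name, allowed in evaluate_all(STRICT_STATEMENT).items():
        print(f"Bool          {name:38s} allowed={allowed}")
```

Run as a script it prints the STS command line, the profile section, and a table of allow/deny results. The first two rows match the thread: a session token obtained with the MFA code is allowed on every call without a further prompt, and one obtained without it is refused. The third row is the caveat worth knowing when reading the posted policy: with BoolIfExists the request made with the user's long-term access key is also allowed, because the key is absent and the IfExists form treats an absent key as satisfied; the plain Bool form does not.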