9

Been using https://github.com/broamski/aws-mfa to handle MFA for AWS with much success. I have three users who get the following error when trying to use it:

An error occurred (AccessDenied) when calling the GetSessionToken operation: MultiFactorAuthentication failed, unable to validate MFA code. Please verify your MFA serial number is valid and associated with this user.

Any ideas on how to troubleshoot? I have 20+ users that are just fine; I'm at the end of my rope on what these three users are doing differently. I've verified that they didn't do a bad copy-pasta into their credentials file.

Allen Fisher
  • It sounds like the MFA serial number associated with the user is incorrect. Check their IAM User record and verify the ID against the code used on their MFA device. – John Rotenstein Dec 15 '20 at 03:48
  • That ended up being the actual issue. Their key was listed as “never used” and a refresh of their key fixed it – Allen Fisher Dec 16 '20 at 02:18
  • This can also happen if username is mis-spelt (including upper/lower case) – RichVel Apr 19 '22 at 16:08
  • Since AWS introduced a Device Name for your Virtual MFA Device, this can cause confusion because previously the MFA serial would be `arn:aws:iam::$ACCOUNT-NUMBER:mfa/$USER` & now it will be `arn:aws:iam::$ACCOUNT-NUMBER:mfa/$DEVICE-NAME` – paulg May 03 '23 at 21:39

3 Answers

2

You should delete the default profile from your AWS machine, in the following files:

  • ~/.aws/credentials
  • ~/.aws/config

It worked for me.

  • This works! That error is so unintuitive, it does not clarify that the `aws configure` does not the other command you run i.e. `aws sts get-session-token` and that is why you get cannot authorise. – Wojtek Dec 17 '21 at 14:06
2

I had the same issue and resolved it by modifying ~/.aws/config. No need to remove the default profile.

As @paulg mentioned in the comments, it should be `arn:aws:iam::$ACCOUNT-NUMBER:mfa/$DEVICE-NAME` instead of user name.

PS: The device name is case-sensitive.

jab
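To make the checks from the answers and comments above concrete (device name rather than user name in the serial, case-sensitive device name, matching account), here is an added example that is not part of any answer on this page. It reads `mfa_serial` (the AWS CLI config key) for a profile from `~/.aws/config`-style text and compares it against the device ARNs that `aws iam list-mfa-devices --user-name USER` reports; the account number, device names and config text are constructed samples.

```python
import configparser
import re
from typing import Optional

# MFA device ARN shape: arn:aws:iam::<12-digit account>:mfa/<device name>.
# Older accounts registered the device under the IAM user name, newer ones
# under the Device Name chosen at enrolment (case-sensitive).
MFA_ARN = re.compile(r"^arn:aws:iam::(\d{12}):mfa/(.+)$")


def mfa_serial_for_profile(config_text: str, profile: str) -> Optional[str]:
    """Read mfa_serial for a profile from ~/.aws/config text.
    Non-default profiles live in a '[profile NAME]' section."""
    cp = configparser.ConfigParser(delimiters=("=",))  # ARNs contain ':'
    cp.read_string(config_text)
    section = "default" if profile == "default" else f"profile {profile}"
    if not cp.has_section(section):
        return None
    return cp.get(section, "mfa_serial", fallback=None)


def diagnose_mfa_serial(configured: str, user_name: str, registered: list) -> str:
    """Compare a configured mfa_serial against the device ARNs IAM reports
    for the user and return a short verdict explaining any mismatch."""
    m = MFA_ARN.match(configured.strip())
    if not m:
        return "malformed: expected arn:aws:iam::<account>:mfa/<device-name>"
    account, device = m.groups()
    if configured.strip() in registered:
        return "ok"
    for r in registered:
        rm = MFA_ARN.match(r)
        if not rm:
            continue
        r_account, r_device = rm.groups()
        if r_account == account and r_device.lower() == device.lower():
            return f"case mismatch: IAM device name is '{r_device}', config has '{device}'"
        if r_account != account and r_device == device:
            return f"wrong account: config says {account}, device is in {r_account}"
    if device == user_name:
        return "legacy form: serial ends in the user name; use the IAM Device Name instead"
    return "no registered MFA device matches this serial"


# Constructed sample config and IAM device listing (not real accounts or devices).
SAMPLE_CONFIG = """
[profile user1]
region = us-east-1
mfa_serial = arn:aws:iam::123456789012:mfa/alice
"""
SAMPLE_DEVICES = ["arn:aws:iam::123456789012:mfa/Alice"]
```

Running `diagnose_mfa_serial(mfa_serial_for_profile(SAMPLE_CONFIG, "user1"), "alice", SAMPLE_DEVICES)` on the sample reports the case mismatch that the accepted comments describe.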
1

You get this if you haven't specified a profile (either inline or as an env variable). You don't need to delete your default profile; if a named profile is not specified in the context then it uses the default profile.

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html

```
$ export AWS_PROFILE=user1
```
Amos Folarin