If 2FA is enabled on your AWS account, you need to get fresh, temporary credentials before you can use the aws cli from the terminal. First get the ARN of your MFA device:
aws iam list-mfa-devices --user-name meandmyself
Then get the creds:
aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token
The arn-of-the-mfa-device is the SerialNumber value returned by the first command, and code-from-token is just the 6-digit code from your 2FA app on your phone or somewhere.
Then copy and paste all of the fields into the ~/.aws/credentials file, but put them under a different profile, since you still need the non-expiring creds used in the commands above.
Example:
```
antisa@antisa-XPS-13-9310:~$ aws iam list-mfa-devices
{
    "MFADevices": [
        {
            "UserName": "ante",
            "SerialNumber": "arn:aws:iam::xxxxxxxxxxxx:mfa/meandmyself",
            "EnableDate": "2024-05-09T11:50:38+00:00"
        }
    ]
}
antisa@antisa-XPS-13-9310:~$ aws sts get-session-token --serial-number arn:aws:iam::xxxxxxxxxx:mfa/meandmyself --token-code 123456
{
    "Credentials": {
        "AccessKeyId": "ASxxxxxxxxxxxx",
        "SecretAccessKey": "wBxxxxxxxxxxxxxxxxxxxxxxxx",
        "SessionToken": "IQoJb3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "Expiration": "2024-10-16T23:56:17+00:00"
    }
}
```
The format in ~/.aws/credentials should be like:
```
[myprofile-session]
aws_access_key_id = xxxxxxxxxxxxxxxxxxx
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
aws_session_token = IQoxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```
Here's a bash script that rewrites the session creds in the file each time you run it. Just pass it the token code and put your own serial number in the script. Remember to source it, e.g.:
. ~/.local/bin/aws_get_session.sh 1234
Or just use this:
```bash
#!/bin/bash
# run this script with source (.) command since we need access to
# the exported AWS_PROFILE variable below in the parent shell e.g.
# . ~/.local/bin/aws_get_session.sh 1234

# debug
# set -x

if [ "${BASH_SOURCE[0]}" -ef "$0" ]
then
    echo "Hey, you should source this script, not execute it!"
    echo "e.g. '. aws_get_session.sh 1234'"
    exit 1
fi

# quote $1 so the test also works for an empty or missing argument
if [ -z "$1" ]; then
    echo "You must provide 2FA token!"
    return 1
fi

# colors
On_Yellow='\033[43m'
On_White='\033[47m'
NC='\033[0m' # No Color

echo "Deleting old creds..."
# delete the profile header plus the three key lines written below
sed -i '/\[myprofile-session\]/,+3d' ~/.aws/credentials

echo "Creating new creds..."
# use existing profile
KST=$(AWS_PROFILE=myprofile aws sts get-session-token --serial-number arn:aws:iam::xxxxxxxxxxxxxx:mfa/meandmyself --token-code "$1")

# stop here if the call failed (e.g. wrong code), so no empty profile is written
if [ -z "$KST" ]; then
    echo "get-session-token failed, no creds written"
    return 1
fi

cat << EOF >> ~/.aws/credentials
[myprofile-session]
aws_access_key_id = $(echo "$KST" | jq '.Credentials.AccessKeyId' | tr -d '"')
aws_secret_access_key = $(echo "$KST" | jq '.Credentials.SecretAccessKey' | tr -d '"')
aws_session_token = $(echo "$KST" | jq '.Credentials.SessionToken' | tr -d '"')
EOF

# below export will only work when sourcing this script
export AWS_PROFILE=myprofile-session
echo -e "Current AWS_PROFILE set to ${On_Yellow}$AWS_PROFILE${NC}"
```
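The script above removes the old session profile with a fixed line count, which only works while that section keeps the same number of lines. The following is an added example, not part of the original script: it replaces the section by its header boundaries and writes the file owner-only. The function names, the `MFA_ARN` variable and all key values are assumptions made up for illustration.

```shell
#!/bin/bash
# Added example: replace one profile section in an AWS credentials file.
# update_session_profile FILE PROFILE ACCESS_KEY SECRET_KEY SESSION_TOKEN
update_session_profile() {
    local file=$1 profile=$2 key=$3 secret=$4 token=$5 tmp
    # Refuse to write a half-empty profile (e.g. when the STS call failed).
    if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
        echo "missing credential field, file left unchanged" >&2
        return 1
    fi
    (
        umask 077                        # files created here are owner-only
        tmp=$(mktemp "${file}.XXXXXX") || exit 1
        [ -f "$file" ] || : > "$file"
        # Copy every section except [PROFILE]; a section runs from its header
        # to the next line that starts with "[".
        awk -v hdr="[$profile]" '
            /^\[/ { skip = ($0 == hdr) }
            !skip { print }
        ' "$file" > "$tmp" || exit 1
        {
            printf '[%s]\n' "$profile"
            printf 'aws_access_key_id = %s\n' "$key"
            printf 'aws_secret_access_key = %s\n' "$secret"
            printf 'aws_session_token = %s\n' "$token"
        } >> "$tmp" || exit 1
        mv "$tmp" "$file"                # replace the file in one step
    )
}

# With the real CLI (bash; MFA_ARN is a hypothetical variable holding your ARN):
#   IFS=$'\t' read -r k s t < <(AWS_PROFILE=myprofile aws sts get-session-token \
#       --serial-number "$MFA_ARN" --token-code "$1" --output text \
#       --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]')
#   update_session_profile ~/.aws/credentials myprofile-session "$k" "$s" "$t"

# Constructed sample file: a long-term profile, a stale session profile and a
# profile that follows it. Prints the file after the update.
demo_update() {
    local f; f=$(mktemp) || return 1
    printf '%s\n' '[myprofile]' 'aws_access_key_id = AKIAEXAMPLE' \
        'aws_secret_access_key = longterm' \
        '[myprofile-session]' 'aws_access_key_id = ASIAOLD' \
        'aws_secret_access_key = old' 'aws_session_token = old' \
        '[other]' 'aws_access_key_id = AKIAOTHER' > "$f"
    update_session_profile "$f" myprofile-session ASIANEW newsecret newtoken
    cat "$f"; rm -f "$f"
}
```

Because the new section is always appended last, profiles that were listed after the old session section stay intact and simply move ahead of it.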