If 2FA is enabled on your AWS account, in order to use aws cli command from terminal you need to get the fresh credentials. First get the arn:

aws iam list-mfa-devices --user-name meandmyself

Then get the creds:

aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token

The arn-of-the-mfa-device is from the first command and code-from-token is just the 6-digit code from your 2FA app on your phone or somewhere.

Then copy paste all of the fields in ~/.aws/credentials file, but put it under a different profile since you stil need the non-expiration creds used in commands above.

Example:

antisa@antisa-XPS-13-9310:~$ aws iam list-mfa-devices
{
    "MFADevices": [
        {
            "UserName": "ante",
            "SerialNumber": "arn:aws:iam::xxxxxxxxxxxx:mfa/meandmyself",
            "EnableDate": "2024-05-09T11:50:38+00:00"
        }
    ]
}

antisa@antisa-XPS-13-9310:~$ aws sts get-session-token --serial-number arn:aws:iam::xxxxxxxxxx:mfa/meandmyself --token-code 123456
{
    "Credentials": {
        "AccessKeyId": "ASxxxxxxxxxxxx",
        "SecretAccessKey": "wBxxxxxxxxxxxxxxxxxxxxxxxx",
        "SessionToken": "IQoJb3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "Expiration": "2024-10-16T23:56:17+00:00"
    }
}

The format in ~/.aws/credentials should be like:

[myprofile-session]
aws_access_key_id = xxxxxxxxxxxxxxxxxxx
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
aws_session_token = IQoxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Here's a bash script that adds the creds each time to the file. Just pass it token-code and add your serial number. Remember to source it e.g.

. ~/.local/bin/aws_get_session.sh 1234

aws_get_session.sh

#!/bin/bash
# run this script with source (.) command since we need access to 
# the exported AWS_PROFILE variable below in the parent shell e.g.
# . ~/.local/bin/aws_get_session.sh 1234
 
#set -x
# colors
On_Yellow='\033[43m'
On_White='\033[47m'
NC='\033[0m' # No Color
 
echo "Deleting old creds..."
sed -i '/\[myprofile-session\]/,+4d' ~/.aws/credentials
 
echo "Creating new creds..."
# use existing profile
KST=$(AWS_PROFILE=myprofile aws sts get-session-token --serial-number arn:aws:iam::xxxxxxxxxxxxxx:mfa/meandmyself --token-code "$1")
cat << EOF >> ~/.aws/credentials
[myprofile-session]
aws_access_key_id = $(echo "$KST" | jq '.Credentials.AccessKeyId' | tr -d '"')
aws_secret_access_key = $(echo "$KST" | jq '.Credentials.SecretAccessKey' | tr -d '"')
aws_session_token = $(echo "$KST" | jq '.Credentials.SessionToken' | tr -d '"')
 
EOF
 
# below export will only work when sourcing this script
export AWS_PROFILE=myprofile-session
echo -e "Current AWS_PROFILE set to ${On_Yellow}$AWS_PROFILE${NC}"

• aws-cli/2.12.5 Python/3.11.4 Linux/6.8.0-45-generic exe/x86_64.ubuntu.22 prompt/off

• https://stackoverflow.com/questions/34795780/how-to-use-mfa-with-aws-cli
• https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html