How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI?

It's a best practice to protect your account and its resources by using a multi-factor authentication device (MFA). If you plan to interact with your resources using the AWS Command Line Interface (CLI) while using an MFA device, you must create a temporary session token instead.

After you install and configure the latest version of the AWS CLI, run the sts get-session-token AWS CLI command, replacing the variables with information from your account, resources, and MFA device:

$ aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token

You'll receive output with temporary credentials and an expiration time for those temporary credentials (by default, 12 hours), in a format similar to the following:

{
    "Credentials": {
        "SecretAccessKey": "secret-access-key",
        "SessionToken": "temporary-session-token",
        "Expiration": "expiration-date-time",
        "AccessKeyId": "access-key-id"
    }
}

Note: You can specify an expiration duration (in seconds) using the --duration-seconds option in the same command, where the value can range from 900 seconds (15 minutes) to 129600 seconds (36 hours).

Using temporary credentials with environment variables

You can use temporary credentials by exporting their values to environment variables using the following commands (in Linux):

$ export AWS_ACCESS_KEY_ID=<Access-Key-as-in-Previous-Output>
$ export AWS_SECRET_ACCESS_KEY=<Secret-Access-Key-as-in-Previous-Output>
$ export AWS_SESSION_TOKEN=<Session-Token-as-in-Previous-Output>

For Windows, you can use the following commands instead:

> set AWS_ACCESS_KEY_ID=<Access-Key-as-in-Previous-Output>
> set AWS_SECRET_ACCESS_KEY=<Secret-Access-Key-as-in-Previous-Output>
> set AWS_SESSION_TOKEN=<Session-Token-as-in-Previous-Output>

Using temporary credentials with named profiles

You can also use named profiles to specify which commands require MFA authentication. To do so, edit the credentials file in the .aws folder in the home directory of the user and add a new profile configuration for issuing MFA-authenticated commands. Here's an example profile configuration:

[profile-name]
output = json
region = us-east-1
aws_access_key_id = <Access-key-as-in-returned-output>
aws_secret_access_key = <Secret-access-key-as-in-returned-output>
aws_session_token = <Session-Token-as-in-returned-output>

If the AWS CLI is configured using the aws configure command, there is also a default configuration, and that configuration is used for commands that don't require MFA authentication.

Note: If you use profiles to authenticate commands made by the AWS CLI, specify --profile profile-name to ensure that the calls are MFA-authenticated.

When these credentials expire, execute the get-session-token command again and export the returned values to environment variables or to the profile configuration. You might consider running a script or a cron job in the background that checks for expiration and prompts for re-authentication.

You can require that a user be authenticated using an MFA to perform particular API actions by using the aws:MultiFactorAuthPresent or aws:MultiFactorAuthAge conditions in an IAM policy.
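The following script is an added example, not AWS's own code, that ties the steps above together: it parses the JSON that sts get-session-token prints, writes the temporary credentials into a named profile without disturbing the default profile, implements the expiration check that a background script or cron job would run, and builds an IAM policy document using the aws:MultiFactorAuthPresent and aws:MultiFactorAuthAge conditions. The sample JSON, the profile name "mfa", the 5-minute refresh margin and the policy's actions and resource are constructed values or assumptions, not taken from this article.

```python
# Added example (not AWS's own code): glue around the `aws sts get-session-token`
# workflow. Profile name "mfa", the 5-minute refresh margin and the sample JSON
# below are assumptions/constructed values, not from the article.
import configparser
import json
import os
import subprocess
import sys
from datetime import datetime, timezone

# Constructed sample in the shape the CLI prints (all values are placeholders).
SAMPLE_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "example-secret-access-key",
        "SessionToken": "example-temporary-session-token",
        "Expiration": "2017-06-09T12:00:00Z",
    }
})


def parse_session_credentials(output_text):
    """Parse the CLI's JSON output; Expiration becomes a timezone-aware datetime."""
    creds = dict(json.loads(output_text)["Credentials"])
    # The CLI prints an ISO-8601 UTC timestamp ending in "Z"; fromisoformat
    # (Python 3.7+) wants an explicit "+00:00" offset instead.
    creds["Expiration"] = datetime.fromisoformat(
        creds["Expiration"].replace("Z", "+00:00"))
    return creds


def seconds_until_expiry(creds, now=None):
    """Seconds left on the session token (negative once it has expired)."""
    now = now or datetime.now(timezone.utc)
    return (creds["Expiration"] - now).total_seconds()


def needs_refresh(creds, now=None, margin_seconds=300):
    """True when the token is expired or within `margin_seconds` of expiring;
    this is the check a background script or cron job would run."""
    return seconds_until_expiry(creds, now) <= margin_seconds


def write_mfa_profile(credentials_path, profile_name, creds, region="us-east-1"):
    """Add or replace one profile in the credentials file, leaving other
    profiles (e.g. the default one written by `aws configure`) untouched."""
    cfg = configparser.ConfigParser()
    cfg.read(credentials_path)
    if not cfg.has_section(profile_name):
        cfg.add_section(profile_name)
    cfg[profile_name]["output"] = "json"
    cfg[profile_name]["region"] = region
    cfg[profile_name]["aws_access_key_id"] = creds["AccessKeyId"]
    cfg[profile_name]["aws_secret_access_key"] = creds["SecretAccessKey"]
    cfg[profile_name]["aws_session_token"] = creds["SessionToken"]
    with open(credentials_path, "w") as fh:
        cfg.write(fh)
    os.chmod(credentials_path, 0o600)  # credentials file: owner read/write only
    return dict(cfg[profile_name])


def fetch_session_credentials(mfa_serial, token_code, duration_seconds=43200):
    """Run the article's command for real (needs network, long-term credentials
    and the MFA device); duration defaults to the CLI's 12-hour default."""
    cmd = ["aws", "sts", "get-session-token",
           "--serial-number", mfa_serial, "--token-code", token_code,
           "--duration-seconds", str(duration_seconds)]
    return parse_session_credentials(subprocess.check_output(cmd, text=True))


def mfa_required_policy(actions, resource, max_age_seconds=3600):
    """IAM policy document allowing `actions` on `resource` only from an
    MFA-authenticated session no older than `max_age_seconds`, using the two
    condition keys named in the article."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": resource,
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "NumericLessThan": {"aws:MultiFactorAuthAge": str(max_age_seconds)},
            },
        }],
    }


if __name__ == "__main__":
    # Usage: python mfa_session.py <mfa-device-arn> <token-code> [credentials-file]
    # With no arguments it exercises the constructed sample instead of calling AWS
    # (the sample timestamp is in the past, so it reports that a refresh is needed).
    if len(sys.argv) >= 3:
        creds = fetch_session_credentials(sys.argv[1], sys.argv[2])
        path = sys.argv[3] if len(sys.argv) > 3 else os.path.expanduser("~/.aws/credentials")
        write_mfa_profile(path, "mfa", creds)
    else:
        creds = parse_session_credentials(SAMPLE_OUTPUT)
    print("expires in %.0f s; refresh needed: %s"
          % (seconds_until_expiry(creds), needs_refresh(creds)))
    print(json.dumps(mfa_required_policy(["ec2:StopInstances"], "*"), indent=2))
```

After writing the profile, run MFA-gated commands with --profile mfa (or whatever name you chose), and schedule needs_refresh() to prompt for a new token code shortly before the Expiration timestamp rather than after calls start failing.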

Published: 2017-01-10

Updated: 2017-06-09