You can configure the AWS CLI to assume an IAM role for you in combination with MFA. If you are a power user of the CLI, you will realize that you have to enter your MFA token every 60 minutes, which is annoying.
This post shows how to fix that.
AWS account setup
Let’s assume we have three AWS accounts.
Account id | Alias | Description |
---|---|---|
000000000000 | iam | Only IAM users are created in this account |
111111111111 | dev | Development workloads |
222222222222 | prod | Production workloads |
Besides that:
- In the `iam` account, an IAM user named `michael` is created. MFA is enabled, and an access key is generated.
- In the `dev` and `prod` accounts, the following IAM role is created (CloudFormation template):
Ensure that you set the `MaxSessionDuration` property! The default is 60 minutes.
Configuring the AWS CLI
The AWS CLI stores the configuration in `~/.aws/credentials` (or `%UserProfile%\.aws\credentials` if you are using Windows).
First of all, configure the access key from the `michael` IAM user using the `aws_access_key_id` and `aws_secret_access_key` configuration values. The value between the square brackets is called the profile name.
[iam]
After that, configure the IAM roles you want to assume. The following configuration values are used:
Configuration value | Description |
---|---|
role_arn | ARN of the role you want to assume |
source_profile | Reference the profile of the IAM user |
mfa_serial | ARN of the virtual MFA device or the serial number for a hardware device |
duration_seconds | The expiry of the credentials returned by the assume role call |
Ensure that you set the `duration_seconds` property! The default is 60 minutes.
Add the following profiles to the `credentials` file.
[dev]
Using the profiles
The `--profile` parameter lets you specify the profile you want to use when working with the CLI.
aws --profile dev s3 ls
The AWS CLI will ask you for your MFA token the first time you make a call.
You can also set the `AWS_PROFILE` environment variable to avoid typing `--profile ...` all the time.
export AWS_PROFILE=dev
Summary
To avoid re-entering the MFA token frequently when using the AWS CLI, you have to adjust the `MaxSessionDuration` of the IAM role and the `duration_seconds` configuration value of the AWS CLI.
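One way to check a credentials file for the two settings stressed above, as an added example that is not code from the original post: it flags role profiles that lack `mfa_serial` or `duration_seconds`, and a `duration_seconds` larger than the role's `MaxSessionDuration`, which makes the assume-role call fail. The role name `Admin`, the placeholder key values, the MFA device ARN and the `role_max_session` mapping are assumptions.

```python
import configparser

# Constructed sample: account ids and user name are from the article; the role
# name "Admin", the MFA ARN and the key values are placeholders (assumptions).
SAMPLE = """
[iam]
aws_access_key_id = PLACEHOLDER_ACCESS_KEY_ID
aws_secret_access_key = PLACEHOLDER_SECRET_ACCESS_KEY

[dev]
role_arn = arn:aws:iam::111111111111:role/Admin
source_profile = iam
mfa_serial = arn:aws:iam::000000000000:mfa/michael
duration_seconds = 43200

[prod]
role_arn = arn:aws:iam::222222222222:role/Admin
source_profile = iam
"""

DEFAULT_SECONDS = 3600          # CLI default duration and IAM default MaxSessionDuration
STS_MIN, STS_MAX = 900, 43200   # range accepted for a role session duration

def audit_profiles(text, role_max_session):
    """Return {profile: [findings]}; role_max_session maps role ARN -> MaxSessionDuration."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    report = {}
    for name in cfg.sections():
        p = cfg[name]
        if "role_arn" not in p:
            continue  # plain access-key profile, no role is assumed
        findings = []
        if p.get("source_profile") not in cfg:
            findings.append("source_profile missing or unknown")
        if "mfa_serial" not in p:
            findings.append("no mfa_serial: the CLI will not prompt for an MFA token")
        if "duration_seconds" not in p:
            findings.append(f"duration_seconds unset: credentials expire after {DEFAULT_SECONDS}s")
        duration = p.getint("duration_seconds", fallback=DEFAULT_SECONDS)
        # Roles not listed in the mapping are assumed to use the IAM default.
        role_max = role_max_session.get(p["role_arn"], DEFAULT_SECONDS)
        if not STS_MIN <= duration <= STS_MAX:
            findings.append(f"duration_seconds {duration} outside {STS_MIN}..{STS_MAX}")
        elif duration > role_max:
            findings.append(f"duration_seconds {duration} > MaxSessionDuration {role_max}")
        report[name] = findings
    return report
```

Called with the real file contents and the `MaxSessionDuration` values from your templates, an empty finding list for a profile means the MFA prompt should reappear only after `duration_seconds` has elapsed.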