
Generating Temporary Credentials

Paul Duvall edited this page Apr 9, 2019 · 6 revisions

Accessing AWS resources from the Command Line

When accessing the AWS API from the command line under an IAM policy that requires MFA, you first need to exchange your long-term access keys plus the current code from your MFA device for temporary session credentials (via STS), and put those temporary credentials into your local CLI configuration before running the commands.

To obtain temporary credentials, run the following, substituting the ARN of your MFA device and the code currently shown on it:

aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token

Your command will look like this:

aws sts get-session-token --serial-number arn:aws:iam::123456789012:mfa/USERNAME --token-code 123456

You can obtain the full ARN for the serial-number above by following these steps:

  1. Go to your IAM console
  2. Select your User name
  3. Select the Security Credentials tab
  4. Copy the value from the Assigned MFA device field and place in your clipboard

To get the --token-code, read the current 6-digit code from your MFA device (e.g. Google Authenticator).

When running the aws sts get-session-token command from above, you should get a response like this:

{
    "Credentials": {
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "AQoDYXdzEJr...<remainder of security token>",
        "Expiration": "2018-10-11T10:09:50Z",
        "AccessKeyId": "ASIAIOSFODNN7EXAMPLE"
    }
}

Note that the AccessKeyId of temporary credentials starts with ASIA (long-term keys start with AKIA), and that the credentials stop working at the Expiration time: 12 hours by default for get-session-token, adjustable with --duration-seconds.

If you used aws configure to configure your credentials, edit the credentials file. It lives in your own home directory, so do not use sudo; editing it as root can leave the file owned by root and unreadable by your user:

vim ~/.aws/credentials

and add/update the aws_access_key_id, aws_secret_access_key, and aws_session_token values from the aws sts get-session-token response (all three must come from the same response):

[default]
output = json
region = us-east-1
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = AQoDYXdzEJr...<remainder of security token>

Keep the file readable only by you (chmod 600 ~/.aws/credentials). Overwriting [default] like this means you have to put your long-term keys back whenever the session expires and you need a new token; an alternative is to leave the long-term keys in [default], put the temporary values in a separate profile such as [mfa], and run commands with --profile mfa (or AWS_PROFILE=mfa).

Save the file and run your commands.
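The whole procedure above (call STS with the MFA code, then store the three values) can be scripted. The script below is an added example and not part of the wiki page: it keeps the long-term keys in the default profile and writes the temporary credentials to a separate profile, which avoids having to restore the long-term keys by hand when the session expires. The profile name mfa, the 12-hour --duration-seconds, the script name, and the sample response (constructed from the wiki's own example values, used only to exercise the parsing offline) are assumptions.

```shell
#!/bin/sh
# mfa-session.sh: fetch temporary credentials with an MFA code and write them to
# a separate profile, leaving the long-term keys in [default] untouched.
# Added example, not from the wiki; profile and file names are assumptions.
set -eu

CREDENTIALS_FILE="${AWS_SHARED_CREDENTIALS_FILE:-${HOME:-.}/.aws/credentials}"
SESSION_PROFILE=mfa          # assumed name for the temporary-credential profile
PERMANENT_PROFILE=default    # assumed profile holding the long-term AKIA keys

# Constructed sample of a get-session-token response (mirrors the wiki's
# example values); used only for offline testing of the parsing below.
SAMPLE_RESPONSE='{
    "Credentials": {
        "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "AQoDYXdzEJr...<remainder of security token>",
        "Expiration": "2018-10-11T10:09:50Z"
    }
}'

# json_field JSON NAME: print the string value of "NAME" (one key per line, as
# the CLI pretty-prints it).
json_field() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# strip_profile FILE PROFILE: print FILE without the [PROFILE] section.
strip_profile() {
    awk -v sect="[$2]" '
        $0 == sect { skip = 1; next }
        /^\[/      { skip = 0 }
        !skip      { print }
    ' "$1"
}

# write_session_profile JSON FILE PROFILE: replace [PROFILE] in FILE with the
# three values from JSON. Refuses anything that is not a temporary key pair.
write_session_profile() {
    json=$1 file=$2 profile=$3
    akid=$(json_field "$json" AccessKeyId)
    secret=$(json_field "$json" SecretAccessKey)
    token=$(json_field "$json" SessionToken)
    case $akid in
        ASIA*) ;;
        *) echo "refusing to write '$akid': temporary access key ids start with ASIA" >&2; return 1 ;;
    esac
    [ -n "$secret" ] && [ -n "$token" ] || { echo "response lacks SecretAccessKey or SessionToken" >&2; return 1; }

    tmp=$(mktemp)                       # mktemp creates the file with mode 600
    [ -f "$file" ] && strip_profile "$file" "$profile" > "$tmp"
    {
        printf '[%s]\n' "$profile"
        printf 'aws_access_key_id = %s\n' "$akid"
        printf 'aws_secret_access_key = %s\n' "$secret"
        printf 'aws_session_token = %s\n' "$token"
    } >> "$tmp"
    mkdir -p "$(dirname "$file")"
    mv "$tmp" "$file"
    chmod 600 "$file"                   # credentials must not be world-readable
}

# main MFA_ARN CODE: call STS with the long-term profile and store the result.
main() {
    mfa_arn=$1 code=$2
    response=$(aws sts get-session-token \
        --profile "$PERMANENT_PROFILE" \
        --serial-number "$mfa_arn" \
        --token-code "$code" \
        --duration-seconds 43200 \
        --output json)
    write_session_profile "$response" "$CREDENTIALS_FILE" "$SESSION_PROFILE"
    echo "wrote profile [$SESSION_PROFILE]; expires $(json_field "$response" Expiration)"
    echo "use it with: aws --profile $SESSION_PROFILE s3 ls"
}

# Usage: ./mfa-session.sh arn:aws:iam::123456789012:mfa/USERNAME 123456
if [ $# -eq 2 ]; then
    main "$@"
fi
```

Because the long-term keys never leave [default], a second run of the script after the session expires needs no manual clean-up, and the "Cannot call GetSessionToken with session credentials" error in the troubleshooting section cannot occur. The ASIA check guards against accidentally copying long-term keys into the session profile.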

Troubleshooting

Incorrect "Permanent" Credentials

When calling aws sts get-session-token

Error An error occurred (InvalidClientTokenId) when calling the GetSessionToken operation: The security token included in the request is invalid.

Solution The access key id the CLI is using is not recognized as a valid long-term key (typically it was mistyped, has been deactivated or deleted in IAM, or is a leftover temporary ASIA key id). Update your profile to use your "permanent" (long-term, AKIA) access key id and secret access key, and remove any aws_session_token line, as shown below:

vim ~/.aws/credentials

[default]
output = json
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

Access Denied

When running a command (e.g. aws s3 ls) from the AWS CLI with only your long-term keys, under an IAM policy that allows the action only when the request is MFA-authenticated:

Error An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

Solution Obtain temporary credentials with aws sts get-session-token and update your profile to use the temporary access key id, secret access key, and aws_session_token from that response, as shown below:

[default]
output = json
region = us-east-1
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = AQoDYXdzEJr...<remainder of security token>

Unable to Validate MFA Code

Error An error occurred (AccessDenied) when calling the GetSessionToken operation: MultiFactorAuthentication failed, unable to validate MFA code. Please verify your MFA serial number is valid and associated with this user.

Solution This usually occurs when running aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token from the AWS CLI with the wrong --serial-number. It also occurs if you pass the ARN of the user (arn:aws:iam::123456789012:user/USERNAME) instead of the ARN of the MFA device (arn:aws:iam::123456789012:mfa/USERNAME). Copy the exact value from the Assigned MFA device field in the IAM console.

Incorrect MFA Token

Error An error occurred (AccessDenied) when calling the GetSessionToken operation: MultiFactorAuthentication failed with invalid MFA one time pass code.

Solution Enter the 6-digit code currently shown on the MFA device. Codes rotate every 30 seconds, so if the code was about to change when you copied it, wait for the next one. If correct-looking codes are rejected repeatedly, check that the device's clock is accurate, since TOTP codes are derived from the current time.

Incorrect Temporary Session Token

Entering the temporary session token incorrectly:

Error An error occurred (InvalidToken) when calling the ListBuckets operation: The provided token is malformed or otherwise invalid.

Solution Ensure the aws_session_token in ~/.aws/credentials is the complete SessionToken value from the get-session-token response. The token is long, and a partial or line-wrapped paste produces this error.

Incorrect Temporary Access Keys

Error An error occurred (SignatureDoesNotMatch) when calling the ListBuckets operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

Solution Ensure the aws_access_key_id and aws_secret_access_key in ~/.aws/credentials are valid and come from the same get-session-token response; a secret key from one response cannot sign requests made with the access key id from another.

Invalid or Missing Session Token

Error An error occurred (InvalidAccessKeyId) when calling the ListBuckets operation: The AWS Access Key Id you provided does not exist in our records.

Solution Ensure the aws_access_key_id in ~/.aws/credentials is valid. A temporary access key id (starting with ASIA) is only recognized together with its aws_session_token, so if you copied the AccessKeyId and SecretAccessKey but not the SessionToken, add the missing aws_session_token line.

Local Credentials Contain the Session Credentials

Attempting to run the aws sts get-session-token command when the local credentials already contain temporary session credentials (an ASIA access key id plus an aws_session_token):

Error An error occurred (AccessDenied) when calling the GetSessionToken operation: Cannot call GetSessionToken with session credentials

Solution STS will not issue a session token to a caller that is already authenticating with one. Put your long-term (AKIA) access key id and secret access key back into the profile and remove the aws_session_token line, then run get-session-token again. Keeping the long-term keys in a separate profile and calling STS with --profile avoids this altogether.

CloudFormation Stack Error

When launching a CloudFormation stack from the CLI, here's an example of what you might see if access to SQS were denied without MFA:

API: sqs:CreateQueue Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.

Solution This is the same situation as the Access Denied case above: the calling credentials are not MFA-authenticated, so a policy that requires MFA (typically a condition on aws:MultiFactorAuthPresent) denies the service call. Obtain temporary credentials with aws sts get-session-token, update ~/.aws/credentials with all three values, and launch the stack again.

Invalid Credentials Calling a Specific Command

Invalid credentials when calling a specific command (e.g. in this case, aws s3 ls):

Error An error occurred (InvalidAccessKeyId) when calling the ListBuckets operation: The AWS Access Key Id you provided does not exist in our records.

Solution Ensure the aws_access_key_id, aws_secret_access_key, and aws_session_token in ~/.aws/credentials are valid.
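Most of the errors in this section come down to the state of the profile in ~/.aws/credentials: long-term (AKIA) keys with no token, a temporary (ASIA) key with its token, an ASIA key missing its token, or an AKIA key with a stray token. The following script is an added example and not part of the wiki page; it reads a profile from the credentials file, classifies which of those states it is in, and prints the matching advice from the entries above. The script name, the state names, and the sample credentials file (constructed, one profile per case) are assumptions; the AWS_SHARED_CREDENTIALS_FILE variable is the CLI's own override for the credentials file location.

```shell
#!/bin/sh
# check-aws-profile.sh: classify what a credentials profile holds so the right
# troubleshooting entry applies. Added example, not from the wiki.
set -eu

# Constructed sample credentials file, one profile per troubleshooting case.
SAMPLE_CREDENTIALS='[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[mfa]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = AQoDYXdzEJr...

[forgot-token]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[stale-token]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = AQoDYXdzEJr...
'

# sample_file: write the constructed sample to a temp file and print its path.
sample_file() {
    f=$(mktemp)
    printf '%s' "$SAMPLE_CREDENTIALS" > "$f"
    echo "$f"
}

# profile_value FILE PROFILE KEY: print KEY's value from [PROFILE], or nothing.
profile_value() {
    awk -v sect="[$2]" -v key="$3" '
        /^\[/ { insect = ($0 == sect); next }
        insect && $0 ~ ("^" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# classify_profile FILE PROFILE: print one word describing the credential state.
classify_profile() {
    akid=$(profile_value "$1" "$2" aws_access_key_id)
    secret=$(profile_value "$1" "$2" aws_secret_access_key)
    token=$(profile_value "$1" "$2" aws_session_token)
    if [ -z "$akid" ] || [ -z "$secret" ]; then
        echo missing-keys
    elif [ -n "$token" ]; then
        case $akid in
            ASIA*) echo temporary ;;                  # ready for MFA-protected calls
            *)     echo token-with-long-term-key ;;   # token does not belong to an AKIA key
        esac
    else
        case $akid in
            AKIA*) echo long-term ;;                  # what get-session-token needs
            ASIA*) echo temporary-without-token ;;    # the InvalidAccessKeyId case
            *)     echo unknown-key-prefix ;;
        esac
    fi
}

# diagnose FILE PROFILE: print the advice matching the profile's state.
diagnose() {
    state=$(classify_profile "$1" "$2")
    case $state in
        long-term)   echo "[$2]: long-term keys; use this profile for aws sts get-session-token. MFA-protected commands get AccessDenied until a session token is added." ;;
        temporary)   echo "[$2]: temporary key plus session token; use it for your commands, not for get-session-token." ;;
        temporary-without-token)
                     echo "[$2]: ASIA key without aws_session_token, so the key is not recognized (InvalidAccessKeyId); add the SessionToken from the same response." ;;
        token-with-long-term-key)
                     echo "[$2]: AKIA key with a session token; a token only pairs with the ASIA key from its own response. Use all three values from one response, or remove the token." ;;
        missing-keys) echo "[$2]: aws_access_key_id or aws_secret_access_key is missing." ;;
        *)           echo "[$2]: access key id has an unexpected prefix." ;;
    esac
}

# Usage: ./check-aws-profile.sh [PROFILE]; with no argument, walk the sample file.
if [ $# -ge 1 ]; then
    diagnose "${AWS_SHARED_CREDENTIALS_FILE:-${HOME:-.}/.aws/credentials}" "$1"
else
    f=$(sample_file)
    for p in default mfa forgot-token stale-token; do diagnose "$f" "$p"; done
    rm -f "$f"
fi
```

Run it with the profile name you are about to use (for example ./check-aws-profile.sh default) before retrying a failing command; the classification tells you whether to run get-session-token, add the missing token, or restore the long-term keys.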

Resources for Automating Credentials Generation