Using MFA with AWS CLI
If you've ever encountered an 'explicit deny in an identity-based policy' error when using the AWS CLI, it's likely that your organization's security policies require Multi-Factor Authentication (MFA) for all CLI sessions. This is a common security measure, and here’s a step-by-step guide on how to authenticate with MFA and get back to work.
The Problem: Explicit Deny
The error message 'explicit deny in an identity-based policy' usually means that a policy, such as a ForceMFA policy, is blocking your access because your AWS CLI session has not been authenticated with MFA.
The Solution: Use MFA with AWS CLI
Here’s how to resolve this by creating a temporary, MFA-authenticated session.
1. Check if You Have an MFA Device Configured
First, ensure you have an MFA device associated with your IAM user. You can check this by running:
aws iam list-mfa-devices --user-name your-user-name
2. Get Temporary Credentials with MFA
Next, you need to get temporary credentials by calling the `sts get-session-token` command. You will need your MFA device's serial number (ARN) and a one-time token from your authenticator app.
# Replace the SERIAL-NUMBER and TOKEN-CODE with your own
aws sts get-session-token \
--serial-number arn:aws:iam::123456789012:mfa/your-user-name \
--token-code 123456 \
--duration-seconds 3600
This command will return a set of temporary credentials, including an `AccessKeyId`, `SecretAccessKey`, and `SessionToken`.
{
"Credentials": {
"AccessKeyId": "ASIA...",
"SecretAccessKey": "...",
"SessionToken": "...",
"Expiration": "..."
}
}
3. Configure a Temporary Profile with the MFA Credentials
Now, you can create a new, temporary profile in your AWS configuration with these credentials. This keeps your standard IAM user credentials separate from your temporary, MFA-authenticated session.
# Replace the credentials with the ones you received
aws configure set aws_access_key_id ASIA... --profile mfa-session
aws configure set aws_secret_access_key YOUR_SECRET --profile mfa-session
aws configure set aws_session_token YOUR_SESSION_TOKEN --profile mfa-session
aws configure set region us-east-1 --profile mfa-session
4. Use the MFA-Authenticated Profile
You can now run your AWS CLI commands against this temporary profile with the `--profile` flag. Because the session was issued after a successful MFA check, it satisfies the condition in the ForceMFA policy rather than bypassing it, so the explicit deny no longer applies.
# Retry your S3 command with the new MFA-authenticated profile
aws s3 cp s3://your-bucket/your-file . --profile mfa-session
Alternative: Create a Script to Automate the Process
To make this process faster in the future, you can use a simple shell script to automate getting and setting your temporary credentials.
Create a file named `mfa-session.sh`:
#!/bin/bash
# mfa-session.sh
# Source this file (". ./mfa-session.sh") so the exported variables land in your
# current shell. Executed as "./mfa-session.sh" it runs in a child process and the
# exports vanish as soon as it exits.
read -r -p "Enter your MFA token: " mfa_token
# Get session token (replace with your MFA device ARN); stop if STS rejects the code
output=$(aws sts get-session-token \
--serial-number arn:aws:iam::123456789012:mfa/your-user-name \
--token-code "$mfa_token" \
--duration-seconds 3600 \
--output json) || { echo "get-session-token failed" >&2; return 1 2>/dev/null || exit 1; }
# Extract credentials using jq (quote $output so the JSON is passed intact)
access_key=$(echo "$output" | jq -r '.Credentials.AccessKeyId')
secret_key=$(echo "$output" | jq -r '.Credentials.SecretAccessKey')
session_token=$(echo "$output" | jq -r '.Credentials.SessionToken')
# Set environment variables for the current (sourcing) shell
export AWS_ACCESS_KEY_ID=$access_key
export AWS_SECRET_ACCESS_KEY=$secret_key
export AWS_SESSION_TOKEN=$session_token
echo "MFA session activated. You can now run AWS CLI commands."
Load it into your current shell with `source ./mfa-session.sh` (or `. ./mfa-session.sh`) whenever you need a new MFA-authenticated session. Making it executable and running `./mfa-session.sh` would set the variables only inside a subshell that exits immediately, leaving your own shell unchanged.
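A Python helper, added here as an example and not part of the original post, that combines steps 2 and 3 with the idea behind the script: it stores the GetSessionToken credentials in the `mfa-session` profile and prompts for a code only when the cached session is missing or about to expire. The profile name, the extra `expiration` bookkeeping key, the five-minute renewal margin and the credentials-file path are this example's own assumptions; it uses only the standard library plus the `aws` CLI on PATH.

```python
import configparser, io, json, subprocess, sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

PROFILE = "mfa-session"                            # assumed profile name
CREDS_PATH = Path.home() / ".aws" / "credentials"   # standard CLI location

def session_still_valid(expiration_iso, now_iso=None, margin_min=5):
    """True while the cached session outlives now + margin (Expiration is ISO-8601 UTC)."""
    parse = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    now = parse(now_iso) if now_iso else datetime.now(timezone.utc)
    return parse(expiration_iso) - now > timedelta(minutes=margin_min)

def render_profile(sts_response, creds_text, profile=PROFILE):
    """Return creds_text with [profile] rebuilt from the response's Credentials block."""
    c = sts_response["Credentials"]
    cfg = configparser.RawConfigParser()
    cfg.read_string(creds_text)
    cfg.remove_section(profile)                    # no-op if the section is absent
    cfg.add_section(profile)
    cfg.set(profile, "aws_access_key_id", c["AccessKeyId"])
    cfg.set(profile, "aws_secret_access_key", c["SecretAccessKey"])
    cfg.set(profile, "aws_session_token", c["SessionToken"])
    cfg.set(profile, "expiration", c["Expiration"])  # assumed key, read only by this script; the CLI ignores unknown keys
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()

def main(serial_arn):
    """Ask for a one-time code only when no usable cached session exists."""
    text = CREDS_PATH.read_text() if CREDS_PATH.exists() else ""
    cached = configparser.RawConfigParser()
    cached.read_string(text)
    if cached.has_option(PROFILE, "expiration") and session_still_valid(
            cached.get(PROFILE, "expiration")):
        print(f"profile {PROFILE} is still valid; nothing to do")
        return 0
    code = input("MFA token code: ").strip()
    if not (code.isdigit() and len(code) == 6):    # STS rejects anything else
        print("token code must be exactly 6 digits", file=sys.stderr)
        return 1
    cmd = ["aws", "sts", "get-session-token", "--serial-number", serial_arn,
           "--token-code", code, "--duration-seconds", "3600", "--output", "json"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    CREDS_PATH.write_text(render_profile(json.loads(out), text))
    CREDS_PATH.chmod(0o600)                        # credentials stay owner-only
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))                    # argv[1]: your MFA device ARN
```

Run it as `python3 mfa_profile.py arn:aws:iam::123456789012:mfa/your-user-name` and then use `--profile mfa-session` as in step 4; repeated runs within the session lifetime skip the MFA prompt.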