aws sts get-session-token

https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/get-session-token.html

aws sts get-session-token --profile "$1"  --serial-number "$2" --token-code $MFA_CODE

• Duration: 12 hours (43,200 seconds) as the default. Valid range: 15 minutes to 36 hours (129,600 seconds).

Examples[edit]

• aws sts get-session-token --serial-number <mfa_device> --token-code <token>
• aws sts get-session-token --serial-number arn:aws:iam::62405745487395:mfa/yourname --token-code 123456
• aws sts get-session-token --serial-number arn:aws:iam::62405745487395:mfa/yourname --duration-seconds 129600 --token-code 123456
• aws sts get-session-token --serial-number arn:aws:iam::62405745487395:mfa/yourname --duration-seconds 129600 --token-code 123456 --output text

Synopsys[edit]

  get-session-token
[--duration-seconds <value>]
[--serial-number <value>]
[--token-code <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]

Example[edit]

aws sts get-session-token \
    --duration-seconds 900 \
    --serial-number "arn:aws:iam::62405745487395:mfa/yourname" \
    --token-code 123456

{
    "Credentials": {
        "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
        "SessionToken":  "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE",
       "Expiration": "2020-05-19T18:06:10+00:00"
   }
}

Errors[edit]

An error occurred (AccessDenied) when calling the GetSessionToken operation: MultiFactorAuthentication failed, unable to validate MFA code.  Please verify your MFA serial number is valid and associated with this user.
Solution: make sure you are using a mfa ARN, arn:aws:iam::62405745487395:mfa/yourname

An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials
Solution: make sure to add your generated credentials including AWS_SESSION_TOKEN to your credentials file

An error occurred (AccessDenied) when calling the GetSessionToken operation: MultiFactorAuthentication failed, must provide both MFA serial number and one time pass code.

An error occurred (ExpiredToken) when calling the XXX operation: The provided token has expired.

An error occurred (InvalidClientTokenId) when calling the GetSessionToken operation: The security token included in the request is invalid

An error occurred (ExpiredToken) when calling the GetSessionToken operation: The security token included in the request is expired

Related terms[edit]

• MFA
• aws iam list-virtual-mfa-devices --output text
• AWS_SESSION_TOKEN
• AWS_DEFAULT_REGION
• aws-sts-get-session-token script
• Terraform AWS provider: assume_role
• aws sts get-federation-token
• 1password
• EKS: aws eks get-token
• aws sts get-access-key-info

Activities[edit]

• Read https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
• Using temporary credentials with AWS resources

See also[edit]

• AWS STS (sts:), aws sts [ get-session-token | get-caller-identity | assume-role | assume-role-with-web-identity | assume-role-with-saml | get-access-key-info ]
• aws iam [ create-user, create-group, get-user, list-users | list-policies | list-attached-user-policies | attach-user-policy | list-attached-user-policies | list-roles | get-account-summary | put-group-policy | put-role-policy | put-user-policy | create-login-profile | aws iam delete-virtual-mfa-device | aws iam list-virtual-mfa-devices | aws iam create-saml-provider | aws iam list-account-aliases | aws iam create-role | aws iam change-password| enable-mfa-device | list-instance-profiles