How to add an MFA to your user account using the Console
Pre-requisites
- An authenticator app for your phone. We recommend:
  - Android: Google Authenticator
  - iPhone/iPad: Google Authenticator
  - Windows Phone: Microsoft Authenticator
- Or a U2F security key such as a YubiKey (highly recommended!)
Instructions
- Log in with your root or IAM user account
- Open the IAM service: https://console.aws.amazon.com/iam/
- In the navigation pane, choose Users
- In the User Name list, find your name/email address
- Depending on your current rights, you might see permission errors. Continue anyway
- Choose the Security credentials tab
- Next to "Assigned MFA device", click the edit icon
- In the Manage MFA Device wizard, choose "A virtual MFA device" (phone app) or U2F (for a U2F key such as a YubiKey), and then click Next Step
- You might get a screen telling you to install an authenticator app; if you haven't already, do so and click Next Step
- Use your authenticator app to scan the QR code
- In the Authentication Code 1 field, type the current code
- Wait until the code changes, then type the next code in the Authentication Code 2 field
- Choose Activate Virtual MFA
- The MFA device should now be successfully associated. Click Finish
Done! However, log out and log back in to pick up your MFA-enabled privileges. Until you do, your session keeps using the credentials it was issued before MFA was enabled.
Advanced: How to "change", "switch" or assume roles on the CLI
This assumes you have already configured your IAM user and/or CLI profile. You will need the ARN of your MFA device, which you can find on your IAM user's Security credentials tab.
$ aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token
AWS currently supports using U2F security keys only in the AWS Management Console. Using U2F security keys for MFA is not currently supported in the AWS CLI and AWS API, or for access to MFA-protected API operations.
This returns a new, temporary set of credentials (the values below are placeholders):
{
    "Credentials": {
        "SecretAccessKey": "AEROJDOOIWODJ",
        "SessionToken": "ALÖDMPOKD=OWQDOPKLÖSKD",
        "Expiration": "12309230123123",
        "AccessKeyId": "AWEPOIPOIASDASDASD"
    }
}
To switch the CLI to these credentials, overwrite the AWS_* environment variables in your current shell:
Linux Bash / OS X
$ export AWS_ACCESS_KEY_ID=AWEPOIPOIASDASDASD
$ export AWS_SECRET_ACCESS_KEY=AEROJDOOIWODJ
$ export AWS_SESSION_TOKEN=ALÖDMPOKD=OWQDOPKLÖSKD
Windows (Command Prompt)
> set AWS_ACCESS_KEY_ID=AWEPOIPOIASDASDASD
> set AWS_SECRET_ACCESS_KEY=AEROJDOOIWODJ
> set AWS_SESSION_TOKEN=ALÖDMPOKD=OWQDOPKLÖSKD
Your CLI now uses the temporary, MFA-authenticated credentials until they expire.
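The CLI steps above (call get-session-token, copy the three values into AWS_* variables) can be wrapped in a small POSIX-sh helper so that a typo or a failed STS call never leaves the shell half-switched. This is an added example, not from the original page: it assumes the aws CLI is installed and that the current shell holds your IAM user's long-term key; the account id, user name and token code in the usage comment are constructed placeholders, and the `--duration-seconds` default of one hour is a choice, not an AWS default.

```shell
#!/bin/sh
# Added example, not part of the original page: wrap the get-session-token step
# so the temporary credentials end up in the current shell in one go.
# Source this file, then run:  mfa_session arn:aws:iam::123456789012:mfa/alice 123456
# (account id, user name and token code above are constructed placeholders).

# A TOTP code from the authenticator app is exactly six digits; reject anything
# else before spending an STS call on it.
valid_token_code() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Turn one `--output text` row from STS (tab-separated AccessKeyId,
# SecretAccessKey, SessionToken, Expiration) into the AWS_* variables the CLI
# reads. Returns 1 without touching the environment if the row is incomplete,
# so a failed call never leaves the shell with a mix of old and new values.
parse_session_row() {
    IFS="$(printf '\t')" read -r _kid _sec _tok _exp <<EOF
$1
EOF
    [ -n "$_kid" ] && [ -n "$_sec" ] && [ -n "$_tok" ] || return 1
    AWS_ACCESS_KEY_ID=$_kid
    AWS_SECRET_ACCESS_KEY=$_sec
    AWS_SESSION_TOKEN=$_tok
    AWS_SESSION_EXPIRATION=$_exp   # informational only; the CLI does not read it
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SESSION_EXPIRATION
}

# mfa_session <mfa-device-arn> <token-code> [duration-seconds]
mfa_session() {
    _arn=$1; _code=$2; _dur=${3:-3600}
    valid_token_code "$_code" || { echo "token code must be six digits" >&2; return 1; }
    # GetSessionToken has to be called with the IAM user's long-term key; STS
    # rejects it when the caller already holds session credentials. Refuse up
    # front instead of failing with a less obvious error from the service.
    if [ -n "${AWS_SESSION_TOKEN:-}" ]; then
        echo "AWS_SESSION_TOKEN is already set; start from a shell with your long-term key" >&2
        return 1
    fi
    # --query flattens the JSON shown above into one tab-separated row.
    _row=$(aws sts get-session-token \
        --serial-number "$_arn" --token-code "$_code" --duration-seconds "$_dur" \
        --output text \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]') || return 1
    parse_session_row "$_row" || { echo "unexpected response from sts" >&2; return 1; }
    echo "MFA session active until $AWS_SESSION_EXPIRATION" >&2
}
```

Because the helper is sourced rather than executed, the `export` lines take effect in the calling shell, which is exactly what the manual `export` commands above do by hand; the Expiration value is kept in a separate variable so you can see when the session will stop working.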