AWS Basics: MFA

How to add an MFA to your user account using the Console

Pre-requisites

  • An authenticator app for your phone. We recommend:
    • Android: Google Authenticator
    • iPhone/iPad: Google Authenticator
    • Windows Phone: Microsoft Authenticator
  • Or a U2F key such as a YubiKey (highly recommended!)

Instructions

  1. Log in to your root or user account
  2. Go to the IAM service: https://console.aws.amazon.com/iam/
  3. In the navigation pane, choose Users
  4. In the User Name list, find your name/email address
    • Depending on your current rights, you might see permission errors. Please continue anyway.
  5. Choose the Security credentials tab
  6. Next to "Assigned MFA device", click the edit icon
  7. In the Manage MFA Device wizard, choose A virtual MFA device (for a phone app) or U2F (for a U2F key/YubiKey), and then click Next Step
  8. You might get a screen telling you to install an authenticator app. If you haven't already, please do so, then click Next Step
  9. Use your authenticator app to scan the QR code
  10. In the Authentication Code 1 field, type the current code
  11. Wait until the code changes, then type the next code in the Authentication Code 2 field
  12. Choose Activate Virtual MFA
  13. The MFA device should now be successfully associated. Click Finish

Done! However, please log out and log back in to get MFA-enabled privileges. Until you log in again, you will keep using outdated security credentials.

Advanced: How to "change", "switch" or assume roles on the CLI

I assume you have already configured your user and/or profile. You will need the ARN of your MFA device, which you can find under the Security credentials tab of your IAM user.

$ aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token

Note: AWS currently supports U2F security keys only in the AWS Management Console. U2F security keys are not currently supported for MFA in the AWS CLI and AWS API, or for access to MFA-protected API operations.

The get-session-token command returns a new, temporary set of credentials:

{
    "Credentials": {
        "SecretAccessKey": "AEROJDOOIWODJ",
        "SessionToken": "ALÖDMPOKD=OWQDOPKLÖSKD",
        "Expiration": "12309230123123",
        "AccessKeyId": "AWEPOIPOIASDASDASD"
    }
}

To switch to the new credentials, overwrite your current environment variables with the returned values.

Linux Bash / OS-X

$ export AWS_ACCESS_KEY_ID=AWEPOIPOIASDASDASD
$ export AWS_SECRET_ACCESS_KEY=AEROJDOOIWODJ
$ export AWS_SESSION_TOKEN=ALÖDMPOKD=OWQDOPKLÖSKD

Windows

C:\> set AWS_ACCESS_KEY_ID=AWEPOIPOIASDASDASD
C:\> set AWS_SECRET_ACCESS_KEY=AEROJDOOIWODJ
C:\> set AWS_SESSION_TOKEN=ALÖDMPOKD=OWQDOPKLÖSKD

You have now successfully assumed the new credentials.
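
For the Linux Bash / OS-X steps above, the following added example (not part of the original page) wraps the get-session-token call and the three exports in one function, and refuses to eval values that do not look like AWS credentials. The function names mfa_login and mfa_exports are hypothetical, and the allowed character set is an assumption about the credential format (the made-up sample values on this page would be rejected because of the "Ö").

```shell
# Added example, not from the original page. Function names are hypothetical.

# mfa_exports: read one line "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken"
# on stdin and print export statements. Runs in a subshell, so nothing leaks.
mfa_exports() (
  LC_ALL=C                      # make the [A-Za-z0-9] ranges byte-exact
  tab=$(printf '\t')
  IFS="$tab" read -r key secret token || :
  for v in "$key" "$secret" "$token"; do
    case $v in
      # Assumption: credentials are alphanumeric/base64 only. Anything else
      # (quotes, spaces, ';', '$', extra fields) must never reach eval.
      ''|*[!A-Za-z0-9+/=]*)
        echo "mfa_exports: unexpected credential format" >&2
        return 1 ;;
    esac
  done
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$key"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$secret"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$token"
)

# mfa_login <arn-of-the-mfa-device> <code-from-token>
# Requests temporary credentials and exports them into the current shell.
mfa_login() {
  case $2 in
    [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "mfa_login: token code must be six digits" >&2; return 2 ;;
  esac
  # --query/--output text yields the three values tab-separated on one line,
  # so no JSON parser is needed.
  _out=$(aws sts get-session-token --serial-number "$1" --token-code "$2" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text) || return 1
  _exports=$(printf '%s\n' "$_out" | mfa_exports) || return 1
  eval "$_exports"
  unset _out _exports
}
```

Source the file and run mfa_login with the ARN of your MFA device and the current code; the variables are set only in that shell session.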

Author: Angelique Dawnbringer
Published: 2009-07-11 13:23:00
Modified: 2019-03-03 20:09:45
Keywords: AWS Basics, Add MFA, Multi-Factor-Authentication, IAM, Authenticator, Security