aws sts get-session-token … --token-code … fails with InvalidClientTokenId, but MFA console login working

Question

 I am trying to retrieve session token on the AWS CLI like:

aws sts get-session-token --serial-number arn-string --token-code mfacode

where

* arn-string is copied from the IAM management console, security credentials for the assigned MFA device,format like "arn:aws:iam:<number>:mfa/<name>"

* "mfacode" is taken from the registered virtual MFA device

error:

An error occurred (InvalidClientTokenId) when calling the GetSessionToken operation: The security token included in the request is invalid.

However, I use that MFA device to log in to the console in the browser, I have only a default profile in my ~/.aws/, but I don't see how this would have any influence.

Answer 1

The profile used must have the "mfa_serial" entry. In my case added the "arn-string" for the MFA-device to my local default profile in "~/.aws/config" like so:

[default]

region = eu-central-1

mfa_serial = arn:aws:iam:<number>:mfa/<name>

This string can be found in the console, IAM service under the user, security credentials.

Do Check out the AWS Certification Course offered by Intellipaat.