22

I'm trying to get a session token in order to set environment variables in order to use a tool which uploads to S3 but doesn't directly support AWS profiles.

aws sts get-session-token --profile myprofile
Enter MFA code for arn:aws:iam::1234567890:mfa/myid:

An error occurred (AccessDenied) when calling the GetSessionToken operation: Cannot call GetSessionToken with session credentials

Subsequent calls skip the MFA check, indicating that it passed ok.

Running get-session-token without the --profile parameter works fine:

$ aws sts get-session-token
{
    "Credentials": {
...

What could be going wrong? Am I even going about this the right way?

The relevant part of my ~/.aws/config:

[profile otherprofile]
mfa_serial=arn:aws:iam::xxx:mfa/myid
aws_access_key_id=xxx
aws_secret_access_key=xxx

[profile myprofile]
source_profile=otherprofile
region=ap-southeast-2
role_arn=arn:aws:iam::xxx:role/owner
mfa_serial=arn:aws:iam::xxx:mfa/myid
Steve Bennett
  • The first error `when calling the GetSessionToken` suggests that the credentials in the `myprofile` profile are "session credentials", which are already the result of a `get-session-token` call. You should check the `.aws/credentials` file and confirm that the credentials for `myprofile` are associated with an IAM User. – John Rotenstein Apr 02 '19 at 06:21
  • My `~/.aws/credentials` file only lists a `[default]` profile, with access key id and secret access key. `~/.aws/config` lists the `[profile myprofile]`, which contains a `role_arn=arn:aws:iam::...:role/owner` and `mfa_serial=arn:aws:iam::....:mfa/myid` – Steve Bennett Apr 02 '19 at 06:28
  • Could you please clarify what you are wanting to achieve by calling `get-session-token`? If there is an MFA associated with the role and you use `myprofile`, are you able to call the desired APIs? – John Rotenstein Apr 02 '19 at 06:41
  • Yes, I can call APIs with `--profile myprofile`. I want to use [a tool](https://github.com/mapbox/mapbox-tile-copy) that doesn't directly support `--profile`, so I thought fetching a token myself and using it to set `AWS_SESSION_TOKEN` might be a way around that. I could be completely misunderstanding though. – Steve Bennett Apr 02 '19 at 06:44
  • Hmm. Maybe my actual issue is that I can't specify the *role* I want to upload with, rather than the *profile*. – Steve Bennett Apr 02 '19 at 06:48
  • Would you have a problem with creating an IAM User for use with that application? This way, you can provide it with an Access Key and Secret Key and track exactly what it is doing in the AWS account. This is preferable to assuming an IAM Role each time. – John Rotenstein Apr 02 '19 at 06:48
  • I wouldn't have access to do that, and I suspect the people that manage the accounts would have a problem with that. – Steve Bennett Apr 02 '19 at 06:49
  • In that case, you have a problem. You need to provide the tool with long-term credentials, not a Role to assume (because assuming a role requires credentials to call `assume-role`)! If you are doing something that the people who manage the accounts would not like, then you should engage them to come up with an appropriate solution. – John Rotenstein Apr 02 '19 at 06:51
  • Oh, I have success! Calling `aws sts assume-role --profile myprofile ...` gave credentials, which I was then able to set as environment variables, achieving what I wanted. Thank you for your help! – Steve Bennett Apr 02 '19 at 06:55

3 Answers

19

Your initial call is using an IAM role. It is attempting to call get-session-token, which will return some temporary credentials.

However, when an IAM Role is used, the AWS CLI automatically uses your normal credentials to call assume-role, thereby receiving back a set of temporary credentials. It is not possible to call get-session-token with temporary credentials (from the role). This is why the error message says Cannot call GetSessionToken with session credentials.

If you wish to call get-session-token, you will need to do it with your normal credentials, as you have done in your second example.

John Rotenstein
  • "normal credentials" vs "mfa creds"? Can you please expand the explanation and add an example (including the commands)? – Nir Alfasi Mar 18 '20 at 11:41
  • Dealing with the same problem I would say that "normal credentials" are in `otherprofile` or from 2nd comment looks like `default` profile, while profile with _assumed_ role is `myprofile`. – Vladimir Vukanac Aug 30 '20 at 21:03
  • Documentation: any AWS SDK will give you details on the method. In this case Python's boto3, which is what the AWS CLI uses, includes remarks stating that it only supports LONG TERM credentials, and also how to handle MFA: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/sts.html#STS.Client.get_session_token – eco Aug 08 '21 at 05:00
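The two points made above, that the CLI silently turns a role profile into STS session credentials (so GetSessionToken is refused), and the asker's workaround of calling assume-role and exporting the result, as an added example that is not from the question or any of the answers. It reads a config file in the question's format, says which kind of profile you have, prints the STS command that fits it, and converts the CLI's text output into export lines. The function names, the role session name `upload` and the sample config values are this example's own; `--query`, `--output text`, `--serial-number` and `--token-code` are real AWS CLI options. Nothing here contacts AWS unless you call `sts_env`.

```shell
#!/bin/sh
# Added example, not code from the question or any answer. Reads an
# ~/.aws/config-style file, reports whether a profile is backed by long-term
# keys or by an assumed role, prints the STS command that yields credentials
# for it, and turns the CLI's text output into export statements.
# Function names, the session name "upload" and all sample values are this
# example's own; the aws options used are real CLI options.

# profile_field NAME KEY FILE: print KEY's value from [profile NAME] (config
# style) or [NAME] (credentials style); prints nothing if absent.
profile_field() {
  awk -v want="[profile $1]" -v alt="[$1]" -v key="$2" '
    /^\[/ { in_section = ($0 == want || $0 == alt); next }
    in_section && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      sub(/^[^=]*=[ \t]*/, ""); print; exit
    }' "$3"
}

# profile_kind NAME FILE: "role" when the CLI will assume a role for this
# profile (its credentials are then STS session credentials, and
# GetSessionToken is refused), otherwise "long-term".
profile_kind() {
  if [ -n "$(profile_field "$1" role_arn "$2")" ]; then echo role; else echo long-term; fi
}

# sts_command NAME FILE MFA_CODE: print the aws command to run.
# A role profile is resolved to AssumeRole called with the *source* profile's
# long-term keys, so the role is assumed once (no role chaining); a long-term
# profile gets GetSessionToken. Either prints one tab-separated line:
# AccessKeyId, SecretAccessKey, SessionToken.
sts_command() {
  sc_query="--query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text"
  sc_mfa=$(profile_field "$1" mfa_serial "$2")
  sc_mfa_args=""
  if [ -n "$sc_mfa" ]; then sc_mfa_args="--serial-number $sc_mfa --token-code $3"; fi
  if [ "$(profile_kind "$1" "$2")" = role ]; then
    sc_src=$(profile_field "$1" source_profile "$2")
    sc_role=$(profile_field "$1" role_arn "$2")
    printf 'aws sts assume-role --profile %s --role-arn %s --role-session-name upload %s %s\n' \
      "${sc_src:-default}" "$sc_role" "$sc_mfa_args" "$sc_query"
  else
    printf 'aws sts get-session-token --profile %s %s %s\n' "$1" "$sc_mfa_args" "$sc_query"
  fi
}

# creds_to_exports: read the tab-separated line on stdin and print export
# statements. Values are single-quoted because session tokens contain / + =.
creds_to_exports() {
  IFS="$(printf '\t')" read -r ce_key ce_secret ce_token || return 1
  if [ -z "$ce_token" ]; then
    echo "creds_to_exports: expected AccessKeyId, SecretAccessKey, SessionToken" >&2
    return 1
  fi
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$ce_key"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$ce_secret"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$ce_token"
}

# sts_env NAME FILE MFA_CODE: actually run the command (this one calls AWS).
# Interactive use:  eval "$(sts_env myprofile ~/.aws/config 123456)"
sts_env() {
  eval "$(sts_command "$1" "$2" "$3")" | creds_to_exports
}

# write_sample_config FILE: a constructed copy of the question's config with
# placeholder values; no real keys.
write_sample_config() {
  cat > "$1" <<'EOF'
[profile otherprofile]
mfa_serial=arn:aws:iam::xxx:mfa/myid
aws_access_key_id=xxx
aws_secret_access_key=xxx

[profile myprofile]
source_profile=otherprofile
region=ap-southeast-2
role_arn=arn:aws:iam::xxx:role/owner
mfa_serial=arn:aws:iam::xxx:mfa/myid
EOF
}

# Stand-alone demo on the constructed config; nothing here contacts AWS.
demo() {
  d_cfg=$(mktemp)
  write_sample_config "$d_cfg"
  echo "myprofile is: $(profile_kind myprofile "$d_cfg")"
  echo "otherprofile is: $(profile_kind otherprofile "$d_cfg")"
  sts_command myprofile "$d_cfg" 123456
  sts_command otherprofile "$d_cfg" 123456
  # A constructed line in the shape the CLI's --output text would print:
  printf 'ASIAEXAMPLE\tsecretEXAMPLE\ttokenEXAMPLE\n' | creds_to_exports
  rm -f "$d_cfg"
}
demo
```

Two design points. First, `sts_command` deliberately passes the source profile, not the role profile, to `assume-role`: going through `--profile myprofile` works, as the asker found, but the CLI has already assumed the role by then, so the second AssumeRole is role chaining, which caps the session at one hour. Second, anything you `eval` into the shell is inherited by every process that shell starts afterwards, so run the uploader from a dedicated shell and let the session expire rather than leaving the variables in a long-lived login session.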
1

To retrieve the access id, access key and session token from a profile, you can use aws configure.

E.g.

aws configure get aws_access_key_id --profile myprofile
aws configure get aws_secret_access_key --profile myprofile
aws configure get aws_session_token --profile myprofile
disco crazy
0

+1 to this solution https://stackoverflow.com/a/55468397/6925966

!NB The GetSessionToken operation must be called by using the long-term AWS security credentials of the AWS account root user or an IAM user.

Try to set up:

  1. https://ohmyz.sh/
  2. https://github.com/joepjoosten/aws-cli-mfa-oh-my-zsh#using-oh-my-zsh-aws-mfa-plugin

Create the AWS user one more time if aws-mfa can't find any!

Finally in my case in ~/.aws/credentials I had something like

[username]
aws_access_key_id=AAAAAAAAAAAAAAAAAA76
aws_secret_access_key=IjfIjfIjfIjfIjfIjfIjfioksdf43sdf23rsssss

[default]
aws_access_key_id=AAAAAAAAAAAAAAAAAA76
aws_secret_access_key=IjfIjfIjfIjfIjfIjfIjfioksdf43sdf23rsssss

Then all aws cli commands should work.

m1mik