I am trying to refresh my session token under an IAM profile with MFA authentication:

    aws sts get-session-token \
        --duration-seconds "$DURATION" \
        --serial-number "$AWS_SERIAL" \
        --token-code "$AWS_MFA" > ~/.aws/cli/cache/session.json

But, I got this error:

An error occurred (AccessDenied) when calling the GetSessionToken operation: Cannot call GetSessionToken with session credentials

My ARN is as below:

    arn:aws:sts::XXXXX:assumed-role/YYYYYY/botoscore-session-ZZZZ

I looked over the internet and was not able to find a correct solution. Is there any direction I should look in?

quantCode
  • AWS STS temporary credentials cannot be extended or refreshed beyond the original specified interval. You need to create a new set of credentials. – Arpit Jain Apr 22 '23 at 14:40
  • Any AWS CLI example? – quantCode Apr 22 '23 at 14:54
  • Example of generating new sts token? – Arpit Jain Apr 22 '23 at 14:57
  • The linked duplicate Question explains your situation. Basically, you can't call `get-session-token` from an IAM Role. You can only call it when using IAM User credentials. From [get-session-token — AWS CLI Command Reference](https://awscli.amazonaws.com/v2/documentation/api/2.1.30/reference/sts/get-session-token.html): _"The `GetSessionToken` operation must be called by using the long-term AWS security credentials of the AWS account **root user or an IAM user.**"_ – John Rotenstein Apr 22 '23 at 23:01
  • Did you originally run `get-session-token` against IAM User credentials, and now you want a new set of temporary credentials because the first ones have expired? If so, make sure you run `get-session-token` against the IAM User credentials, not the temporary credentials. I suspect that you might have taken the result of the first `get-session-token` and stored them as Environment Variables? If so, then the AWS CLI is using them instead of your IAM User credentials. You should remove those Environment Credentials before requesting new temporary credentials. – John Rotenstein Apr 23 '23 at 01:03

1 Answer

From the AWS documentation:

Temporary credentials expire after a specified interval. After temporary credentials expire, any calls that you make with those credentials will fail, so you must generate a new set of temporary credentials. Temporary credentials cannot be extended or refreshed beyond the originally specified interval.

References:

Hope it helps.

Arpit Jain
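The two points raised in the comments and the answer (GetSessionToken accepts only long-term IAM user or root credentials, and stale temporary credentials exported into the environment silently override the profile you meant to use) can be checked before the API call rather than discovered from the AccessDenied error. The following script is an added example, not code from the question or the answer: it classifies the caller ARN reported by `aws sts get-caller-identity`, clears any temporary credentials from the environment, and only then requests a new session against a named IAM user profile. The profile name `iam-user`, the MFA device ARN, and the function names `cred_kind`, `clear_session_env`, `format_exports` and `mint_session` are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not code from the original question or answer).
# Assumptions: a profile named "iam-user" in ~/.aws/credentials holds the IAM
# user's long-term access key; the MFA device ARN and current code are passed
# as arguments. All function names below are this example's own.

# GetSessionToken only works with long-term IAM user or root credentials, so
# classify whatever get-caller-identity reports before calling it. The ARN in
# the question (arn:aws:sts::...:assumed-role/...) is a session credential.
cred_kind() {
  case "$1" in
    arn:aws:iam::*:user/*)           echo long-term ;;
    arn:aws:iam::*:root)             echo long-term ;;
    arn:aws:sts::*:assumed-role/*)   echo session ;;
    arn:aws:sts::*:federated-user/*) echo session ;;
    *)                               echo unknown ;;
  esac
}

# Temporary credentials left in the environment take precedence over --profile,
# which is the usual reason the CLI keeps presenting session credentials.
clear_session_env() {
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN
}

# Render the tab-separated `--output text` line from get-session-token
# ("AccessKeyId SecretAccessKey SessionToken Expiration") as export statements.
format_exports() {
  set -f                 # no globbing while splitting the credential fields
  set -- $1              # split on whitespace (tabs from --output text)
  set +f
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "$1"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$2"
  printf 'export AWS_SESSION_TOKEN=%s\n' "$3"
  printf '# session expires %s\n' "$4"
}

# mint_session PROFILE MFA_SERIAL MFA_CODE [DURATION_SECONDS]
# Refuses to run against session credentials, then requests a fresh session.
mint_session() {
  profile=$1; serial=$2; code=$3; duration=${4:-3600}
  clear_session_env
  arn=$(aws sts get-caller-identity --profile "$profile" \
          --query Arn --output text) || return 1
  kind=$(cred_kind "$arn")
  if [ "$kind" != long-term ]; then
    echo "profile '$profile' resolves to $kind credentials ($arn);" \
         "GetSessionToken needs an IAM user's long-term key" >&2
    return 1
  fi
  creds=$(aws sts get-session-token --profile "$profile" \
            --duration-seconds "$duration" \
            --serial-number "$serial" --token-code "$code" \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
            --output text) || return 1
  format_exports "$creds"
}

# Usage from an interactive shell (hypothetical MFA device ARN and code):
#   . ./mint_session.sh
#   eval "$(mint_session iam-user arn:aws:iam::123456789012:mfa/alice 123456)"
```

Because the output is meant to be `eval`-ed in the current shell, the new credentials never touch disk; if you keep the question's approach of redirecting to a file, create it with `umask 077` first so the session token is not world-readable. If the identity you actually work under is an assumed role (as the ARN in the question suggests) rather than an IAM user, the equivalent "refresh" is to run `aws sts assume-role` again from the long-term profile, which also accepts `--serial-number` and `--token-code` when the role's trust policy requires MFA.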