Reputation: 126205
I'm trying to get a session token in order to set environment variables in order to use a tool which uploads to S3 but doesn't directly support AWS profiles.
aws sts get-session-token --profile myprofile
Enter MFA code for arn:aws:iam::1234567890:mfa/myid:
An error occurred (AccessDenied) when calling the GetSessionToken operation:
Cannot call GetSessionToken with session credentials
Subsequent calls skip the MFA check, indicating that it passed ok.
Running get-session-token without the --profile parameter works fine:
$ aws sts get-session-token
{
"Credentials": {
...
What could be going wrong? Am I even going about this the right way?
The relevant part of my ~/.aws/config:
[profile otherprofile]
mfa_serial=arn:aws:iam::xxx:mfa/myid
aws_access_key_id=xxx
aws_secret_access_key=xxx
[profile myprofile]
source_profile=otherprofile
region=ap-southeast-2
role_arn=arn:aws:iam::xxx:role/owner
mfa_serial=arn:aws:iam::xxx:mfa/myid
Upvotes: 26
Views: 40661
Reputation: 79
I have faced a similar issue. I was supposed to generate a temporary access token for AWS resources, and I was trying to generate it using aws sts get-session-token from the AWS CLI and kept getting the error "An error occurred (AccessDenied) when calling the GetSessionToken operation: Cannot call GetSessionToken with session credentials".
It seems that when we open the AWS CLI from the portal, it isn't automatically mapped to your login credentials. It creates a temporary session itself, after which we tried to generate a session token with temporary session access, hence this error.
In order to generate a session token, you have to make sure that you have long-term credentials (root/IAM user with STS access), which can be done by executing aws configure in the AWS CLI with your current access and secret key. Once done, proceed with aws sts get-session-token and you should be able to generate one.
Upvotes: 2
Reputation: 31
+1 to this solution https://stackoverflow.com/a/55468397/6925966
!NB The GetSessionToken operation must be called by using the long-term AWS security credentials of the AWS account root user or an IAM user.
Try to set up:
2)https://github.com/joepjoosten/aws-cli-mfa-oh-my-zsh#using-oh-my-zsh-aws-mfa-plugin
create aws user one more time if aws-mfa can't find any !!!
Finally in my case in ~/.aws/credentials I had something like
[username]
aws_access_key_id=AAAAAAAAAAAAAAAAAA76
aws_secret_access_key=IjfIjfIjfIjfIjfIjfIjfioksdf43sdf23rsssss
[default]
aws_access_key_id=AAAAAAAAAAAAAAAAAA76
aws_secret_access_key=IjfIjfIjfIjfIjfIjfIjfioksdf43sdf23rsssss
Then all aws cli commands should work.
Upvotes: 1
Reputation: 32808
To retrieve the access id, access key and session token from a profile you can use aws configure.
E.g.
aws configure get aws_access_key_id --profile myprofile
aws configure get aws_secret_access_key --profile myprofile
aws configure get aws_session_token --profile myprofile
Upvotes: -1
Reputation: 269340
Your initial call is using an IAM role. It is attempting to call get-session-token, which will return some temporary credentials.
However, when an IAM Role is used, the AWS CLI automatically uses your normal credentials to call assume-role, thereby receiving back a set of temporary credentials. It is not possible to call get-session-token with temporary credentials (from the role). This is why the error message says Cannot call GetSessionToken with session credentials.
If you wish to call get-session-token, you will need to do it with your normal credentials, as you have done in your second example.
Upvotes: 22
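
An added example, not taken from any of the posts above: this Python sketch parses a config shaped like the one in the question and reports whether a profile resolves to session credentials (the case GetSessionToken rejects) and which profile at the end of the source_profile chain holds the long-term keys. The sample config is constructed from the question's placeholder values, and the function names are this example's own.

```python
import configparser

# Constructed sample mirroring the ~/.aws/config in the question (placeholder values).
SAMPLE_CONFIG = """
[profile otherprofile]
mfa_serial=arn:aws:iam::xxx:mfa/myid
aws_access_key_id=xxx
aws_secret_access_key=xxx

[profile myprofile]
source_profile=otherprofile
region=ap-southeast-2
role_arn=arn:aws:iam::xxx:role/owner
mfa_serial=arn:aws:iam::xxx:mfa/myid
"""

def load_profiles(text):
    """Parse AWS config text into {profile_name: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    profiles = {}
    for section in parser.sections():
        name = section.removeprefix("profile ")  # "[default]" has no prefix
        profiles[name] = dict(parser[section])
    return profiles

def classify(profiles, name):
    """Return (kind, base_profile) for the credentials the CLI would use.

    kind is "session" if any profile in the chain sets role_arn (the CLI calls
    AssumeRole) or aws_session_token, "long-term" otherwise, and "unresolved"
    for a missing profile or a circular source_profile chain.
    base_profile is the profile holding long-term keys, or None.
    """
    kind, seen = "long-term", set()
    while name in profiles and name not in seen:
        seen.add(name)
        p = profiles[name]
        if "role_arn" in p or "aws_session_token" in p:
            kind = "session"
        if "source_profile" not in p:
            has_keys = "aws_access_key_id" in p and "aws_session_token" not in p
            return kind, (name if has_keys else None)
        name = p["source_profile"]
    return "unresolved", None

if __name__ == "__main__":
    profiles = load_profiles(SAMPLE_CONFIG)
    for prof in ("myprofile", "otherprofile"):
        print(prof, classify(profiles, prof))
```

For the question's config this reports myprofile as session-based with otherprofile as the base, so get-session-token would be run with --profile otherprofile rather than --profile myprofile.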