Connecting to AWS Console and CLI with an IAM user

Edit on GitHub

This document describes how to access the AWS Management Console and configure AWS CLI access as an IAM user with Multi-Factor Authentication (MFA) enforced.

Prerequisites

Step 1: Sign in to the AWS Management Console

  1. In your browser, open the sign-in URL provided by your administrator.
Sign-in URL

The sign-in URL contains the ID of the account you are signing into. The pattern is https://{AWS_ACCOUNT_ID}.signin.aws.amazon.com/console/. Alternatively, you can sign in at the general sign-in endpoint by entering the account ID manually.

The sign-in page opens with the Account ID (12 digits) or account alias field entered automatically.

  1. Enter your IAM user name and Password.
  2. Select Sign in.
  3. When prompted, enter the MFA code from your authenticator application.

You are now signed in to the AWS Management Console.

Step 2: Generate access keys

Access keys are the long-term static credentials used to configure AWS CLI. Generate them once and store them securely.

Access key scope
  • You can only generate an access key for your own account.
  • Access keys are intended for local development and personal AWS CLI access only. Do not use them for automations.
  1. In the AWS Management Console navigation bar, click your username > My Security Credentials.
  2. On the Security credentials page, click Create access key.
  3. On the Access key best practices & alternatives page, select Command Line Interface (CLI), then click Next. The Create access key window opens. Your access key has been generated.
  4. Click Download .csv file to save the credentials.
  5. Optional: To view the secret key in this window, click Show secret access key.

Store the downloaded credentials securely. The secret access key is shown only once.

Step 3: Configure static credentials in your terminal

Because MFA is enforced, you need temporary session credentials to use the AWS CLI. Static credentials alone are only used to request those temporary credentials.

Start by clearing any previously exported credentials to ensure no stale values are used:

unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

Then export your static access key pair:

export AWS_ACCESS_KEY_ID="{YOUR_ACCESS_KEY_ID}"
export AWS_SECRET_ACCESS_KEY="{YOUR_SECRET_ACCESS_KEY}"

Replace {YOUR_ACCESS_KEY_ID} and {YOUR_SECRET_ACCESS_KEY} with the values from the .csv file you downloaded in Step 2.

Step 4: Find your MFA device ARN

To retrieve your MFA device serial number, use the AWS CLI:

aws iam list-mfa-devices

The output contains a SerialNumber field with a value in the following format:

arn:aws:iam::{ACCOUNT_ID}:mfa/{DEVICE_NAME}

Note this value — you need it in the next step.

Step 5: Generate temporary session credentials

Use one of the following options, replacing the placeholders with your values:

Option A: Step by step

  1. Request temporary credentials from AWS STS and save the output to a variable:
temp_creds=$(aws sts get-session-token \
  --serial-number {MFA_DEVICE_ARN} \
  --token-code {MFA_TOKEN_CODE} \
  --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
  --output text)
  1. Read the three values from the output into separate variables:
read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<< "$temp_creds"
  1. Export them to your terminal session:
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  1. Clean up the temporary variable:
unset temp_creds

Option B: Single command

Run all of the above as a single command:

temp_creds=$(aws sts get-session-token \
  --serial-number {MFA_DEVICE_ARN} \
  --token-code {MFA_TOKEN_CODE} \
  --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
  --output text) \
&& read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<< "$temp_creds" \
&& export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN \
&& unset temp_creds
Placeholder Description
{MFA_DEVICE_ARN} The SerialNumber from Step 4.
{MFA_TOKEN_CODE} The current 6-digit code from your authenticator application.

Example:

temp_creds=$(aws sts get-session-token \
  --serial-number arn:aws:iam::123456789012:mfa/john.doe \
  --token-code 521288 \
  --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
  --output text) \
&& read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<< "$temp_creds" \
&& export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN \
&& unset temp_creds

The command fetches temporary credentials from AWS STS, reads the three values into variables, and exports them — overriding the static credentials in your current terminal session.

Session duration

Temporary credentials are valid for limited timeframe. When they expire, repeat Step 3 and Step 5 to obtain new ones. You can customize the duration using the --duration-seconds parameter (minimum: 900 seconds).

You can now use the AWS CLI to access your environment:

aws ec2 describe-instances

Next steps