Assuming A Role With MFA — wrong error message

When assuming a role it might say your token code is invalid when that’s not the problem

Teri Radichel · Published in Bugs That Bite · 2 min read · Oct 29, 2024

I was just troubleshooting why role assumption with MFA was not working with this command:

aws sts assume-role --serial-number arn:aws:iam::[account 1]:mfa/[user] \
    --role-session-name [session name] \
    --role-arn arn:aws:iam::[account 2]:role/[role name] \
    --profile [aws cli profile] \
    --region [aws region] \
    --duration-seconds 900 \
    --external-id [external id] \
    --token-code [mfa app code]

I got an error telling me the token code was invalid, but in fact that was not the problem. The problem was that I had rotated the credentials in the AWS console and forgot to update them in the AWS CLI profile used above.

Improving the testing would help here. Remove each element one at a time and make sure you get the correct error message. In this case it should be telling me that the credentials are invalid, not the token code. I believe it should be possible to tell that the token code is associated with the ARN used in the command and that the credentials are not active or associated with that MFA ARN. Perhaps it could tell you that the MFA ARN and the credentials are not associated.
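One way to do that "remove each element one at a time" check from the shell, as an added example that is not part of the original post: the script below runs three stages with the same profile, MFA device and role, each adding one element, so the first stage that fails names the element that is actually wrong. Stage 1 calls `aws sts get-caller-identity` (long-term credentials only), stage 2 calls `aws sts get-session-token` with the MFA serial and token code (no role involved), and stage 3 runs the full assume-role call. The `AWS_BIN` hook, the `diagnose` function and the session name `mfa-diagnosis` are assumptions of this example, not AWS CLI features; the ARNs and profile names you pass in are your own placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): run the elements of the
# assume-role command one stage at a time so a failure points at the
# element that is actually wrong. Stage 1 uses only the profile's long-term
# credentials, stage 2 adds the MFA device and token code, stage 3 adds the role.
# AWS_BIN is an assumed hook so a stub can stand in for the aws CLI in tests.
AWS_BIN="${AWS_BIN:-aws}"
DURATION=900

# Stage 1: are the long-term credentials in the profile still accepted?
# A rotated key that was never copied into the profile fails here, before
# MFA is involved at all.
check_credentials() {
    "$AWS_BIN" sts get-caller-identity --profile "$1" >/dev/null
}

# Stage 2: are the MFA serial and token code accepted for these credentials,
# independent of any role? get-session-token needs the long-term IAM user
# keys the profile holds, which is exactly the post's setup.
check_mfa() {
    "$AWS_BIN" sts get-session-token --profile "$1" \
        --serial-number "$2" --token-code "$3" \
        --duration-seconds "$DURATION" >/dev/null
}

# Stage 3: the full assume-role call from the post (role ARN, session name,
# external id). Only reached once credentials and MFA are known to be good.
check_assume_role() {
    "$AWS_BIN" sts assume-role --profile "$1" \
        --serial-number "$2" --token-code "$3" \
        --role-arn "$4" --role-session-name "$5" --external-id "$6" \
        --duration-seconds "$DURATION" >/dev/null
}

# diagnose PROFILE MFA_SERIAL_ARN TOKEN_CODE ROLE_ARN EXTERNAL_ID
# Prints the element that failed (credentials | mfa | role | ok) and returns
# 1, 2, 3 or 0 accordingly. The aws CLI's own error text still goes to stderr.
diagnose() {
    profile="$1" serial="$2" code="$3" role_arn="$4" external_id="$5"
    if ! check_credentials "$profile"; then
        echo "credentials"; return 1
    fi
    if ! check_mfa "$profile" "$serial" "$code"; then
        echo "mfa"; return 2
    fi
    if ! check_assume_role "$profile" "$serial" "$code" "$role_arn" \
            "mfa-diagnosis" "$external_id"; then
        echo "role"; return 3
    fi
    echo "ok"; return 0
}

# Usage: sh mfa_assume_role_check.sh PROFILE MFA_SERIAL_ARN TOKEN_CODE ROLE_ARN EXTERNAL_ID
if [ "$#" -eq 5 ]; then
    result=$(diagnose "$@")
    status=$?
    case "$result" in
        credentials) echo "Stage 1 failed: the profile's access keys are not accepted (rotated and not updated?)." ;;
        mfa)         echo "Stage 2 failed: MFA serial or token code rejected for these credentials." ;;
        role)        echo "Stage 3 failed: credentials and MFA are fine; check the role ARN, its trust policy or the external id." ;;
        ok)          echo "All three stages succeeded." ;;
    esac
    exit "$status"
fi
```

In the situation described in the post, stage 1 fails on its own, which makes it clear the access keys (not the token code) are the problem. Stage 2 deliberately uses a 900 second session so the temporary credentials it mints are short-lived; they are discarded, the call is only there to confirm the MFA pairing.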

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel: ⭐️ Author: Cybersecurity Books

Published in Bugs That Bite

Helping make the world a better place, one error message at a time.
Written by Teri Radichel

CEO 2nd Sight Lab | Penetration Testing & Assessments | AWS Hero | Masters of Infosec & Software Engineering | GSE 240 etc | IANS | SANS Difference Makers Award
