Assuming A Role With MFA — wrong error message
When assuming a role, the CLI might say your token code is invalid when that is not the problem
I was just troubleshooting why role assumption with MFA was not working with this command:
aws sts assume-role --serial-number arn:aws:iam::[account 1]:mfa/[user] \
--role-session-name [session name] \
--role-arn arn:aws:iam::[account 2]:role/[role name] \
--profile [aws cli profile] \
--region [aws region] \
--duration-seconds 900 \
--external-id [external id] \
--token-code [mfa app code]
I got an error telling me the token code was invalid, but in fact that was not the problem. The problem was that I had rotated the credentials in the AWS console and forgot to update them in the profile used above in my AWS CLI configuration.
Better testing of this error path would help here: remove or break each element of the command one at a time and make sure the error message that comes back names the element that actually failed. In this case it should have told me that the credentials were invalid, not the token code. It should be possible to determine that the token code belongs to the MFA ARN passed in the command, and that the credentials are not active or are not associated with that MFA device. At a minimum it could say that the MFA ARN and the credentials are not associated with each other.
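The same "one element at a time" check can be done on the client side before trusting the STS error text. The following script is an added example, not part of the original post: it first confirms the profile's long-term credentials work at all (the stage that fails after a rotation), then checks that the MFA serial is registered on that identity, and only then makes the assume-role call. The function names and placeholder values are my own; the aws subcommands and flags are the standard CLI ones.

```shell
#!/bin/sh
# Added example, not from the original post: test each piece of the
# assume-role call separately, so a failure is attributed to the component
# that actually broke rather than to whatever STS happens to report.
# Function names are mine; the aws subcommands and flags are standard.

# Stage 1: do the profile's long-term credentials still work at all?
# Rotated-but-not-updated credentials fail here, before MFA is involved.
check_profile_credentials() {
  aws sts get-caller-identity --profile "$1" --output text >/dev/null 2>&1
}

# Stage 2: is the MFA serial we intend to pass actually registered on the
# identity behind this profile? list-mfa-devices without --user-name lists
# the caller's own devices; --output text gives them tab-separated.
check_mfa_serial() {
  aws iam list-mfa-devices --profile "$1" \
      --query 'MFADevices[].SerialNumber' --output text 2>/dev/null \
    | tr '\t' '\n' | grep -Fxq "$2"
}

# Stage 3: the real call, with the same flags as the command in the post.
# $1 profile, $2 MFA serial, $3 role ARN, $4 external id, $5 token code
assume_role_with_mfa() {
  aws sts assume-role --profile "$1" \
      --serial-number "$2" \
      --role-arn "$3" \
      --role-session-name "mfa-diagnostic" \
      --duration-seconds 900 \
      --external-id "$4" \
      --token-code "$5" \
      --output json >/dev/null 2>&1
}

# Run the stages in order and print the name of the first one that fails.
# Exit status: 0 ok, 1 profile credentials rejected, 2 MFA serial not on
# this identity, 3 the assume-role call itself was rejected.
diagnose_assume_role() {
  profile="$1"; serial="$2"; role_arn="$3"; external_id="$4"; token="$5"
  if ! check_profile_credentials "$profile"; then
    echo "profile-credentials"; return 1
  fi
  if ! check_mfa_serial "$profile" "$serial"; then
    echo "mfa-serial"; return 2
  fi
  if ! assume_role_with_mfa "$profile" "$serial" "$role_arn" "$external_id" "$token"; then
    echo "assume-role"; return 3
  fi
  echo "ok"
}

# Usage (placeholder values):
# diagnose_assume_role myprofile arn:aws:iam::111111111111:mfa/alice \
#   arn:aws:iam::222222222222:role/Deploy my-external-id 123456
```

In the scenario from the post, stage 1 fails and the script reports "profile-credentials", which is the message the CLI should have given; the token code is never even sent.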
Teri Radichel | © 2nd Sight Lab 2023