How to assume a role on target account from login account using MFA Code?

Step 1: Run the following command and get the temporary credentials.

aws sts assume-role \
--role-arn arn:aws:iam::<TargetAccountId>:role/<RoleName> \
--role-session-name <RoleName> \
--serial-number arn:aws:iam::<LoginAccountId>:mfa/<LoginName> \
--token-code <6DigitMFACode>

Step 2: The temporary credentials include the following:

AccessKeyId
SecretAccessKey
SessionToken
Expiration date and time (this token is valid for 1 hour by default)

Copy these values and create a profile in %USERPROFILE%\.aws\credentials file as follows:

[PROFILE_NAME]

aws_access_key_id = <AccessKeyId>
aws_secret_access_key = <SecretAccessKey>
aws_session_token = <SessionToken>

Step 3: You can now use this profile to assume <RoleName> role in <TargetAccountId> account.

AWS - Error - An error occurred (ExpiredToken) when calling the DescribeStacks operation: The security token included in the request is expired

Error: An error occurred (ExpiredToken) when calling the DescribeStacks operation: The security token included in the request is expired. Reason: It occurred when I ran a MAKE command with a profile having expired token (security credentials) Fix: Generate new security credentials (aws sts assume-role) and run the command again

AWS CloudTrail

AWS CloudTrail is an API monitoring service. It records activities in your account. We can log those activities in S3 bucket It gives visibility to user activities e.g., if you want to know who created an EC2 instance, you can get the answer using CloudTrail Using CloudTrail, you can track changes to AWS resources in your accounts

Ayyappu MK

Search This Blog