aws sts get-session-token fails with profile

Steve Bennett picture Steve Bennett · Apr 2, 2019 · Viewed 8.9k times · Source

I'm trying to get a session token in order to set environment variables in order to use a tool which uploads to S3 but doesn't directly support AWS profiles.

aws sts get-session-token --profile myprofile
Enter MFA code for arn:aws:iam::1234567890:mfa/myid:

An error occurred (AccessDenied) when calling the GetSessionToken operation: 
Cannot call GetSessionToken with session credentials

Subsequent calls skip the MFA check, indicating that it passed ok.

Running get-session-token without the --profile parameter works fine:

$ aws sts get-session-token
{
    "Credentials": {
...

What could be going wrong? Am I even going about this the right way?

The relevant part of my ~/.aws/config:

[profile otherprofile]
mfa_serial=arn:aws:iam::xxx:mfa/myid
aws_access_key_id=xxx
aws_secret_access_key=xxx

[profile myprofile]
source_profile=otherprofile
region=ap-southeast-2
role_arn=arn:aws:iam::xxx:role/owner
mfa_serial=arn:aws:iam::xxx:mfa/myid

Answer

John Rotenstein picture John Rotenstein · Apr 2, 2019

Your initial call is using an IAM role. It is attempting to call get-session-token, which will return some temporary credentials.

However, when an IAM Role is used, the AWS CLI automatically uses your normal credentials to call assume-role, thereby receiving back a set of temporary credentials. It is not possible to call get-session-token with temporary credentials (from the role). This is why the error message says Cannot call GetSessionToken with session credentials.

If you wish to call get-session-token, you will need to do it with your normal credentials, as you have done in your second example.