How to use AWS CLI to generate SESSION_TOKEN

Setting things up for the first time may not be an easy task. If you are unlucky, you may encounter this error:

An error occurred (AccessDenied) when calling the GetSessionToken operation: MultiFactorAuthentication failed, unable to validate MFA code. Please verify your MFA serial number is valid and associated with this user.

So, let’s set up the AWS CLI to generate a Session Token for the first time!

First, make sure you have the AWS CLI installed on your system, that you have set up Multi-Factor Authentication (MFA) for your IAM user, and that you have your IAM user credentials at hand.

Then, configure the AWS CLI using

aws configure

Put in the AccessKeyId and SecretAccessKey. For default region name, here are some of the popular default region names in the AWS CLI, based on their geographic locations and frequent usage:

  • us-east-1: US East (N. Virginia) – One of the most popular regions, often the default for many services.
  • us-west-2: US West (Oregon) – Commonly used for resources in the western United States.
  • eu-west-1: EU (Ireland) – A popular choice in Europe due to its central location.
  • eu-north-1: EU (Stockholm) – Close to Nordic countries like Norway and Sweden.
  • ap-southeast-1: Asia Pacific (Singapore) – A widely used region in Southeast Asia.
  • ap-northeast-1: Asia Pacific (Tokyo) – Popular in East Asia, especially for services in Japan.
  • sa-east-1: South America (São Paulo) – The main region for South America.

These regions are selected based on proximity to users, low latency, and regulatory requirements. When choosing a default region, you typically pick the one nearest to your location or your application’s audience to ensure optimal performance.

Next, the default output format can be json, text, or table, for example.

To generate a SESSION_TOKEN using the AWS CLI, you can use the get-session-token command provided by the AWS Security Token Service (STS):

  • Use the following command to generate temporary credentials, including the SESSION_TOKEN:

    aws sts get-session-token --duration-seconds <duration> --serial-number <MFA_device_serial_number> --token-code <MFA_code>
  • Replace the placeholders:
    • <duration>: Specify the duration (in seconds) for which the credentials should be valid (e.g., 900 for 15 minutes).
    • <MFA_device_serial_number>: The serial number or ARN of your MFA device. It can look something like arn:aws:iam::123456789012:mfa/your-user-name. You can find it by logging in to AWS in your browser, going to Identity and Access Management (IAM) >> My security credentials, and looking at the Multi-factor authentication (MFA) section (1).
    • <MFA_code>: An MFA code is a unique, time-sensitive code generated by your Multi-Factor Authentication (MFA) device or app as part of the login verification process. It’s usually a six-digit number that is refreshed every 30 seconds, ensuring enhanced security.
  • Output:
    • The command will return a JSON response containing the AccessKeyId, SecretAccessKey, and SessionToken. For example:
{
  "Credentials": {
    "AccessKeyId": "ASIA...",
    "SecretAccessKey": "wJalr...",
    "SessionToken": "AQoEXAMPLE...",
    "Expiration": "2025-04-07T12:00:00+00:00"
  }
}
  • Use the credentials:
    • You can use these temporary credentials to make API calls or interact with AWS services.
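The usual way to "use the credentials" from the CLI is to put the three values into the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN environment variables, which the CLI and the SDKs read before any profile. The shell helper below is an added example, not code from the original post: it validates the duration and MFA code, calls get-session-token with --query and --output text, and turns the result into export lines. The profile variable AWS_MFA_SOURCE_PROFILE, the variable AWS_SESSION_EXPIRATION and the sample serial ARN are assumptions for the example.

```shell
# Added example: wraps `aws sts get-session-token` so that the temporary
# credentials end up in the AWS_* environment variables the CLI and SDKs read.
# Assumptions: AWS CLI on PATH, a long-lived profile created with `aws configure`
# (named in AWS_MFA_SOURCE_PROFILE, default "default"), and the MFA serial ARN.

# Turn the one tab-separated line that `--output text` prints for
# Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]
# into `export` statements. Kept separate from the network call so it can be
# exercised on a constructed line.
sts_exports_from_text() {
  tab=$(printf '\t')
  IFS=$tab read -r ak sk st exp <<EOF
$1
EOF
  [ -n "$ak" ] && [ -n "$sk" ] && [ -n "$st" ] && [ -n "$exp" ] || {
    echo "sts_exports_from_text: expected 4 tab-separated fields" >&2
    return 1
  }
  # Temporary (STS) access key ids start with ASIA, long-lived ones with AKIA.
  case $ak in ASIA*) ;; *) echo "warning: '$ak' does not look like a temporary key id" >&2 ;; esac
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "$ak"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$sk"
  printf 'export AWS_SESSION_TOKEN=%s\n' "$st"
  # AWS_SESSION_EXPIRATION is an assumed, informational name; the CLI ignores it.
  printf 'export AWS_SESSION_EXPIRATION=%s\n' "$exp"
}

# Validate the inputs, call STS, and print export lines for eval.
# Usage: eval "$(aws_mfa_session arn:aws:iam::123456789012:mfa/your-user-name 123456 3600)"
aws_mfa_session() {
  serial=$1; code=$2; duration=${3:-3600}
  # GetSessionToken accepts 900..129600 seconds for an IAM user (900..3600 for root).
  [ "$duration" -ge 900 ] 2>/dev/null && [ "$duration" -le 129600 ] || {
    echo "duration must be 900..129600 seconds" >&2; return 1
  }
  case $code in [0-9][0-9][0-9][0-9][0-9][0-9]) ;; *)
    echo "MFA code must be six digits" >&2; return 1 ;;
  esac
  # --profile forces the long-lived key: temporary credentials cannot call GetSessionToken.
  line=$(aws sts get-session-token \
      --profile "${AWS_MFA_SOURCE_PROFILE:-default}" \
      --duration-seconds "$duration" \
      --serial-number "$serial" \
      --token-code "$code" \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
      --output text) || return 1
  sts_exports_from_text "$line"
}
```

Because the exported variables take precedence over profiles, unset them (or open a new shell) before requesting the next session token, otherwise the CLI will try to call GetSessionToken with the expired temporary credentials.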
