堆栈内存溢出
  简体   繁体   English

aws sts get-session-token ... --token-code ... 失败并显示 InvalidClientTokenId,但 MFA 控制台登录工作

[英]aws sts get-session-token … --token-code … fails with InvalidClientTokenId, but MFA console login working

 原文  2020-07-12 10:28:43       amazon-web-services/ aws-cli/ multi-factor-authentication

问题描述

I am trying to retrieve session token on the AWS CLI like so:我正在尝试在 AWS CLI 上检索 session 令牌,如下所示:

aws sts get-session-token --serial-number arn-string --token-code mfacode

where在哪里

  • arn-string is copied from the IAM management console, security credentials for the assigned MFA device,format like arn:aws:iam:<number>:mfa/<name> arn-string从 IAM 管理控制台复制,分配的 MFA 设备的安全凭证,格式如arn:aws:iam:<number>:mfa/<name>
  • mfacode is taken from the registered virtual mfa device mfacode取自已注册的虚拟 mfa 设备

error:错误:

An error occurred (InvalidClientTokenId) when calling the GetSessionToken operation: The security token included in the request is invalid.

However, I use that MFA device to login to the console in the browser just fine但是,我使用该 MFA 设备在浏览器中登录控制台就好了

I have only a default profile in my ~/.aws/, but I don't see how this would have any influence.我的 ~/.aws/ 中只有一个默认配置文件,但我看不出这会产生什么影响。

tried this:试过这个:

  1. try multiple time to ensure no mfa flip-over has happened多次尝试以确保没有发生 mfa 翻转
  2. delete MFA device assignment and reassign device -- same error删除 MFA 设备分配并重新分配设备——同样的错误
  3. ommitting --token-code in hope to have it prompt me for the MFA device token -- same error省略--token-code希望它提示我输入 MFA 设备令牌 -- 同样的错误
  4. using the arn:aws:iam:<number>:user/<name> -- same error as can be expected since the aws get-session-id help clearly states it needs to be the arn of the mfa device使用arn:aws:iam:<number>:user/<name> - 与预期相同的错误,因为aws get-session-id help明确指出它需要是 mfa 设备的 arn

I figure this has to do with arn-string rather than the token, but what?我认为这与 arn-string 而不是令牌有关,但是什么? Any idea on what causes this problem most welcome.任何有关导致此问题的原因的想法都非常受欢迎。

Regards, Olaf问候, 奥拉夫

1 个解决方案

解决方案1
 3 已采纳  2020-07-14 17:00:25

Solved.解决了。 maafk 's comment nails it down. maafk的评论明确了这一点。 For the records and to the next poor soul stumbling into this problem:对于记录和下一个遇到这个问题的可怜的灵魂:

The profile used must have the mfa_serial entry.使用的配置文件必须具有mfa_serial条目。 In my case added the arn-string for the mfa-device to my local default profile in ~/.aws/config like so:在我的情况下,将 mfa-device 的arn-string添加到~/.aws/config中的本地默认配置文件中,如下所示:

[default]

region = eu-central-1

mfa_serial = arn:aws:iam:<number>:mfa/<name>

This string can be found in the console, IAM service under the user, security credentials.此字符串可在控制台、用户下的 IAM 服务、安全凭证中找到。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 aws sts get-session-token与配置文件失败 - aws sts get-session-token fails with profile 有没有办法用脚本生成AWS MFA令牌代码? - Is there a way to generate aws mfa token-code with a script? AWS STS 承担角色 - InvalidClientTokenId:请求中包含的安全令牌无效 - AWS STS Assume Role - InvalidClientTokenId: The security token included in the request is invalid AWS STS 承担角色:获取会话令牌 - AWS STS Assume Role: Get session token 使用带有MFA代码/令牌的aws命令行界面登录问题 - login issue with aws command line interface with MFA code/token 使用STS凭证授权AWS-无需会话令牌 - Authorise AWS with STS credentials - without session token Aws-vault:无法获取凭据 - InvalidClientTokenId:请求中包含的安全令牌无效 - Aws-vault: Failed to get credentials - InvalidClientTokenId: The security token included in the request is invalid Cloud9 上的 AWS copilot InvalidClientTokenId:请求中包含的安全令牌无效(状态代码:403) - AWS copilot on Cloud9 InvalidClientTokenId: The security token included in the request is invalid (status code: 403) InvalidClientTokenId:请求中包含的安全令牌无效。 状态码:403 - InvalidClientTokenId: The security token included in the request is invalid. status code: 403 使用 aws STS 获取临时凭证:Web 身份令牌在哪里? - Using aws STS to get temporary credentials: Where is the web identity token?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM