A command line utility to generate temporary AWS credentials using virtual MFA devices. Credentials can be exported to environment variables, used in a new shell session, or saved to AWS credentials file.
- Supports MFA authentication with virtual MFA devices (hardware MFA devices supported, but FIDO security keys are not supported)
- Interactive MFA code prompting - if no code is provided, you'll be prompted to enter it
- Select any profile from AWS credentials file
- Automatic MFA device selection - reads
mfa_serialfrom AWS profile configuration (~/.aws/config or ~/.aws/credentials), with fallback to automatic device detection - Generate temporary credentials using AWS STS
- Enhanced error reporting with detailed error messages
- Atomic credentials file updates - prevents file corruption during concurrent access
- Multiple output options:
- Export as environment variables
- Launch new shell with credentials
- Update/create profiles in AWS credentials file
GitHub Release page provides binaries for:
- Windows
- Linux
- macOS
The tool can automatically select your MFA device by reading the mfa_serial setting from your AWS profile configuration. This eliminates the need to specify the --arn parameter each time.
[profile dev]
region = us-west-2
mfa_serial = arn:aws:iam::123456789012:mfa/username
[profile prod]
region = eu-west-1
mfa_serial = arn:aws:iam::123456789012:mfa/prod-user[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
mfa_serial = arn:aws:iam::123456789012:mfa/username
[dev]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
mfa_serial = GAHT12345678Supported mfa_serial formats:
- Virtual MFA devices:
arn:aws:iam::123456789012:mfa/username - Hardware MFA devices:
GAHT12345678(serial number)
Precedence: Config file (/.aws/config) takes precedence over credentials file (/.aws/credentials).
If you don't provide the --code argument, you'll be prompted to enter it interactively:
# Interactive mode - you'll be prompted for the MFA code
aws-mfa-session --export
Enter MFA code: 123456When you have mfa_serial configured in your AWS profile, the tool automatically selects the MFA device:
# Uses mfa_serial from the default profile configuration
aws-mfa-session --code 123456 --export
# Uses mfa_serial from the dev profile configuration
aws-mfa-session --profile dev --code 123456 --exportGenerate session credentials with default profile, and print the credentials as exported environment variables:
aws-mfa-session --code 123456 --exportCould be used to inject variables into the current shell:
eval $(aws-mfa-session --code 464899 --export)Generate session credentials with default profile and MFA ARN:
aws-mfa-session --arn arn:aws:iam::012345678910:mfa/username --code 123456 --exportGenerate session credentials with default profile and non-default region:
aws-mfa-session --region us-east-2 --code 123456 --exportGenerate session credentials with default profile, and run a new shell with exported environment variables:
aws-mfa-session --code 123456 --shellGenerate session credentials with default profile, and create or update a new profile:
aws-mfa-session --update-profile mfa-session --code 123456Generate session credentials with defined profile, and create or update a new profile:
aws-mfa-session --profile dev --update-profile mfa-session --code 123456Generate session credentials with defined profile and non-default credential file, and create or update a new profile:
aws-mfa-session --credentials-file ~/.aws/credentials2 --profile dev --update-profile mfa-session --code 123456Generate session credentials with custom duration (2 hours):
aws-mfa-session --code 123456 --duration 7200 --exportGenerate session credentials with maximum duration (just under 36 hours):
aws-mfa-session --code 123456 --duration 129599 --exportThe tool automatically detects your shell and formats output appropriately:
Bash/Zsh/Sh output:
export AWS_ACCESS_KEY_ID='AKIAIOSFODNN7EXAMPLE'
export AWS_SECRET_ACCESS_KEY='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
export AWS_SESSION_TOKEN='AQoEXAMPLE...'
export PS1='AWS:user@123456789012 \$ 'Fish shell output:
set -x AWS_ACCESS_KEY_ID "AKIAIOSFODNN7EXAMPLE"
set -x AWS_SECRET_ACCESS_KEY "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
set -x AWS_SESSION_TOKEN "AQoEXAMPLE..."
set -x PS1 "AWS:user@123456789012 \$ "CMD output:
set "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"
set "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
set "AWS_SESSION_TOKEN=AQoEXAMPLE..."
set "PROMPT=AWS:user@123456789012 \$ "PowerShell output:
Set-Variable -Name "AWS_ACCESS_KEY_ID" -Value "AKIAIOSFODNN7EXAMPLE"
Set-Variable -Name "AWS_SECRET_ACCESS_KEY" -Value "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
Set-Variable -Name "AWS_SESSION_TOKEN" -Value "AQoEXAMPLE..."
function prompt { "AWS:user@123456789012 \$ " }Download pre-built binaries from the GitHub Releases page for:
- Windows
- Linux
- macOS
Requirements: Rust and Cargo
# Install latest from crates.io
cargo install aws-mfa-session
# Install latest from git
cargo install --git https://github.com/AnderEnder/aws-mfa-session
# Build from local source
git clone https://github.com/AnderEnder/aws-mfa-session
cd aws-mfa-session
cargo build --release
# Install from local source
cargo install --path .Usage: aws-mfa-session [OPTIONS]
Options:
-p, --profile <PROFILE>
AWS credential profile to use. AWS_PROFILE is used by default
-f, --credentials-file <CREDENTIALS_FILE>
AWS credentials file location to use. AWS_SHARED_CREDENTIALS_FILE is used if not defined
-r, --region <REGION>
AWS region. AWS_REGION is used if not defined
-c, --code <CODE>
MFA code from MFA resource
-a, --arn <ARN>
MFA device ARN from user profile. It could be detected automatically
-d, --duration <DURATION>
Session duration in seconds (900-129600) [default: 3600]
-s, --shell
Run shell with AWS credentials as environment variables
-e, --export
Print(export) AWS credentials as environment variables
-u, --update-profile <SESSION_PROFILE>
Update AWS credential profile with temporary session credentials
-h, --help
Print help
- Input validation: MFA codes must be exactly 6 digits
- Duration validation: Session duration is validated to be within AWS limits (15 minutes to 36 hours)
- Atomic file operations: Credentials file updates are atomic to prevent corruption
- Permission preservation: Original file permissions are maintained when updating credentials
- Shell injection protection: All shell output is properly escaped for security
- Multi-shell support: Supports Bash, Zsh, Fish, Sh, CMD, and PowerShell with proper prompt setting
The application automatically detects your shell and formats output accordingly:
- Unix/Linux shells: Bash, Zsh, Sh, Fish
- Sets
AWS_*environment variables andPS1prompt - Proper quote escaping for special characters
- Sets
- Windows shells: CMD, PowerShell
- CMD: Uses
setcommands andPROMPTvariable - PowerShell: Uses
Set-Variableand custompromptfunction - Case-insensitive shell detection
- CMD: Uses
The application provides detailed error messages with enhanced reporting using miette:
- Input validation errors: Invalid MFA codes, duration out of bounds
- AWS service errors: Authentication failures, missing MFA devices, STS token errors
- File operation errors: Permission issues, file corruption prevention
- Network errors: Connectivity issues, timeout handling
- Interactive errors: TTY detection for MFA code prompting
All errors include helpful context and suggestions for resolution.