The latest articles on DEV Community by Gabor Matyi (@matyig). https://dev.to/matyig https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3457623%2F5922bc71-5e74-42d9-95a6-4d1c83675e82.png https://dev.to/matyig en Gabor Matyi Wed, 08 Apr 2026 14:52:20 +0000 https://dev.to/matyig/aws-cli-setup-with-mfa-2fa-for-developer-machines-2di9 https://dev.to/matyig/aws-cli-setup-with-mfa-2fa-for-developer-machines-2di9 <p>This document describes how to configure AWS CLI with Multi-Factor Authentication (MFA) using IAM roles and a dedicated CLI user.</p> <h2> 1. Create the DevelopersPermission Policy </h2> <ol> <li>Go to AWS Console → IAM → Policies</li> <li>Click Create policy</li> <li>Switch to the JSON tab and paste: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"iam:GetAccountSummary"</span><span class="p">,</span><span class="w"> </span><span class="s2">"iam:ListAccountAliases"</span><span class="p">,</span><span class="w"> </span><span class="s2">"iam:GetUser"</span><span class="p">,</span><span class="w"> </span><span class="s2">"iam:CreateAccessKey"</span><span class="p">,</span><span class="w"> </span><span class="s2">"iam:DeleteAccessKey"</span><span class="p">,</span><span class="w"> </span><span class="s2">"iam:ListAccessKeys"</span><span class="p">,</span><span class="w"> </span><span class="s2">"iam:UpdateAccessKey"</span><span class="p">,</span><span class="w"> </span><span class="s2">"iam:GetAccessKeyLastUsed"</span><span class="p">,</span><span class="w"> </span><span class="s2">"iam:ListMFADevices"</span><span class="p">,</span><span class="w"> </span><span class="s2">"iam:GetLoginProfile"</span><span class="p">,</span><span class="w"> </span><span class="s2">"iam:ListUsers"</span><span class="p">,</span><span class="w"> </span><span class="s2">"iam:ListVirtualMFADevices"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::*:user/${aws:username}"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>You can extend this policy with additional permissions as needed, for example access to services like EC2, S3, or other AWS resources depending on your use case.</p> <ol> <li>Click Next</li> <li>Provide a name: DevelopersPermission</li> <li>Click Create policy</li> </ol> <h2> 2. Create the developers-role Role </h2> <ol> <li>Go to IAM → Roles → Create role</li> <li>Select Custom trust policy</li> <li>Paste: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::&lt;Account-ID&gt;:root"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts:AssumeRole"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Bool"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:MultiFactorAuthPresent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Replace <code>&lt;Account-ID&gt;</code> with your AWS account ID.</p> <ol> <li>Attach DevelopersPermission policy</li> <li>Name: developers-role</li> <li>Create role</li> </ol> <h2> 3. Create CLI User: dev-privat </h2> <p>Create user in IAM.</p> <h3> Permissions </h3> <p>Attach IAMUserChangePassword policy.</p> <h3> MFA </h3> <p>Assign MFA device and note ARN:<br> e.g. arn:aws:iam::12345678:mfa/dev-privat</p> <h3> Access Keys </h3> <p>Create and store:<br> aws_access_key_id<br> aws_secret_access_key</p> <h2> 4. Create Developers Group </h2> <p>Add user to group and attach inline policy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts:AssumeRole"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::&lt;Account-ID&gt;:role/developers-role"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Bool"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:MultiFactorAuthPresent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"iam:GetUser"</span><span class="p">,</span><span class="w"> </span><span class="s2">"iam:ListMFADevices"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Replace <code>&lt;Account-ID&gt;</code> with your AWS account ID.</p> <h2> 5. Configure AWS CLI </h2> <p>Run:<br> aws configure --profile private</p> <p>Edit ~/.aws/credentials:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[privat-base]</span> <span class="py">aws_access_key_id</span> <span class="p">=</span> <span class="s">&lt;your access_key_id&gt;</span> <span class="py">aws_secret_access_key</span> <span class="p">=</span> <span class="s">&lt;your secret_access_key&gt;</span> </code></pre> </div> <p>Replace <code>&lt;your access_key_id&gt;</code> and <code>&lt;your secret_access_key&gt;</code> with your access key.<br> Ensure that the section name <code>privat-base</code>, not <code>privat</code> in this file.</p> <p>Edit ~/.aws/config:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[default]</span> <span class="py">region</span> <span class="p">=</span> <span class="s">eu-central-1</span> <span class="py">output</span> <span class="p">=</span> <span class="s">json</span> <span class="nn">[profile privat]</span> <span class="py">role_arn</span> <span class="p">=</span> <span class="s">arn:aws:iam::&lt;Account-ID&gt;:role/developers-role</span> <span class="py">mfa_serial</span> <span class="p">=</span> <span class="s">arn:aws:iam::&lt;Account-ID&gt;:mfa/dev-privat</span> <span class="py">duration_seconds</span> <span class="p">=</span> <span class="s">3600</span> <span class="py">source_profile</span> <span class="p">=</span> <span class="s">privat-base</span> <span class="py">region</span> <span class="p">=</span> <span class="s">eu-central-1</span> <span class="py">output</span> <span class="p">=</span> <span class="s">json</span> <span class="nn">[profile handsonlab]</span> <span class="py">region</span> <span class="p">=</span> <span class="s">us-east-1</span> <span class="py">output</span> <span class="p">=</span> <span class="s">json</span> </code></pre> </div> <p>Replace <code>&lt;Account-ID&gt;</code> with your AWS account ID.</p> <h2> Usage </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws sts get-caller-identity <span class="nt">--profile</span> privat </code></pre> </div> <p>You will be prompted for your MFA code.</p> aws cli security tutorial