Gabor Matyi
AWS CLI Setup with MFA (2FA) for Developer Machines

This document describes how to configure the AWS CLI with Multi-Factor Authentication (MFA) using an IAM role that can only be assumed with MFA and a dedicated CLI user whose long-term keys carry almost no permissions on their own.


1. Create the DevelopersPermission Policy

  1. Go to AWS Console → IAM → Policies
  2. Click Create policy
  3. Switch to the JSON tab and paste:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountSummary",
                "iam:ListAccountAliases",
                "iam:GetUser",
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey",
                "iam:GetAccessKeyLastUsed",
                "iam:ListMFADevices",
                "iam:GetLoginProfile",
                "iam:ListUsers",
                "iam:ListVirtualMFADevices"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        }
    ]
}
```

You can extend this policy with additional permissions as needed, for example access to services like EC2, S3, or other AWS resources depending on your use case.

  1. Click Next
  2. Provide a name: DevelopersPermission
  3. Click Create policy

2. Create the developers-role Role

  1. Go to IAM → Roles → Create role
  2. Select Custom trust policy
  3. Paste:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<Account-ID>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        }
    ]
}
```

Replace <Account-ID> with your AWS account ID.

  1. Attach DevelopersPermission policy
  2. Name: developers-role
  3. Create role

3. Create CLI User: dev-privat

Create the user in IAM.

Permissions

Attach the IAMUserChangePassword policy.

MFA

Assign an MFA device to the user and note its ARN, e.g. arn:aws:iam::12345678:mfa/dev-privat

Access Keys

Create an access key for the user and store:
aws_access_key_id
aws_secret_access_key


4. Create Developers Group

Add the user to the group and attach this inline policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<Account-ID>:role/developers-role",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetUser",
                "iam:ListMFADevices"
            ],
            "Resource": "*"
        }
    ]
}
```

Replace <Account-ID> with your AWS account ID.
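Both the role's trust policy (section 2) and the group's inline policy (section 4) rely on the same `Condition`: `aws:MultiFactorAuthPresent` must be `true`. That key is absent from requests signed with plain long-term access keys, so the strict `Bool` form is what actually forces MFA. The following is an added example, not code from the post, that lints a policy document for `sts:AssumeRole` grants missing that condition; the account ID `111122223333` and the helper names are placeholders chosen here.

```python
import fnmatch

# Constructed samples (placeholder account ID, not the post's account).
# 1) The trust policy from the post, which requires MFA.
TRUST_POLICY_WITH_MFA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# 2) The same policy with the Condition dropped: any key can assume the role.
TRUST_POLICY_WITHOUT_MFA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
    }],
}

# 3) A common mistake: BoolIfExists. In an Allow statement it lets the request
#    through when the key is absent, which is exactly the long-term-key case.
TRUST_POLICY_IF_EXISTS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_assume_role(statement):
    """True if any Action pattern (wildcards allowed) matches sts:AssumeRole."""
    return any(fnmatch.fnmatchcase("sts:assumerole", pattern.lower())
               for pattern in _as_list(statement.get("Action")))


def _requires_mfa(statement):
    """True only for the strict form: Condition.Bool.aws:MultiFactorAuthPresent == true.

    BoolIfExists is deliberately rejected (see sample 3 above).
    """
    bool_block = statement.get("Condition", {}).get("Bool", {})
    values = [str(v).lower() for v in _as_list(bool_block.get("aws:MultiFactorAuthPresent"))]
    return values == ["true"]


def assume_role_statements_missing_mfa(policy):
    """Return indexes of Allow statements that grant sts:AssumeRole without requiring MFA."""
    return [i for i, stmt in enumerate(_as_list(policy.get("Statement")))
            if stmt.get("Effect") == "Allow"
            and _grants_assume_role(stmt)
            and not _requires_mfa(stmt)]


if __name__ == "__main__":
    for name, doc in [("with MFA", TRUST_POLICY_WITH_MFA),
                      ("without MFA", TRUST_POLICY_WITHOUT_MFA),
                      ("BoolIfExists", TRUST_POLICY_IF_EXISTS)]:
        print(f"{name}: statements missing MFA condition -> {assume_role_statements_missing_mfa(doc)}")
```

Run it against the JSON you paste into the console (or the output of `aws iam get-role`) before creating the role; an empty list for every document means every AssumeRole grant is gated on MFA the way the post intends.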


5. Configure AWS CLI

Run:

```sh
aws configure --profile private
```

Edit ~/.aws/credentials:

```ini
[privat-base]
aws_access_key_id = <your access_key_id>
aws_secret_access_key = <your secret_access_key>
```

Replace <your access_key_id> and <your secret_access_key> with the access key of the dev-privat user.
Make sure the section in this file is named privat-base, not privat: it holds the long-term keys, and the privat profile in ~/.aws/config points at it via source_profile.

Edit ~/.aws/config:

```ini
[default]
region = eu-central-1
output = json

[profile privat]
role_arn = arn:aws:iam::<Account-ID>:role/developers-role
mfa_serial = arn:aws:iam::<Account-ID>:mfa/dev-privat
duration_seconds = 3600
source_profile = privat-base
region = eu-central-1
output = json

[profile handsonlab]
region = us-east-1
output = json
```

Replace <Account-ID> with your AWS account ID.


Usage

```sh
aws sts get-caller-identity --profile privat
```

You will be prompted for your MFA code.
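What happens behind that prompt: the CLI reads the privat profile, takes the long-term keys from the source_profile section of ~/.aws/credentials, and calls sts:AssumeRole with the role ARN, the mfa_serial as SerialNumber and the code you type as TokenCode. The resulting temporary credentials are what `get-caller-identity` is signed with. The following is an added example, not code from the post, that reproduces this chain in Python so you can see each value the CLI derives; the sample files use a placeholder account ID (111122223333) and AWS's documented example keys, and the function names are chosen here.

```python
import configparser
import getpass
import sys

# Constructed samples mirroring the post's files (placeholder account ID,
# AWS documentation example keys; nothing here is a real credential).
SAMPLE_CONFIG = """\
[default]
region = eu-central-1
output = json

[profile privat]
role_arn = arn:aws:iam::111122223333:role/developers-role
mfa_serial = arn:aws:iam::111122223333:mfa/dev-privat
duration_seconds = 3600
source_profile = privat-base
region = eu-central-1
output = json
"""

SAMPLE_CREDENTIALS = """\
[privat-base]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""


def _read_ini(text):
    # Only '=' separates keys from values; ARNs contain ':' so ':' must not be a delimiter.
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(text)
    return parser


def load_profile(config_text, name):
    """Return the ~/.aws/config section for a profile ([default] or [profile NAME])."""
    parser = _read_ini(config_text)
    section = "default" if name == "default" else f"profile {name}"
    if not parser.has_section(section):
        raise KeyError(f"profile {name!r} not found in ~/.aws/config")
    return dict(parser[section])


def base_credentials(credentials_text, name):
    """Return the long-term keys of the source profile from ~/.aws/credentials.

    The section must be named exactly like source_profile (privat-base in the
    post); a section called [privat] would not be found.
    """
    parser = _read_ini(credentials_text)
    if not parser.has_section(name):
        raise KeyError(f"source profile {name!r} not found in ~/.aws/credentials")
    section = parser[name]
    return {"aws_access_key_id": section["aws_access_key_id"],
            "aws_secret_access_key": section["aws_secret_access_key"]}


def assume_role_request(config_text, credentials_text, profile, session_name, token_code=None):
    """Build the sts:AssumeRole parameters the CLI derives for a role profile.

    Returns (source_keys, params); params matches boto3's sts.assume_role() kwargs.
    """
    p = load_profile(config_text, profile)
    keys = base_credentials(credentials_text, p["source_profile"])
    params = {
        "RoleArn": p["role_arn"],
        "RoleSessionName": session_name,
        "DurationSeconds": int(p.get("duration_seconds", 3600)),
    }
    if "mfa_serial" in p:
        # The trust policy checks aws:MultiFactorAuthPresent; STS sets that key
        # only when SerialNumber and TokenCode are supplied here.
        if not token_code:
            raise ValueError(f"profile {profile!r} has mfa_serial; an MFA code is required")
        params["SerialNumber"] = p["mfa_serial"]
        params["TokenCode"] = token_code
    return keys, params


if __name__ == "__main__":
    # Live run against your real files; needs boto3 and prompts for the code like the CLI does.
    from pathlib import Path
    import boto3
    cfg = Path.home().joinpath(".aws", "config").read_text()
    creds = Path.home().joinpath(".aws", "credentials").read_text()
    profile = sys.argv[1] if len(sys.argv) > 1 else "privat"
    keys, params = assume_role_request(cfg, creds, profile, getpass.getuser(),
                                       getpass.getpass("MFA code: "))
    sts = boto3.client("sts", aws_access_key_id=keys["aws_access_key_id"],
                       aws_secret_access_key=keys["aws_secret_access_key"])
    temp = sts.assume_role(**params)["Credentials"]
    as_role = boto3.client("sts", aws_access_key_id=temp["AccessKeyId"],
                           aws_secret_access_key=temp["SecretAccessKey"],
                           aws_session_token=temp["SessionToken"])
    print(as_role.get_caller_identity()["Arn"])  # expect .../assumed-role/developers-role/...
```

The two failure modes the post warns about are surfaced as exceptions: a credentials section named privat instead of privat-base raises KeyError before any network call, and omitting the MFA code raises ValueError, mirroring the AccessDenied you would otherwise get from the trust policy.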
