#aws

clever-jackal-65347

07/21/2023, 12:28 AM
Hi there, hopefully a quick one for some of you out there. I’m trying to import an existing Role into my stack but getting this error. It looks like it’s due to the aws profile not using MFA but I can’t seem to figure out how to enable MFA on cli. Other resources can be imported successfully. Can someone pls point me in the right direction? Thanks 🙏
* reading IAM Role (hxxxxxx): InvalidClientTokenId: The security token included in the request is invalid

little-cartoon-10569

07/21/2023, 2:20 AM
You don't enable MFA on CLI: you use MFA to get a new access key ID, secret key and session token. Then you use those in the CLI. Pulumi isn't involved in that part.
You can use the AWS CLI to get the new values, and then set them into a profile or just the usual environment variables, and Pulumi will use them.
You can use `aws sts get-session-token` to get the values. Docs are here: https://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html

clever-jackal-65347

07/21/2023, 3:01 AM
Thanks @little-cartoon-10569 for the reply. I understand that this is not related to Pulumi. The issue with my aws cli is I didn’t need to supply MFA to get a session token and I was able to use this token to run Pulumi and import other resources. However I could not do the same when importing a role (getting the error above). I googled it and it looks like the issue is I didn’t enable MFA somehow in my aws cli profile. However the user that’s linked to the access key/secret for the profile has MFA enabled and I had to type in the code every time I log in through the console.

little-cartoon-10569

07/21/2023, 3:15 AM
Okay, then the user's access key id and secret key cannot be used directly with Pulumi, because that user has MFA enabled. You need to use that user's access key with `aws sts get-session-token`, which gives you a new access key id, secret key and session token. Those are the values you use with Pulumi. And you need to change them every hour (or 24 hours or whatever you have configured as your session length).
I don't know why it worked for the older resources: perhaps your AWS policy has recently changed to require MFA?

clever-jackal-65347

07/21/2023, 3:22 AM
> the user’s access key id and secret key cannot be used directly with Pulumi, because that user has MFA enabled

I think this is not the issue? I’m still using the same access key/secret for the user and have been using it. Somehow I’ve been able to log in using this set of credentials alone without MFA even though I have MFA enabled for the IAM user. There are no recent changes to my AWS policy (this is my personal account). From what I gathered when accessing IAM resources I need to use MFA. But in my case it’s not even asking for an MFA code. I’ll spend more time on it afterwards. Thanks again for your help!
fixed by running this
aws configure set mfa_serial arn-to-device

little-cartoon-10569

07/21/2023, 4:29 AM
Nice. Never saw that before.

clever-jackal-65347

07/21/2023, 4:31 AM
Yep I think it links my local cli to the mfa device somehow. Surprised it’s hardly mentioned in enabling mfa doc 🤦. Doc talks about console log in with mfa.