hi there, hopefully a quick one for some of you out there. I’m trying to import an existing Role into my stack but getting this error. It looks like it’s due to the aws profile not using MFA but I can’t seem to figure out how to enable MFA on cli. Other resources can be imported successfully. Can someone pls point me to the right direction? Thanks 🙏

* reading IAM Role (hxxxxxx): InvalidClientTokenId: The security token included in the request is invalid

You don't enable MFA on CLI: you use MFA to get a new access key ID, secret key and session token. Then you use those in the CLI. Pulumi isn't involved in that part.

Thanks @little-cartoon-10569 for the reply. I understand that this is not related to Pulumi. The issue with my aws cli is I didn’t need to supply MFA to get a session token and I was able to use this token to run Pulumi and import other resources. However I could not do the same when importing a role (getting the error above). I googled it and it looks like the issue is I didn’t enable MFA somehow in my aws cli profile. However the user that’s linked to the access key/secret for the profile has MFA enabled and I had to type in the code every time I log in through the console.

Okay, then the user's access key id and secret key cannot be used directly with Pulumi, because that user has MFA enabled. You need to use that user's access key with

aws sts get-session-token

, which gives you a new access key id, secret key and session token. Those are the values you use with Pulumi. And you need to change them every hour (or 24 hours or whatever you have configured as your session length).

the user’s access key id and secret key cannot be used directly with Pulumi, because that user has MFA enabled I think this is not the issue? I’m still using the same access key/secret for the user and have been using it. Somehow I’ve been able to log in using this set of credentials alone without MFA even though I have MFA enabled for the IAM user. There’s no recent changes to my AWS policy (this is my personal account). From what I gathered when accessing IAM resources I need to use MFA. But in my case it’s not even asking for a MFA code. I’ll spend more time on it afterwards. Thanks again for your hep!

Nice. Never saw that before.

Yep I think it links my local cli to the mfa device somehow. surprised it’s hardly mentioned in enabling mfa doc 🤦 . doc talks about console log in with mfa..