How do I use MFA to authenticate access to Wasabi using AWS CLI?


It is best practice to protect your account and its resources by using a multi-factor authentication (MFA) device. If you plan to interact with your resources using the AWS CLI when using an MFA device, then you must create a temporary session.



Following are the steps how you can achieve this for any users:


1. Login into Wasabi Management Console and create a user.

In this example, we are creating a user called "mfa-demo" and giving them programmatic as well as console access. You may decide not to give console access if that's not a requirement. Download the credentials file once user is created and store it at a secure location as we will be using these credentials later to configure AWS CLI.




2. Design an IAM policy that will force the user to authenticate via MFA for any action.

Go to Policies tab and create a policy as per your requirements for the user. In this example we are creating a policy called "policy-for-demo-user"




Actual Policy: 

"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
"Effect": "Deny",
"Action": "s3:*",
"Resource": "*",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "false"


NOTE: This policy basically allows s3 actions on all resources ONLY if they are authorized through an MFA authentication both via programmatically and on console.


3. Once the user and policy is created, navigate to that user and attach the newly created policy to them.





4. Now go ahead and install the latest version of AWS CLI if you have not already installed on your system.


5. Now use your credential file which you had downloaded at creation of user in step 2. Execute the below command to configure mfa user's profile and make sure to use your own Access Key ID and Secret Key ID


aws configure --profile <name-for-this-user>




6. Now back to the console, go to your mfa created user and activate virtual MFA using any of these tested applications




7. Once the MFA is activated for your user, copy the ARN of this user and store it at a secure location. See screenshot below




8. On the CLI, Run the sts get-session-token command, replacing the variables with information from your account, resources, and MFA device:


$ aws sts get-session-token --serial-number <arn-of-the-mfa-user> --token-code <code-from-mfa-token-app> --profile <name-for-this-user> --endpoint-url=


You will receive an output with temporary credentials and an expiration time (by default, 12 hours) similar to the following


"Credentials": {
"SecretAccessKey": "secret-access-key",
"SessionToken": "temporary-session-token",
"Expiration": "expiration-date-time",
"AccessKeyId": "access-key-id"




Note: You can specify an expiration duration (in seconds) using the --duration-seconds option in the sts get-session-token command, where the value can range from 900 seconds (15 minutes) to 129600 seconds (36 hours). If you are using root user credentials, the range is from 900 seconds (15 minutes) to 3600 seconds (1 hour).


9. Now edit the credentials file in the .aws folder in the home directory of the user to add a new profile configuration for issuing MFA-authenticated commands. Here's an example profile configuration:


Note: In this example, we are configuring a profile name as "mfa-demo-temporary"

aws_access_key_id = example-access-key-as-in-returned-output
aws_secret_access_key = example-secret-access-key-as-in-returned-output
aws_session_token = example-session-Token-as-in-returned-output



After the credentials expire, execute the get-session-token command again, and then export the returned values to the environment variables or to the profile configuration.

Tip: Consider running a script or a cron job in the background that checks for "expiration" from the output of get-session-token command, and then prompts for re-authentication.


10. In order to show the working of this authentication, we have demonstrated by uploading an object to Wasabi bucket with regular credentials as well temporary sts credentials. Even though this user has complete permissions to perform any s3 action, it will get denied due to force MFA policy and the operation is ONLY successful when temporary sts credentials are used which is governed by MFA (see screenshot below)




Note that this code example discusses the use of Wasabi's us-east-2 storage region. To use other Wasabi storage regions, please use the appropriate Wasabi service URL as described here



If you do not wish to use named profiles as demonstrated above, you may also use temporary credentials with environment variables

You can use temporary credentials by exporting their values to environment variables using these commands.


export AWS_ACCESS_KEY_ID=example-access-key-as-in-previous-output
export AWS_SECRET_ACCESS_KEY=example-secret-access-key-as-in-previous-output
export AWS_SESSION_TOKEN=example-session-token-as-in-previous-output



set AWS_ACCESS_KEY_ID=example-access-key-as-in-previous-output
set AWS_SECRET_ACCESS_KEY=example-secret-access-key-as-in-previous-output
set AWS_SESSION_TOKEN=example-session-Token-as-in-previous-output


If you set the environment variables, be sure to unset them before making the get-session-token call again using these commands.



NOTE: If you prefer this approach, then you will not need to specify "--profile" argument in your commands.









Have more questions? Submit a request