I'm trying to get a session token in order to set environment variables in order to use a tool which uploads to S3 but doesn't directly support AWS profiles.
aws sts get-session-token --profile myprofile
Enter MFA code for arn:aws:iam::1234567890:mfa/myid:
An error occurred (AccessDenied) when calling the GetSessionToken operation:
Cannot call GetSessionToken with session credentials
Subsequent calls skip the MFA check, indicating that it passed ok.
Running get-session-token without the --profile parameter works fine:
$ aws sts get-session-token
{
"Credentials": {
...
What could be going wrong? Am I even going about this the right way?
The relevant part of my ~/.aws/config:
[profile otherprofile]
mfa_serial=arn:aws:iam::xxx:mfa/myid
aws_access_key_id=xxx
aws_secret_access_key=xxx
[profile myprofile]
source_profile=otherprofile
region=ap-southeast-2
role_arn=arn:aws:iam::xxx:role/owner
mfa_serial=arn:aws:iam::xxx:mfa/myid
Your initial call is using an IAM role. It is attempting to call get-session-token, which will return some temporary credentials.
However, when an IAM Role is used, the AWS CLI automatically uses your normal credentials to call assume-role, thereby receiving back a set of temporary credentials. It is not possible to call get-session-token with temporary credentials (from the role). This is why the error message says Cannot call GetSessionToken with session credentials.
If you wish to call get-session-token, you will need to do it with your normal credentials, as you have done in your second example.