This command gets temporary AWS security credentials for use with the AWS CLI and SDK, and places them in an AWS profile. It will use a long-lived IAM user access key, and the MFA code from either a virtual TOTP MFA device, or a hardware OTP authenticator to call STS get-session-token to get the temporary credentials. If no default profile exists, the command will prompt you to provide your AWS credentials first.
Note: This command currently supports only hardware or software based one-time password (OTP) authenticators. Passkeys and U2F devices are not currently supported.
aws configure mfa-login [--profile profile-name] [--update-profile profile-to-update] [--duration-seconds seconds] [--serial-number mfa-serial-number]
--update-profile
(string)
The profile to update with temporary credentials. If not provided, a default name will be generated.
--duration-seconds
(integer)
The duration, in seconds, that the credentials should remain valid. Minimum is 900 seconds (15 minutes), maximum is 129600 seconds (36 hours).
--serial-number
(string)
The ARN or serial number of the MFA device associated with the IAM user. If not provided, will use the mfa_serial from the profile configuration.
--debug
(boolean)
Turn on debug logging.
--endpoint-url
(string)
Override command’s default URL with the given URL.
--no-verify-ssl
(boolean)
By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection, the AWS CLI will verify SSL certificates. This option overrides the default behavior of verifying SSL certificates.
--no-paginate
(boolean)
Disable automatic pagination. If automatic pagination is disabled, the AWS CLI will only make one call, for the first page of results.
--output
(string)
The formatting style for command output.
--query
(string)
A JMESPath query to use in filtering the response data.
--profile
(string)
Use a specific profile from your credential file.
--region
(string)
The region to use. Overrides config/env settings.
--version
(string)
Display the version of this tool.
--color
(string)
Turn on/off color output.
--no-sign-request
(boolean)
Do not sign requests. Credentials will not be loaded if this argument is provided.
--ca-bundle
(string)
The CA certificate bundle to use when verifying SSL certificates. Overrides config/env settings.
--cli-read-timeout
(int)
The maximum socket read time in seconds. If the value is set to 0, the socket read will be blocking and not timeout. The default value is 60 seconds.
--cli-connect-timeout
(int)
The maximum socket connect time in seconds. If the value is set to 0, the socket connect will be blocking and not timeout. The default value is 60 seconds.
--cli-binary-format
(string)
The formatting style to be used for binary blobs. The default format is base64. The base64 format expects binary blobs to be provided as a base64 encoded string. The raw-in-base64-out format preserves compatibility with AWS CLI V1 behavior and binary values must be passed literally. When providing contents from a file that map to a binary blob, fileb:// will always be treated as binary and use the file contents directly regardless of the cli-binary-format setting. When using file://, the file contents will need to be properly formatted for the configured cli-binary-format.
--no-cli-pager
(boolean)
Disable cli pager for output.
--cli-auto-prompt
(boolean)
Automatically prompt for CLI input parameters.
--no-cli-auto-prompt
(boolean)
Disable automatic prompting for CLI input parameters.
To use the following examples, you must have the AWS CLI installed and configured. See the Getting started guide in the AWS CLI User Guide for more information.
Unless otherwise stated, all examples have unix-like quotation rules. These examples will need to be adapted to your terminal’s quoting rules. See Using quotation marks with strings in the AWS CLI User Guide.
To create a new profile with temporary MFA credentials
The following mfa-login command creates a new profile with temporary credentials obtained using MFA authentication.
aws configure mfa-login
Output:
MFA serial number or ARN: arn:aws:iam::123456789012:mfa/MFADeviceName
MFA token code: 123456
Profile to update [session-MFADeviceName]:
Temporary credentials written to profile 'session-MFADeviceName'
Credentials will expire at 2023-05-19 18:06:10 UTC
To use these credentials, specify --profile session-MFADeviceName when running AWS CLI commands
To create credentials when no default profile exists
If you don’t have a default profile configured, the mfa-login command will prompt you for your AWS credentials first.
aws configure mfa-login
Output:
No default profile found. Please provide your AWS credentials:
AWS Access Key ID: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
MFA serial number or ARN: arn:aws:iam::123456789012:mfa/MFADeviceName
MFA token code: 123456
Profile to update [session-MFADeviceName]:
Temporary credentials written to profile 'session-MFADeviceName'
Credentials will expire at 2023-05-19 18:06:10 UTC
To use these credentials, specify --profile session-MFADeviceName when running AWS CLI commands
To update an existing profile with temporary MFA credentials
The following mfa-login command updates an existing profile with temporary credentials obtained using MFA authentication.
aws configure mfa-login --profile myprofile --update-profile mfaprofile
Output:
MFA token code: 123456
Temporary credentials written to profile 'mfaprofile'
Credentials will expire at 2023-05-19 18:06:10 UTC
To use these credentials, specify --profile mfaprofile when running AWS CLI commands
Note: This command currently supports only hardware or software based one-time password (OTP) authenticators. Passkeys and U2F devices are not currently supported with this command.
For more information, see Using Multi-Factor Authentication (MFA) in AWS in the AWS IAM User Guide.
To create a new profile with temporary MFA credentials
The following mfa-login command creates a new profile with temporary credentials obtained using MFA authentication.
aws configure mfa-login
Output:
MFA serial number or ARN: arn:aws:iam::123456789012:mfa/user
MFA token code: 123456
Profile to update [session-12345]:
Temporary credentials written to profile 'session-12345'
Credentials will expire at 2023-05-19 18:06:10 UTC
To use these credentials, specify --profile session-12345 when running AWS CLI commands
To update an existing profile with temporary MFA credentials
The following mfa-login command updates an existing profile with temporary credentials obtained using MFA authentication.
aws configure mfa-login --profile myprofile --update-profile mytemp
Output:
MFA token code: 123456
Temporary credentials written to profile 'mytemp'
Credentials will expire at 2023-05-19 18:06:10 UTC
To use these credentials, specify --profile mytemp when running AWS CLI commands
To create credentials when no default profile exists
If you don’t have a default profile configured, the mfa-login command will prompt you for your AWS credentials first.
aws configure mfa-login
Output:
No default profile found. Please provide your AWS credentials:
AWS Access Key ID: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
MFA serial number or ARN: arn:aws:iam::123456789012:mfa/user
MFA token code: 123456
Profile to update [session-12345]:
Temporary credentials written to profile 'session-12345'
Credentials will expire at 2023-05-19 18:06:10 UTC
To use these credentials, specify --profile session-12345 when running AWS CLI commands
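An added example, not part of the AWS CLI documentation: once mfa-login has written a session profile, the long-lived IAM user key it started from is still on disk, and this sketch lists which profiles hold which kind of credential without printing any secret. It assumes the profiles live in the shared credentials file with the standard aws_access_key_id and aws_session_token keys; the function names and the ASIA key id, secret and token in the sample are constructed.

```shell
# classify_profiles FILE: print "<profile><TAB><kind>" per section, never the secrets.
#   temporary  = section has aws_session_token (session credentials)
#   long-lived = AKIA access key id and no session token (IAM user key)
classify_profiles() {
    awk '
        function value(line) {
            sub(/^[^=]*=[ \t]*/, "", line); sub(/[ \t\r]+$/, "", line)
            return line
        }
        function emit() {
            if (name == "") return
            kind = "other"
            if (token != "") kind = "temporary"
            else if (key ~ /^AKIA/) kind = "long-lived"
            printf "%s\t%s\n", name, kind
        }
        /^[ \t]*\[.*\]/ {
            emit()
            name = $0
            sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            key = ""; token = ""
            next
        }
        /^[ \t]*aws_access_key_id[ \t]*=/ { key = value($0) }
        /^[ \t]*aws_session_token[ \t]*=/ { token = value($0) }
        END { emit() }
    ' "$1"
}

# long_lived_profiles FILE: names of profiles that still hold an IAM user key.
long_lived_profiles() {
    classify_profiles "$1" | awk -F '\t' '$2 == "long-lived" { print $1 }'
}

# Constructed sample: key values are documentation placeholders, not real credentials.
sample_credentials() {
    cat <<'EOF'
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[session-MFADeviceName]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructedSecretPlaceholder
aws_session_token = constructedTokenPlaceholder
EOF
}

tmp=$(mktemp)
sample_credentials > "$tmp"
classify_profiles "$tmp"
rm -f "$tmp"
```

Profiles reported as long-lived are the ones to protect most tightly; day-to-day commands should name the session profile with --profile.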