Login With Broken AWS MFA Device

Oh, Fudge

Your dog just broke your iPhone [1] and the master token for your AWS root account is locked up in the safe at work. Your boss needs an emergency update to your prod infrastructure. How do you log in to your MFA-protected AWS account?

AWS CLI To the Rescue

No worries, you’ve got this covered in 15 seconds.

Look up the ARN of your MFA device in IAM, using the username you use for AWS Console login.

aws iam list-mfa-devices --user-name john_smith

Outputs:

{
    "MFADevices": [
        {
            "UserName": "john_smith",
            "SerialNumber": "arn:aws:iam::1234567890123:mfa/john_smith",
            "EnableDate": "2016-01-01T17:00:00Z"
        }
    ]
}

Then deactivate that device, passing the SerialNumber from the output:

aws iam deactivate-mfa-device --user-name john_smith --serial-number arn:aws:iam::1234567890123:mfa/john_smith

The safe is cracked. Log in. Pretend like this never happened.
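The flip side of the two commands above is that iam:DeactivateMFADevice is exactly the call an attacker with stolen CLI credentials would make, so it is worth knowing what it looks like in CloudTrail. The script below is an added example, not code from the post: it parses the list-mfa-devices JSON shown above to pull out the device ARN, then runs a small detection over constructed CloudTrail records, flagging every DeactivateMFADevice call and any console login without MFA that follows one for the same user within a configurable window. The record shapes (eventSource, eventName, requestParameters.serialNumber, additionalEventData.MFAUsed) follow CloudTrail's documented format; the timestamps and account values are made up.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: the shape of `aws iam list-mfa-devices` output from the post.
LIST_MFA_OUTPUT = """{
    "MFADevices": [
        {
            "UserName": "john_smith",
            "SerialNumber": "arn:aws:iam::1234567890123:mfa/john_smith",
            "EnableDate": "2016-01-01T17:00:00Z"
        }
    ]
}"""


def mfa_serials(list_mfa_json, user_name):
    """Return the SerialNumber ARNs registered for user_name in list-mfa-devices output."""
    data = json.loads(list_mfa_json)
    return [d["SerialNumber"] for d in data.get("MFADevices", [])
            if d.get("UserName") == user_name]


# Constructed CloudTrail records (field layout per CloudTrail's format; values are made up).
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2016-02-01T09:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListMFADevices",
     "userIdentity": {"type": "IAMUser", "userName": "john_smith"},
     "requestParameters": {"userName": "john_smith"}},
    {"eventTime": "2016-02-01T09:00:15Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeactivateMFADevice",
     "userIdentity": {"type": "IAMUser", "userName": "john_smith"},
     "requestParameters": {"userName": "john_smith",
                           "serialNumber": "arn:aws:iam::1234567890123:mfa/john_smith"}},
    {"eventTime": "2016-02-01T09:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "john_smith"},
     "additionalEventData": {"MFAUsed": "No"}},
]


def _ts(s):
    """Parse CloudTrail's UTC timestamp format into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_mfa_deactivations(records):
    """Return (eventTime, actor, targetUser, serialNumber) for every IAM DeactivateMFADevice call."""
    hits = []
    for r in records:
        if r.get("eventSource") == "iam.amazonaws.com" and r.get("eventName") == "DeactivateMFADevice":
            params = r.get("requestParameters") or {}
            hits.append((r["eventTime"],
                         r.get("userIdentity", {}).get("userName", "?"),
                         params.get("userName"),
                         params.get("serialNumber")))
    return hits


def logins_without_mfa_after_deactivation(records, window_minutes=60):
    """Return (eventTime, user) for console logins with MFAUsed=No that occur within
    window_minutes after a DeactivateMFADevice call targeting the same user."""
    window = timedelta(minutes=window_minutes)
    deactivated_at = {}
    for t, _actor, target, _serial in find_mfa_deactivations(records):
        deactivated_at.setdefault(target, []).append(_ts(t))

    hits = []
    for r in records:
        if r.get("eventSource") != "signin.amazonaws.com" or r.get("eventName") != "ConsoleLogin":
            continue
        if (r.get("additionalEventData") or {}).get("MFAUsed") != "No":
            continue
        user = r.get("userIdentity", {}).get("userName")
        login_time = _ts(r["eventTime"])
        # Only logins that land inside the window after a deactivation count.
        if any(timedelta(0) <= (login_time - d) <= window for d in deactivated_at.get(user, [])):
            hits.append((r["eventTime"], user))
    return hits


if __name__ == "__main__":
    print("MFA devices for john_smith:", mfa_serials(LIST_MFA_OUTPUT, "john_smith"))
    for hit in find_mfa_deactivations(CLOUDTRAIL_RECORDS):
        print("DeactivateMFADevice:", hit)
    for hit in logins_without_mfa_after_deactivation(CLOUDTRAIL_RECORDS):
        print("Console login without MFA shortly after deactivation:", hit)
```

In a real account the records would come from the CloudTrail S3 bucket or a Lake query rather than an inline list, and the sensible control is to restrict iam:DeactivateMFADevice to a break-glass role whose use pages someone, so that the legitimate "dog ate my iPhone" case and the credential-theft case both produce an alert that a human looks at.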

You Don’t Have AWS CLI Admin Access

We've got a problem here. Your choices are:


[1] Consider ordering a physical token, inserting it in a mason jar, and burying it in the backyard.