Oh, Fudge
Your dog just broke your iPhone and the master token for your AWS root account is locked up in the safe at work. Your boss needs an emergency update to your prod infrastructure. How do you log in to your MFA-protected AWS account?
AWS CLI To the Rescue
No worries, you’ve got this covered in 15 seconds.
Look up the ARN of your MFA device in IAM, using the username you use for AWS Console login.
aws iam list-mfa-devices --user-name john_smith
Outputs:
{
    "MFADevices": [
        {
            "UserName": "john_smith",
            "SerialNumber": "arn:aws:iam::1234567890123:mfa/john_smith",
            "EnableDate": "2016-01-01T17:00:00Z"
        }
    ]
}
Then deactivate the device, passing the SerialNumber from that output:
aws iam deactivate-mfa-device --user-name john_smith --serial-number arn:aws:iam::1234567890123:mfa/john_smith
The safe is cracked. Log in. Pretend like this never happened.
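AWS records the deactivate call in CloudTrail as a DeactivateMFADevice event, so it stays in the audit trail. The following is an added example, not part of the original post: it scans CloudTrail records for those calls and reports who issued them, against which user, and whether the session was MFA-authenticated. The sample records are constructed and reuse the post's sample user; the `intern` user and the IP addresses are made up for illustration.

```python
import json

# Constructed CloudTrail records (not real logs). Field names follow the
# CloudTrail record format; user and ARN reuse the post's sample values.
SAMPLE = json.loads("""{"Records": [
 {"eventTime": "2016-01-02T09:15:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "ListMFADevices", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "john_smith"},
  "requestParameters": {"userName": "john_smith"}},
 {"eventTime": "2016-01-02T09:15:20Z", "eventSource": "iam.amazonaws.com",
  "eventName": "DeactivateMFADevice", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "john_smith"},
  "requestParameters": {"userName": "john_smith",
   "serialNumber": "arn:aws:iam::1234567890123:mfa/john_smith"}},
 {"eventTime": "2016-01-03T11:00:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "DeactivateMFADevice", "sourceIPAddress": "203.0.113.77",
  "errorCode": "AccessDenied",
  "userIdentity": {"type": "IAMUser", "userName": "intern",
   "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
  "requestParameters": null}
]}""")["Records"]


def find_mfa_deactivations(records):
    """Return one finding per DeactivateMFADevice call, successful or not."""
    findings = []
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) != (
                "iam.amazonaws.com", "DeactivateMFADevice"):
            continue
        ident = rec.get("userIdentity") or {}
        params = rec.get("requestParameters") or {}  # may be null in a record
        attrs = (ident.get("sessionContext") or {}).get("attributes") or {}
        findings.append({
            "time": rec.get("eventTime"),
            "actor": ident.get("userName") or ident.get("arn") or ident.get("type"),
            "target": params.get("userName"),
            "serial": params.get("serialNumber"),
            "source_ip": rec.get("sourceIPAddress"),
            "succeeded": "errorCode" not in rec,
            # A missing sessionContext is treated as "no MFA on this call".
            "mfa_session": attrs.get("mfaAuthenticated") == "true",
        })
    return findings


if __name__ == "__main__":
    for finding in find_mfa_deactivations(SAMPLE):
        print(finding)
```

A successful finding with `mfa_session` set to False is the case this post describes: MFA removed by credentials that were not themselves MFA-gated.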
You Don’t Have AWS CLI Admin Access
We got a problem here. Your choices are:
- Use your root token / ask your sys admin to remove the MFA from your account
- Contact AWS MFA Device Support
- Consider ordering a physical token, inserting in mason jar, and burying in backyard