Assign MFA devices in the AWS CLI or AWS API
You can use AWS CLI commands or AWS API operations to enable a virtual MFA device for an IAM user. You cannot enable an MFA device for the AWS account root user with the AWS CLI, AWS API, Tools for Windows PowerShell, or any other command line tool. However, you can use the AWS Management Console to enable an MFA device for the root user.
When you enable an MFA device from the AWS Management Console, the console performs multiple steps for you. If you instead create a virtual device using the AWS CLI, Tools for Windows PowerShell, or AWS API, then you must perform the steps manually and in the correct order. For example, to create a virtual MFA device, you must create the IAM object and extract the code as either a string or a QR code graphic. Then you must sync the device and associate it with an IAM user. See the Examples section of New-IAMVirtualMFADevice for more details. For a physical device, you skip the creation step and go directly to syncing the device and associating it with the user.
You can attach tags to your IAM resources, including virtual MFA devices, to identify, organize, and control access to them. You can tag virtual MFA devices only when you use the AWS CLI or AWS API.
An IAM user using the SDK or CLI can enable an additional MFA device by calling EnableMFADevice
or deactivate an existing MFA device by calling DeactivateMFADevice
. To do this successfully, they must first call
GetSessionToken
and submit MFA codes with an existing MFA device. This
call returns temporary security credentials that can then be used to sign API operations that
require MFA authentication. For an example request and response, see GetSessionToken
—temporary credentials for users in untrusted
environments.
To create the virtual device entity in IAM to represent a virtual MFA device
These commands provide an ARN for the device that is used in place of a serial number in many of the following commands.
-
AWS CLI:
aws iam create-virtual-mfa-device
-
AWS API:
CreateVirtualMFADevice
To enable an MFA device for use with AWS
These commands synchronize the device with AWS and associate it with a user. If the device is virtual, use the ARN of the virtual device as the serial number.
Important
Submit your request immediately after generating the authentication codes. If you generate the codes and then wait too long to submit the request, the MFA device successfully associates with the user but the MFA device becomes out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time. If this happens, you can resynchronize the device using the commands described below.
-
AWS CLI:
aws iam enable-mfa-device
-
AWS API:
EnableMFADevice
To deactivate a device
Use these commands to disassociate the device from the user and deactivate it. If the device is virtual, use the ARN of the virtual device as the serial number. You must also separately delete the virtual device entity.
-
AWS CLI:
aws iam deactivate-mfa-device
-
AWS API:
DeactivateMFADevice
To list virtual MFA device entities
Use these commands to list virtual MFA device entities.
-
AWS CLI:
aws iam list-virtual-mfa-devices
-
AWS API:
ListVirtualMFADevices
To tag a virtual MFA device
Use these commands to tag a virtual MFA device.
-
AWS CLI:
aws iam tag-mfa-device
-
AWS API:
TagMFADevice
To list tags for a virtual MFA device
Use these commands to list the tags attached to a virtual MFA device.
-
AWS CLI:
aws iam list-mfa-device-tags
-
AWS API:
ListMFADeviceTags
To untag a virtual MFA device
Use these commands to remove tags attached to a virtual MFA device.
-
AWS CLI:
aws iam untag-mfa-device
-
AWS API:
UntagMFADevice
To resynchronize an MFA device
Use these commands if the device is generating codes that are not accepted by AWS. If the device is virtual, use the ARN of the virtual device as the serial number.
-
AWS CLI:
aws iam resync-mfa-device
-
AWS API:
ResyncMFADevice
To delete a virtual MFA device entity in IAM
After the device is disassociated from the user, you can delete the device entity.
-
AWS CLI:
aws iam delete-virtual-mfa-device
-
AWS API:
DeleteVirtualMFADevice
To recover a virtual MFA device that is lost or not working
Sometimes, a user's device that hosts the virtual MFA app is lost, replaced, or not working. When this happens, the user can't recover it on their own. The user must contact an administrator to deactivate the device. For more information, see Recover an MFA protected identity in IAM.