Setting up MFA Using the AWS CLI

Colin J. Ihrig

I occasionally need to setup multi-factor authentication (MFA) for AWS IAM users that have no access to the AWS web console. This happens often enough that I need to lookup the commands each time, but not often enough that I have ever written it down. That changes now.

These commands assume you want to scan a QR code with an authenticator application. First, create a virtual MFA device:

$ aws iam create-virtual-mfa-device --virtual-mfa-device-name your_device_name --outfile qr_code.png --bootstrap-method QRCodePNG

The result will look similar to this. Note the serial number:

    "VirtualMFADevice": {
        "SerialNumber": "arn:aws:iam::012345678901:mfa/your_device_name"

Open the qr_code.png image, which contains a QR code. Scan it with your authenticator app. Once that is configured, enable the MFA device for your user:

$ aws iam enable-mfa-device --user-name your_user_name --serial-number serial_number_from_previous_command --authentication-code1 mfa_code_1 --authentication-code2 mfa_code_2

If successful, there is no output from the previous command. You can verify that the device has been enabled for your account via the following command:

$ aws iam list-mfa-devices

You should see output similar to this:

    "MFADevices": [
            "UserName": "your_user_name",
            "SerialNumber": "arn:aws:iam::012345678901:mfa/your_device_name",
            "EnableDate": "2024-04-15T23:50:05+00:00"