The aws-mfa-credentials package

[Tags:apache, program]

As described in, some IAM policies may require API calls to be authenticated with MFA for additional security. This service tracks the lifetime of the temporary credentials used to authenticate with MFA, prompting the user for a new MFA code as the old credentials are about to expire and updating the AWS credentials file with the new credentials.

[Skip to Readme]


Change log
Dependencies amazonka (>=1.4.5 && <1.5), amazonka-core (>=1.4.5 && <1.5), amazonka-sts (>=1.4.5 && <1.5), base (==4.9.*), exceptions (>=0.8.3 && <0.9), filelock (>=0.1.0 && <0.2), filepath (>=1.4.1 && <1.5), freer-effects (>=0.3.0 && <0.4), ini (>=0.3.5 && <0.4), lens (>=4.15.1 && <4.16), optparse-applicative (>=0.13.1 && <0.14), optparse-text (>=0.1.1 && <0.2), process (>=1.4.3 && <1.5), text (>=1.2.2 && <1.3), time (>=1.6.0 && <1.7), unordered-containers (>=0.2.8 && <0.3) [details]
License Apache-2.0
Copyright Copyright 2017 Takt Inc.
Author Shea Levy
Category Config
Home page
Source repository head: git clone git://
Uploaded Fri May 19 11:27:03 UTC 2017 by shlevy
Distributions NixOS:
Downloads 47 total (8 in the last 30 days)
0 []
Status Docs not available [build log]
Last success reported on 2017-05-19 [all 3 reports]
Hackage Matrix CI


Maintainer's Corner

For package maintainers and hackage trustees

Readme for aws-mfa-credentials

Readme for aws-mfa-credentials-


Keep your AWS credentials file up to date with MFA-carrying temporary credentials


aws-mfa-credentials --mfa-serial-number SERIAL_NUMBER

See Locking protcol for important information about avoiding data loss!

From the API reference for GetSessionToken:

SerialNumber: The identification number of the MFA device that is associated with the IAM user who is making the GetSessionToken call. Specify this value if the IAM user has a policy that requires MFA authentication. The value is either the serial number for a hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). You can find the device for an IAM user by going to the AWS Management Console and viewing the user's security credentials.

Optional flags:

  • --duration DURATION_SECONDS The lifetime of the credentials. Defaults to AWS default (43200 at the time of this writing).
  • --profile PROFILE The name of the profile whose credentials we're managing. Defaults to 'default'.
  • --refresh-lead-time LEAD_SECONDS The amount of time before credential expiry to refresh the credentials. Defaults to 300.

Environment variables:

  • PATH: A program named ssh-askpass, accepting a prompt as an argument and outputting a password to stdout, must be available on the path.
  • HOME: The home directory containing the .aws/credentials file


aws-mfa-credentials will request an MFA code from the user using ssh-askpass, request temporary credentials from Amazon, and update the credentials file with the temporary credentials.

The new credentials are placed into a profile named PROFILE-mfa, e.g. when the --profile flag is not given they are placed in default-mfa. Use the AWS_PROFILE environment variable or other profile-specifying mechanisms to use the credentials.

aws-mfa-credentials exits on any error, you may want to run it in a retry loop (with backoff).

Locking protocol

To allow safe usage of multiple instances of aws-mfa-credentials in parallel, a locking protocol is used for the credentials file: An exclusive fcntl lock is held on the file $HOME/.aws/.credentials.lock when writing (and thus data read before the lock is obtained must be rechecked within the lock).

Unfortunately, the AWS cli and other tools do not respect this protocol. Therefore, if you are modifying the credentials file in any way besides aws-mfa-credentials, you should either stop any existing instances of aws-mfa-credentials or obtain the lock yourself. Credential loss may occur if this is not followed!