Why AWS CLI-Style Profiles Matter for MFA

I typed the wrong command and locked myself out.

Not from my laptop. From AWS.
The culprit: a missing AWS CLI profile with working MFA.

If you use AWS CLI and jump between accounts, you already know the pain. Switching profiles is fast until security policies add Multi-Factor Authentication (MFA) to every role assumption. Then the dance begins: refresh tokens, dig up serial numbers, type OTP codes again and again.

The fix is not magic. It’s configuring AWS CLI-style profiles so MFA is baked into them. Once done, you stop juggling credentials. You switch profiles, enter MFA when needed, and keep working.


Why AWS CLI-Style Profiles Matter for MFA

An AWS CLI profile is a named set of AWS credentials and settings stored in the ~/.aws/config and ~/.aws/credentials files. By defining profiles with source_profile, mfa_serial, and role_arn, you can chain role assumptions without breaking your security posture. MFA becomes part of the profile, not a bolt-on process.

When you run aws sts get-caller-identity --profile mysecureprofile, the CLI prompts for your MFA code only when required. No manual credential refresh. No extra shell scripts.


Setting Up AWS CLI Profiles with MFA

Edit ~/.aws/config and create a base profile holding your long-lived IAM user credentials (these two keys can equally live in ~/.aws/credentials, where the section is written [base-user] without the profile prefix):

[profile base-user]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY
region = us-east-1

Add a role profile that references this base and includes MFA settings:

[profile admin-role]
source_profile = base-user
role_arn = arn:aws:iam::123456789012:role/Admin
mfa_serial = arn:aws:iam::123456789012:mfa/you@example.com
region = us-east-1

When assuming the role, the CLI will prompt for your MFA code:

aws s3 ls --profile admin-role

The resulting session credentials are cached by the AWS CLI. By default the session lasts one hour; you can set a longer duration_seconds in the role profile if the role's maximum session duration allows it.
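As an added example (not part of the original post), the check below lints a config in the format shown above and flags role profiles that skip source_profile or mfa_serial; it uses only the standard library, and the config text it reads is constructed for the demonstration.

```python
import configparser
import re

# Constructed sample config: one compliant role profile, one that skips
# mfa_serial, and one chained to a source profile that does not exist.
SAMPLE_CONFIG = """
[profile base-user]
aws_access_key_id = AKIAEXAMPLEEXAMPLE
aws_secret_access_key = EXAMPLESECRET

[profile admin-role]
source_profile = base-user
role_arn = arn:aws:iam::123456789012:role/Admin
mfa_serial = arn:aws:iam::123456789012:mfa/you@example.com

[profile no-mfa-role]
source_profile = base-user
role_arn = arn:aws:iam::123456789012:role/ReadOnly

[profile orphan-role]
source_profile = missing-user
role_arn = arn:aws:iam::123456789012:role/Audit
mfa_serial = arn:aws:iam::123456789012:mfa/you@example.com
"""

# An MFA device ARN: 12-digit account id, then mfa/<device name>.
MFA_SERIAL_RE = re.compile(r"^arn:aws:iam::\d{12}:mfa/.+$")


def lint_config(text):
    """Return (profile, problem) pairs for role profiles in a config."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    # ~/.aws/config names sections "profile <name>"; drop the prefix.
    profiles = {(s[8:] if s.startswith("profile ") else s): dict(cfg[s])
                for s in cfg.sections()}
    findings = []
    for name, opts in profiles.items():
        if "role_arn" not in opts:
            continue  # plain credential profiles are not checked here
        src = opts.get("source_profile")
        if src is None:
            findings.append((name, "role profile has no source_profile"))
        elif src not in profiles:
            findings.append((name, f"source_profile '{src}' is not defined"))
        serial = opts.get("mfa_serial")
        if serial is None:
            findings.append((name, "role is assumed without mfa_serial"))
        elif not MFA_SERIAL_RE.match(serial):
            findings.append((name, "mfa_serial is not an MFA device ARN"))
    return findings
```

Point it at the text of your own ~/.aws/config to confirm every role profile you rely on actually enforces MFA before you trust the workflow.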


Advanced Tips for MFA and AWS CLI Profiles

  • Use aws sso or aws sts with MFA for centralized auth across multiple AWS accounts.
  • Combine profiles with the AWS_PROFILE environment variable for quick switching in scripts.
  • Use credential_process in config to automate token retrieval from secure stores or identity providers.

The Secure Workflow You Control

With MFA embedded in AWS CLI-style profiles, switching accounts is seamless and secure. You don’t paste temporary keys into files or shell variables by hand. The CLI requests them, tied to your MFA device, and manages the cached session for you. It’s faster to set this up once than to keep fighting with expired tokens for the rest of the week.

Great security doesn’t have to be annoying. You can try this streamlined MFA profile setup in minutes with tools that make AWS authentication easier. See it live with hoop.dev and start using secure AWS workflows without the usual friction.