broamski / aws-mfa

Manage AWS MFA Security Credentials
MIT License

ERROR - Token must be six digits #36

Open spanktar opened 6 years ago

spanktar commented 6 years ago

I am receiving the error message: ERROR - Token must be six digits

when using the command:

aws-mfa --duration 60 --profile default
INFO - Validating credentials for profile: default
INFO - Your credentials have expired, renewing.
Enter AWS MFA code for device [arn:aws:iam::1234567890:mfa/tom] (renewing for 60 seconds):123456
INFO - Fetching Credentials - Profile: default, Duration: 60
ERROR - Token must be six digits

Since clearly my MFA token is 6 digits, and since this had worked for me before, I got suspicious and started to change the duration value:

aws-mfa --duration 100 --profile default
ERROR - Token must be six digits
aws-mfa --duration 1000 --profile default
INFO - Success! Your credentials will expire in 1000 seconds at: 2018-10-15 17:13:02+00:00

So it appears the duration value being less than 4 digits is causing this error. I'll try to look at the code and submit a PR with a fix.

albertofem commented 5 years ago

Actually, the issue is that DurationSeconds in STS must be greater than or equal to 900:

The duration, in seconds, that the credentials should remain valid. Acceptable durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions for AWS account owners are restricted to a maximum of 3,600 seconds (one hour). If the duration is longer than one hour, the session for AWS account owners defaults to one hour.

Source: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html

Rerunning this command with 900 should work. aws-mfa should surface this error properly.
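
An added example, not part of the thread or of the aws-mfa code base: a pre-flight check that validates the MFA token and the duration separately against the limits quoted above, so an out-of-range --duration is not reported as a token problem. The function name, the `account_owner` flag and every message other than "Token must be six digits" are assumptions.

```python
import re

# Limits quoted above from the STS GetSessionToken documentation.
MIN_DURATION = 900          # 15 minutes
MAX_DURATION = 129_600      # 36 hours
OWNER_MAX_DURATION = 3_600  # account owner sessions are capped at one hour

# ASCII digits only; fullmatch() rejects padding and non-ASCII digit characters.
TOKEN_RE = re.compile(r"[0-9]{6}")


def check_session_request(token, duration, account_owner=False):
    """Return (errors, effective_duration) for a GetSessionToken request.

    Hypothetical helper: each input is checked on its own, so a bad
    duration is never reported as a bad token.
    """
    errors = []
    if not isinstance(token, str) or not TOKEN_RE.fullmatch(token):
        errors.append("Token must be six digits")
    if isinstance(duration, bool) or not isinstance(duration, int):
        errors.append("Duration must be a whole number of seconds")
        return errors, None
    if not MIN_DURATION <= duration <= MAX_DURATION:
        errors.append(
            f"Duration must be between {MIN_DURATION} and {MAX_DURATION} "
            f"seconds, got {duration}"
        )
        return errors, None
    # Per the quoted documentation, account owner sessions longer than one
    # hour default to one hour rather than failing.
    effective = min(duration, OWNER_MAX_DURATION) if account_owner else duration
    return errors, effective


if __name__ == "__main__":
    # Constructed inputs: the durations 60 and 1000 appear in this thread,
    # the empty token is a constructed case.
    for token, duration in [("123456", 60), ("123456", 1000), ("", 4600)]:
        errors, effective = check_session_request(token, duration)
        print(repr(token), duration, "->", errors or f"ok ({effective}s)")
```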

npearson72 commented 5 years ago

I'm getting the same error with a greater duration:

INFO - Validating credentials for profile: default
WARNING - Your existing credentials are missing or invalid, obtaining new credentials.
Enter AWS MFA code for device [<my mfa device>] (renewing for 4600 seconds):
INFO - Fetching Credentials - Profile: default, Duration: 4600
ERROR - Token must be six digits

My ~/.aws/credentials looks like:

[default-long-term]
aws_access_key_id = <my aws access key id>
aws_secret_access_key = <my aws secret access key>

[default]
aws_access_key_id = <my aws access key id>
aws_secret_access_key = <my aws secret access key>

arealmaas commented 3 years ago

@npearson72 Did you find a solution for this?