---
title: "MFA to Access Wasabi Using AWS CLI"
slug: "how-do-i-use-mfa-to-authenticate-access-to-wasabi-using-aws-cli"
updated: 2026-05-28T15:47:36Z
published: 2026-05-28T15:47:36Z
---


# MFA to Access Wasabi Using AWS CLI

It is best practice to protect your account and its resources by using a [multi-factor authentication (MFA) device](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html). If you plan to interact with your resources using the AWS CLI when using an MFA device, you must create a temporary session. The steps below outline how to achieve this for any user.

## Authenticating Access to Wasabi Using the AWS CLI

In this example, we create a user called "mfa-demo" and grant them Programmatic and Console access. Console access is optional; omit it if it is not a requirement. Download the credentials file once the user is created and store it in a secure location, as we will use these credentials later to configure the AWS CLI.

1. Log in to the **Wasabi Management Console** [https://console.wasabisys.com/login](https://console.wasabisys.com/login) and create a **user**. ![Screen_Shot_2020-10-17_at_10.45.13_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/screen_shot_2020-10-17_at_10.png)
2. Create an **IAM policy** that will force the user to authenticate with MFA for any action.
3. On the Wasabi menu, click **Policies**. Create a policy based on the user’s requirements. In this example, we are creating a policy called "policy-for-demo-user". ![Screen_Shot_2020-10-17_at_10.57.01_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/screen_shot_2020-10-17_at_10(1).png)

Actual Policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

**NOTE**: With this policy, actions on any resource are allowed only when the request is authorized through MFA, whether it is made programmatically or through the console.
4. Once the user and policy are created, navigate to that user and attach the newly created policy to them. ![Screen_Shot_2020-10-17_at_10.59.44_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/screen_shot_2020-10-17_at_10(2).png)
5. If not already installed on your system, install the latest version of the [AWS CLI](https://docs.wasabi.com/docs/how-do-i-use-aws-cli-with-wasabi).
6. Use the credentials file that you downloaded while creating the user in Step 1. Execute the command below to configure a profile for the MFA user, replacing the placeholder with a profile name of your choice. Be sure to use your own Access Key ID and Secret Access Key.

```bash
$ aws configure --profile <profile-name>
```

![Screen_Shot_2020-10-17_at_11.09.00_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/screen_shot_2020-10-17_at_11.png)
7. In the Console, navigate to your MFA-created user and activate **virtual MFA** using any of these [tested applications](https://docs.wasabi.com/docs/which-virtual-mfa-applications-have-been-tested-with-wasabi). ![Screen_Shot_2020-10-17_at_11.19.52_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/screen_shot_2020-10-17_at_11(1).png)
8. Once the MFA is activated for your user, copy the **ARN** of this user and store it in a secure location. ![Screen_Shot_2020-10-17_at_11.20.42_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/screen_shot_2020-10-17_at_11(2).png)
9. On the CLI, run the [sts get-session-token](https://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html) command. Replace the variables with information from your account, resources, and MFA device.

```bash
$ aws sts get-session-token --serial-number <arn-from-step-8> --token-code <code-from-mfa-app> --profile <profile-name> --endpoint-url=https://sts.wasabisys.com
```

You will receive an output with temporary credentials and an expiration time (default: 12 hours), similar to the following.

```json
{
  "Credentials": {
    "SecretAccessKey": "secret-access-key",
    "SessionToken": "temporary-session-token",
    "Expiration": "expiration-date-time",
    "AccessKeyId": "access-key-id"
  }
}
```

![Screen_Shot_2020-10-17_at_11.30.32_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/screen_shot_2020-10-17_at_11(3).png)

You can specify an expiration duration (in seconds) using the **--duration-seconds** option in the **sts get-session-token** command, where the value can range from 900 seconds (15 minutes) to 129600 seconds (36 hours). If you are using root user credentials, the range is from 900 seconds (15 minutes) to 3600 seconds (1 hour).
10. Edit the **credentials file** in the .aws folder in the user’s home directory to [add a new profile configuration](https://docs.aws.amazon.com/cli/latest/topic/config-vars.html) for issuing MFA-authenticated commands. Below is an example profile configuration.

In this example, we are configuring a profile name as "mfa-demo-temporary".

```ini
[mfa-demo-temporary]
aws_access_key_id = example-access-key-as-in-returned-output
aws_secret_access_key = example-secret-access-key-as-in-returned-output
aws_session_token = example-session-Token-as-in-returned-output
```

![Screen_Shot_2020-10-17_at_11.49.20_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/screen_shot_2020-10-17_at_11(4).png)
11. After the credentials expire, execute the **get-session-token** command again and export the returned values either to the environment variables or to the profile configuration.

**NOTE**: Consider running a script or a cron job in the background that checks the "Expiration" value in the output of the get-session-token command and prompts for re-authentication.
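One way to script steps 9 to 11 and the expiration check suggested in the note, as an added example (not Wasabi's own code). The function names, the 10-minute refresh margin and the `SAMPLE` output are assumptions made for illustration; `fetch_session` needs the AWS CLI installed and is not called by the offline demo.

```python
import configparser
import json
import os
import subprocess
from datetime import datetime, timedelta, timezone

STS_ENDPOINT = "https://sts.wasabisys.com"  # endpoint from the command on this page

# Constructed sample of get-session-token output (placeholder values, not real keys).
SAMPLE = """{"Credentials": {"AccessKeyId": "constructed-access-key-id",
 "SecretAccessKey": "constructed-secret-access-key",
 "SessionToken": "constructed-session-token",
 "Expiration": "2030-01-01T12:00:00Z"}}"""

def fetch_session(base_profile, serial_number, token_code):
    """Run the get-session-token command from step 9 and return its JSON text."""
    cmd = ["aws", "sts", "get-session-token", "--serial-number", serial_number,
           "--token-code", token_code, "--profile", base_profile,
           "--endpoint-url", STS_ENDPOINT, "--output", "json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def parse_session(raw):
    """Return the Credentials dict with Expiration as a timezone-aware datetime."""
    creds = dict(json.loads(raw)["Credentials"])
    # A trailing "Z" is rejected by fromisoformat() before Python 3.11; normalize it.
    creds["Expiration"] = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    return creds

def needs_refresh(creds, now=None, margin=timedelta(minutes=10)):
    """True when the session has expired or will within `margin` (assumed default)."""
    now = now or datetime.now(timezone.utc)
    return creds["Expiration"] - now <= margin

def write_profile(path, profile, creds):
    """Write the temporary keys into one profile, leaving other profiles in place."""
    cfg = configparser.ConfigParser(interpolation=None)  # never interpolate '%' in values
    cfg.read(path)
    cfg[profile] = {"aws_access_key_id": creds["AccessKeyId"],
                    "aws_secret_access_key": creds["SecretAccessKey"],
                    "aws_session_token": creds["SessionToken"]}
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)  # also tighten a file that already existed

if __name__ == "__main__":
    session = parse_session(SAMPLE)
    print("re-authenticate now" if needs_refresh(session) else
          f"session valid until {session['Expiration'].isoformat()}")
```

Rewriting the credentials file through `configparser` drops any comments it contained, so keep the long-term profile backed up before pointing `write_profile` at the real file.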

To show how this authentication works, we uploaded an object to a Wasabi bucket first with the regular credentials and then with the temporary STS credentials. Even though this user has complete permission to perform any S3 action, the request made with the regular credentials is denied due to the forced MFA policy. The operation is only successful when the temporary STS credentials, which are governed by MFA, are used. ![Screen_Shot_2020-10-18_at_12.00.21_AM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/screen_shot_2020-10-18_at_12.png)

**NOTE:** This code example discusses the use of Wasabi's us-east-2 storage region. To use other Wasabi storage regions, use the appropriate Wasabi service URL as described in [Service URLs for Wasabi's Storage Regions](https://docs.wasabi.com/docs/what-are-the-service-urls-for-wasabis-different-storage-regions).

## Appendix

If you do not wish to use named profiles as demonstrated above, you may also use temporary credentials with environment variables.

To use temporary credentials, export their values to environment variables using the following commands.

Linux:

```bash
export AWS_ACCESS_KEY_ID=example-access-key-as-in-previous-output
export AWS_SECRET_ACCESS_KEY=example-secret-access-key-as-in-previous-output
export AWS_SESSION_TOKEN=example-session-token-as-in-previous-output
```

Windows:

```bat
set AWS_ACCESS_KEY_ID=example-access-key-as-in-previous-output
set AWS_SECRET_ACCESS_KEY=example-secret-access-key-as-in-previous-output
set AWS_SESSION_TOKEN=example-session-Token-as-in-previous-output
```

If you set the environment variables, be sure to unset them before making the [get-session-token](https://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html) call again using these commands.

```bash
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN
```

If you prefer this approach, you will not need to specify the `--profile` argument in your commands.
