🎉 We are launching a new weekly show: Hot off the Cloud

🎉 We are launching a new weekly show

Avoid the 60 minutes timeout when using the AWS CLI with IAM roles

Michael Wittig – 27 Aug 2019

You can configure the AWS CLI to assume an IAM role for you in combination with MFA. If you are a power user of the CLI, you will realize that you have to enter your MFA token every 60 minutes, which is annoying.

Avoid the 60 minute timeout when using the AWS CLI with IAM roles

You will learn how to fix that in the following.

AWS account setup

Let’s assume we have three AWS accounts.

Account id Alias Description
000000000000 iam Only IAM users are created in this account
111111111111 dev Development workloads
222222222222 prod Production workloads

Besides that:

  1. In the iam account, an IAM user named michael is created. MFA is enabled, and an access key is generated.
  2. In the dev and prod accounts, the following IAM role is created (CloudFormation template):
AWSTemplateFormatVersion: '2010-09-09'
Type: 'AWS::IAM::Role'
Version: '2012-10-17'
- Effect: Allow
AWS: 'arn:aws:iam::000000000000:root' # replace this with your iam account id
Action: 'sts:AssumeRole'
'aws:MultiFactorAuthPresent': true
- 'arn:aws:iam::aws:policy/AdministratorAccess'
MaxSessionDuration: 43200 # 12 hours in seconds
RoleName: Admin

Ensure that you set the MaxSessionDuration property! The default is 60 minutes.

Configuring the AWS CLI

The AWS CLI stores the configuration in ~/.aws/credentials (or %UserProfile%\.aws\credentials if you are using Windows).

First of all, configure the access key from the michael IAM user using the aws_access_key_id and aws_secret_access_key configuration values. The value between the square brackets is called the profile name.

Looking for a new challenge?

  • tecRacer

    Cloud Consultant • AWS Migrations

    tecRacer • Premier AWS Consulting Partner • Germany, Austria, Portugal, and Switzerland
    Assessment Transformation Change Management

    Senior Lead Full Stack Developer

    DEMICON • AWS Advanced Consulting Partner • Remote
    AWS JavaScript/TypeScript Angular React

aws_access_key_id = AKIA****************
aws_secret_access_key = ****************************************

After that, configure the IAM roles you want to assume. The following configuration values are used:

Configuration value Description
role_arn ARN of the role you want to assume
source_profile Reference the profile of the IAM user
mfa_serial ARN of the virtual MFA device or the serial number for a hardware device
duration_seconds The expiry of the credentials returned by the assume role call

Ensure that you set the duration_seconds property! The default is 60 minutes.

Add the following profiles to the credentials file.

role_arn = arn:aws:iam::111111111111:role/Admin
source_profile = iam
mfa_serial = arn:aws:iam::000000000000:mfa/michael
duration_seconds = 43200

role_arn = arn:aws:iam::222222222222:role/Admin
source_profile = iam
mfa_serial = arn:aws:iam::000000000000:mfa/michael
duration_seconds = 43200

Using the profiles

The --profile parameter lets you specify the profile you want to use when working with the CLI.

aws --profile dev s3 ls
aws --profile prod s3 ls

The AWS CLI will ask you for your MFA token the first time you make a call.

You can also set the AWS_PROFILE environment variable to avoid typing --profile ... all the time.

export AWS_PROFILE=dev
aws s3 ls


To avoid frequent re-enter of the MFA token when using the AWS CLI, you have to adjust the MaxSessionDuration of the IAM role and the duration_seconds configuration value of the AWS CLI.

Become a cloudonaut supporter

Michael Wittig

Michael Wittig ( Email, Twitter, or LinkedIn )

We launched the cloudonaut blog in 2015. Since then, we have published 360 articles, 49 podcast episodes, and 48 videos. It's all free and means a lot of work in our spare time. We enjoy sharing our AWS knowledge with you.

Please support us

Have you learned something new by reading, listening, or watching our content? With your help, we can spend enough time to keep publishing great content in the future. Learn more

Amount must be a multriply of 5. E.g, 5, 10, 15.

Thanks to Alan Leech, Alex DeBrie, ANTHONY RAITI, Christopher Hipwell, Jaap-Jan Frans, Jason Yorty, Jeff Finley, Jens Gehring, jhoadley, Johannes Grumböck, Johannes Konings, John Culkin, Jonas Mellquist, Juraj Martinka, Kamil Oboril, Ken Snyder, Markus Ellers, Ross Mohan, Ross Mohan, sam onaga, Satyendra Sharma, Shawn Tolidano, Simon Devlin, Thorsten Hoeger, Todd Valentine, Victor Grenu, and all anonymous supporters for your help! We also want to thank all supporters who purchased a cloudonaut t-shirt.