Problem with AWS MFA setup

Tags: ACG

We have recently had a number of students report problems with setting up the AWS MFA on Google Authenticator.

The problem

Some students have reported that when they first try to set up the MFA as part of the course that when they enter the verification code generated by google authenticator and click on submit, they receive an error message.

"You need permissions You do not have the permission required to perform this operation. Ask your administrator to add permissions. Learn more Authentication code for device is not valid."

Possible causes and solutions

It is unclear exactly what the problem is, however it does seem to be a bug between AWS and a number of the Virtual MFA services (Google & Microsoft). It is not student error!

  1. Many of these systems are asynchronous, and so timing can be a possible cause. Some students have found that by either leaving it for 15 minutes, or logging out of AWS and back in that the problem goes away. Not very scientific, but if it is a timing issue this could be a work around. The recommendation if you cannot get the MFA to setup for the Root account is as follows:
    1. Proceed with the lab (without doing the MFA for the Root account) and set up your IAM 'administrator' Users (also without and MFA).
    2. Log out of the AWS console and have a cup of tea or coffee (15 minutes).
    3. Log back in using the root account and setup the MFA for the Root account.
    4. Log out and log in again using the IAM 'Admin' User and setup the MFA for that account.
  2. Another student felt that the problem was with the QR code and used the provided secret Key instead (external site, opens in new tab), and was able to get the setup to work.
  3. A common cause of problems (but probably not this one) is failing to provide two consecutive codes.  They must be consecutive codes and so timing is critical.

While none of these have proven to be 100% the cause and treatment it does seem to have allowed students to move forward.

See also our article on Planning for MFA problems.

back to top

If you need help, please contact Pluralsight Support.