Authenticate to AWS using STS temporary credentials with MFA. Load this skill BEFORE any task that requires AWS API access (deploy, S3 operations, Lambda invocations, CloudFormation, CDK, Terraform, or any aws CLI / SDK call). Triggers on any AWS operation that needs valid credentials.
Ensure valid AWS credentials exist before performing any AWS operation.
Load this skill before any task that will call AWS APIs, including:
- aws CLI commands (s3, lambda, cloudformation, etc.)

The script is installed at $HOME/.local/bin/sts-auth. Since ~/.local/bin may not be on $PATH in non-login shells, always use the full path:

```bash
STS_AUTH="$HOME/.local/bin/sts-auth"
```
Credential layout:

- [sts-longterm] profile in ~/.aws/credentials holds the permanent static IAM keys (never overwritten).
- [default] profile gets temporary STS session credentials (12h lifetime).
- The script uses --profile sts-longterm, so it works even when [default] has expired session tokens.
- sts-auth auto-initializes by copying the current [default] static keys to [sts-longterm].

Before any AWS operation, check the current session:

```bash
$STS_AUTH --check
```
If credentials are expired, you MUST ask the user for their 6-digit MFA code. Use this exact phrasing:
Your AWS session has expired. Please open your authenticator app and provide the 6-digit MFA code for your AWS account.
CRITICAL: Do NOT proceed without the code. Do NOT guess. Do NOT skip. Wait for the user to provide it.
Once the user provides the code (e.g., 123456):
```bash
$STS_AUTH 123456
```
After successful auth, confirm with:
```bash
$STS_AUTH --status
```
This shows the remaining session lifetime and the authenticated identity. Report this to the user briefly before proceeding with the original task.
| Error | Cause | Action |
|---|---|---|
| ExpiredTokenException | MFA code too old (>30s) | Ask user for a fresh code |
| AccessDenied | Wrong code or wrong MFA device | Ask user to double-check and retry |
| No MFA device found | MFA not enabled on account | Tell user to enable MFA in AWS Console |
| jq: command not found | jq not installed | Run sudo apt install jq |
| No [sts-longterm] profile | First run | Script auto-inits; if that fails, tell user to run $STS_AUTH --init manually |
Notes:

- Session lifetime: 12h (STS_AUTH_DURATION env var).
- The --check command detects an expired session automatically.
- Run $STS_AUTH --check before any AWS operation.
- If --check returns 0, do NOT re-authenticate. Use the existing session.
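As an added example (not part of this skill or the sts-auth script), the following shell wrapper implements the check / ask / authenticate / status flow above and maps the error table to a single action token, so an agent only re-authenticates when --check fails and never forwards a malformed code. It assumes sts-auth accepts exactly the --check, --status and <code> arguments documented here; the STS_AUTH override and the action token names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not part of the skill or the sts-auth script itself).
# Assumes sts-auth exposes exactly the --check, --status and <code>
# interface described above; STS_AUTH can be overridden for testing.
STS_AUTH="${STS_AUTH:-$HOME/.local/bin/sts-auth}"

# A TOTP code is exactly six ASCII digits. Reject anything else locally so a
# pasted space or a five-digit typo never reaches STS as a failed attempt.
validate_mfa_code() {
  case "$1" in
    [0123456789][0123456789][0123456789][0123456789][0123456789][0123456789]) return 0 ;;
    *) return 1 ;;
  esac
}

# Map sts-auth / aws error output to the action column of the table above.
classify_sts_error() {
  case "$1" in
    *ExpiredTokenException*)   echo "fresh-code" ;;
    *AccessDenied*)            echo "recheck-code" ;;
    *"No MFA device"*)         echo "enable-mfa" ;;
    *"jq: command not found"*) echo "install-jq" ;;
    *sts-longterm*)            echo "init" ;;
    *)                         echo "unknown" ;;
  esac
}

# Reuse the session when --check succeeds; otherwise authenticate with the
# supplied code. Prints one token on stdout so a caller can branch on it:
# session-valid | need-code | authenticated | <error action>.
ensure_aws_session() {
  code="$1"
  if "$STS_AUTH" --check >/dev/null 2>&1; then
    echo "session-valid"
    return 0
  fi
  if ! validate_mfa_code "$code"; then
    echo "need-code"          # caller must ask the user for a fresh code
    return 1
  fi
  if out=$("$STS_AUTH" "$code" 2>&1); then
    "$STS_AUTH" --status >&2  # remaining lifetime and identity, for the user
    echo "authenticated"
    return 0
  fi
  classify_sts_error "$out"
  return 1
}
```

Source the file and call ensure_aws_session with no argument first; only when it prints need-code should the user be asked for a code, which is then passed as the single argument.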