Fix MFA device filtering

README.md

@@ -77,4 +77,4 @@ This project is licensed under the MIT License - see the [LICENSE](LICENSE) file
 
 ## Acknowledgments
 
-This script automates the process described in the AWS Knowledge Center article [How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI?](https://repost.aws/knowledge-center/authenticate-mfa-cli). It aims to simplify the steps outlined in the official documentation for a more streamlined user experience.
+This script automates the process described in the AWS Knowledge Center article [How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI?](https://repost.aws/knowledge-center/authenticate-mfa-cli). It aims to simplify the steps outlined in the official documentation for a more streamlined user experience.

aws-mfa-auth.ps1

@@ -26,8 +26,10 @@ $aws_profile = Read-Input -prompt "Enter your AWS profile name (Default: default
 Write-Host "Fetching MFA devices..."
 $mfa_devices = aws iam list-mfa-devices --profile $aws_profile --output json | ConvertFrom-Json
 
-# Filter out U2F devices
-$mfa_devices = $mfa_devices.MFADevices | Where-Object { $_.SerialNumber -match "^arn:aws:iam::\d+:mfa/" }
+# Filter out U2F devices by ensuring the ARN only contains a single segment after
+# "mfa/". U2F devices include additional path segments that prevent CLI MFA
+# authentication.
+$mfa_devices = $mfa_devices.MFADevices | Where-Object { $_.SerialNumber -match "^arn:aws:iam::\d+:mfa/[A-Za-z0-9+=,.@_-]+$" }
 $mfa_count = $mfa_devices.Count
 
 if ($mfa_count -eq 0) {
@@ -78,4 +80,4 @@ Write-Host "To use these credentials:"
 Write-Host "* For specific commands: aws s3 ls --profile $new_profile"
 Write-Host "* For this session: `$env:AWS_PROFILE = '$new_profile'"
 Write-Host ""
-Write-Host "Remember to renew your credentials before they expire."
+Write-Host "Remember to renew your credentials before they expire."

aws-mfa-auth.sh

@@ -22,8 +22,10 @@ prompt_input "Enter your AWS profile name (Default: default): " aws_profile "def
 echo "Fetching MFA devices..."
 mfa_devices=$(aws iam list-mfa-devices --profile "$aws_profile" --output json)
 
-# Filter out U2F devices
-mfa_devices=$(echo "$mfa_devices" | jq '.MFADevices | map(select(.SerialNumber | test("^arn:aws:iam::[0-9]+:mfa/")))')
+# Filter out U2F devices by ensuring the ARN only contains a single path segment
+# after "mfa/" (e.g. arn:aws:iam::123456789012:mfa/username). U2F devices include
+# additional segments which cause AWS CLI authentication to fail.
+mfa_devices=$(echo "$mfa_devices" | jq '.MFADevices | map(select(.SerialNumber | test("^arn:aws:iam::[0-9]+:mfa/[A-Za-z0-9+=,.@_-]+$")))')
 mfa_count=$(echo "$mfa_devices" | jq 'length')
 
 if [ "$mfa_count" -eq 0 ]; then
@@ -70,4 +72,4 @@ echo "To use these credentials:"
 echo "1. For specific commands: aws s3 ls --profile $new_profile"
 echo "2. For this session: export AWS_PROFILE=$new_profile"
 echo
-echo "Remember to renew your credentials before they expire."
+echo "Remember to renew your credentials before they expire."