We have recently had a number of students report problems with setting up the AWS MFA on Google Authenticator.
Some students have reported that when they 1st try to set up the MFA as part of the course that when they enter the verification code generated by google authenticator and click on submit, they recieve and error message.
" You need permissions You do not have the permission required to perform this operation. Ask your administrator to add permissions. Learn more Authentication code for device is not valid."
I have never been able to recreate the problem myself, so I suspect that it is intermittent as opposed to being systemic.
Possible causes & solutions
It is unclear exactly what the problem is, however it does seem to be a bug between AWS and a number of the Virtual MFA services (Google & Microsoft). It is not student error !
1- Many of these systems are asynchronous, and so timing can be a possible cause. Some students have found that by either leaving it for 15 minutes, or logging out of AWS and back in that the problem goes away. Not very scientific, but if it is a timing issue this could be a work around.
My recommendation if you cannot get the MFA to setup for the Root account is as follows:
A- Proceed with the lab (without doing the MFA for the Root account) and set up your IAM 'administrator' Users (also without and MFA).
B- Log out of the AWS console and have a cup of tea or coffee (15 minutes).
C- Log back in using the root account and setup the MFA for the Root account.
D- Log out and log in again using the IAM 'Admin' User and setup the MFA for that account.
2- Another student felt that the problem was with the QR code and used the provided secret Key instead, and was able to get the setup to work.
3- A common cause of problems (but probably not this one) is failing to provide two consecutive codes. They must be consecutive codes and so timing is critical.
While none of these have proven to be 100% the cause and treatment it does seem to have allowed students to move forward.