Access denied when using aws cli but allowed in web console

I had this same issue and I fixed it by adding my user to a new group with administrator access in IAM.

to do this go to IAM, Users, click on your user and then [add permissions] in the next screen click [Create group] and then pick administrator access

It turns out following statement in one of my policies blocked CLI access due to lacking MFA.

{
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      },
      "Resource": "*",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Sid": "DenyAllExceptListedIfNoMFA"
},

If you replace BoolIfExists with Bool, it should work. Your CLI requests would not be denied because of not using MFA.

Opposite of https://aws.amazon.com/premiumsupport/knowledge-center/mfa-iam-user-aws-cli/