diff --git a/contrib/scripts/aws-iam-create-yubikey-mfa.sh b/contrib/scripts/aws-iam-create-yubikey-mfa.sh
index 1b5770f6d..58d70c81c 100755
--- a/contrib/scripts/aws-iam-create-yubikey-mfa.sh
+++ b/contrib/scripts/aws-iam-create-yubikey-mfa.sh
@@ -17,7 +17,9 @@ cleanup()
 trap cleanup EXIT
 
 ACCOUNT_ARN=$(aws sts get-caller-identity --query Arn --output text)
-USERNAME=$(echo "$ACCOUNT_ARN" | cut -d/ -f2)
+# Assume that the final portion of the ARN is the username
+# Works for ARNs like `users/<user>` and `users/engineers/<user>`
+USERNAME=$(echo "$ACCOUNT_ARN" | rev | cut -d/ -f1 | rev)
 
 OUTFILE=$(mktemp)
 SERIAL_NUMBER=$(aws iam create-virtual-mfa-device \