Not a shortcoming of aws-mfa (which is really useful, thank you), but I've seen many people in my group fall foul of having AWS_ tokens already present in their env, using aws-mfa, and wondering why the CLI doesn't work.
This spits out a warning (on auth, or on the 'still-valid' message) to those users who have overriding env vars set in their shell.
```
INFO - Validating credentials for profile: derp
INFO - Your credentials have expired, renewing.
Enter AWS MFA code for device [arn:aws:iam::123456789:mfa/herp.derp] (renewing for 43200 seconds):605957
INFO - Fetching Credentials - Profile: derp, Duration: 43200
INFO - Success! Your credentials will expire in 43200 seconds at: 2019-07-02 03:06:05+00:00
WARNING - Your env already has AWS access keys set ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY'], which will take precedence in the AWS CLI/SDK over the credentials created by this utility. Consider `unset`-ting them if you have issues.
```
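The check described above, sketched as an added example (not the code from this pull request or from aws-mfa). The function names, the inclusion of `AWS_SESSION_TOKEN`, and treating empty values as unset are assumptions; the sample environment is constructed.

```python
import os

# Credential variables that can shadow the profile written by aws-mfa.
# AWS_SESSION_TOKEN is included here as an assumption; the warning shown
# above lists only the first two.
CREDENTIAL_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")


def overriding_vars(environ=None):
    """Return the credential variables set to a non-empty value (assumption:
    an empty value counts as unset)."""
    environ = os.environ if environ is None else environ
    return [name for name in CREDENTIAL_VARS if environ.get(name)]


def override_warning(environ=None):
    """Build a warning in the style of the output above, or None if clean."""
    found = overriding_vars(environ)
    if not found:
        return None
    return (
        "Your env already has AWS access keys set %s, which will take "
        "precedence in the AWS CLI/SDK over the credentials created by "
        "this utility. Consider `unset`-ting them if you have issues." % found
    )


def scrubbed_env(environ=None):
    """Copy of the environment without the credential variables, suitable for
    passing as env= to a subprocess that should use the profile instead."""
    environ = os.environ if environ is None else environ
    return {k: v for k, v in environ.items() if k not in CREDENTIAL_VARS}


# Constructed sample environment; the key values are placeholders.
SAMPLE_ENV = {
    "PATH": "/usr/bin",
    "AWS_PROFILE": "derp",
    "AWS_ACCESS_KEY_ID": "constructed-key-id",
    "AWS_SECRET_ACCESS_KEY": "constructed-secret",
}

if __name__ == "__main__":
    print("WARNING - %s" % override_warning(SAMPLE_ENV))
    print(sorted(scrubbed_env(SAMPLE_ENV)))
```
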