getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0

MFA is requested by sops all the time #997

Open chas0amx opened 2 years ago

chas0amx commented 2 years ago

I have the following in ~/.aws/credentials:

[extra]
source_profile = default
region = us-east-1
mfa_serial = arn:aws:iam::xxx
role_arn = arn:aws:iam::xxx
assumed_role = True
assumed_role_arn = arn:aws:iam::xxx
aws_access_key_id = xxx
aws_secret_access_key = xxx
aws_session_token = xxx
aws_security_token = xxx
expiration = 2022-02-02 20:46:38

[default]
region = us-east-1
aws_access_key_id = xxx
aws_secret_access_key = xxx

Next, I do: export AWS_PROFILE=extra. Then aws s3 ls asks for the MFA code only once, but when I do sops -d secrets.prod.yaml it asks "Assume Role MFA token code:" every time.

Why? It is so inconvenient. The same happens with the helm plugin (https://github.com/jkroepke/helm-secrets).

chas0amx commented 2 years ago

Any updates on that?

hwine commented 2 years ago

Depending on your configuration, SOPS may need to do a role assumption on each encrypt/decrypt. Even if you have your session cached, the role assumption is a "new login", hence the MFA.

chas0amx commented 2 years ago

It can be partly solved with totp (https://github.com/arcanericky/totp) in this way: export AWS_PROFILE=extra; totp aws | sops -d secrets.prod.yaml
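Added example, not code from the sops project or from anyone in this thread: since hwine's point is that sops' AWS SDK performs the role assumption (and therefore the MFA prompt) on every encrypt/decrypt, and the totp workaround above still performs an assumption per call, this helper pays the MFA cost once by doing the assumption outside sops and feeding the cached temporary credentials to sops through the AWS credential_process mechanism. It assumes a second profile in ~/.aws/config whose credential_process points at this script, the environment variables SOPS_ROLE_ARN and SOPS_MFA_SERIAL (names assumed), the source profile "default" as in the credentials file above, and the cache path and 5-minute skew shown.

```python
import getpass, json, os, subprocess
from datetime import datetime, timedelta, timezone

CACHE = os.path.expanduser("~/.aws/sops-role-cache.json")  # assumed location
SKEW = timedelta(minutes=5)  # refresh early so a long sops run never hits expiry

def cache_valid(cached, now):
    """True if a credential_process JSON document is still usable at `now`."""
    try:
        exp = datetime.fromisoformat(cached["Expiration"].replace("Z", "+00:00"))
    except (TypeError, KeyError, AttributeError, ValueError):
        return False  # absent, malformed, or not a dict at all
    return cached.get("Version") == 1 and now + SKEW < exp

def to_credential_process(sts_response):
    """Reshape `aws sts assume-role` output into the credential_process format."""
    c = sts_response["Credentials"]
    return {"Version": 1, "AccessKeyId": c["AccessKeyId"],
            "SecretAccessKey": c["SecretAccessKey"],
            "SessionToken": c["SessionToken"], "Expiration": c["Expiration"]}

def get_credentials(load, fetch, now):
    """Return (creds, refreshed): cached creds while valid, else one fresh fetch."""
    cached = load()
    return (cached, False) if cache_valid(cached, now) else (fetch(), True)

def assume_role_with_mfa(role_arn, mfa_serial, source_profile):
    """The single MFA-gated STS call; getpass prompts on the tty, not stdout."""
    token = getpass.getpass("MFA code: ")
    out = subprocess.run(
        ["aws", "sts", "assume-role", "--role-arn", role_arn, "--serial-number",
         mfa_serial, "--token-code", token, "--role-session-name", "sops",
         "--output", "json"], check=True, capture_output=True, text=True,
        env={**os.environ, "AWS_PROFILE": source_profile}).stdout  # no recursion
    return to_credential_process(json.loads(out))

def load_cache():
    try:
        with open(CACHE) as f:
            return json.load(f)
    except (OSError, ValueError):
        return None

if __name__ == "__main__":
    fetch = lambda: assume_role_with_mfa(os.environ["SOPS_ROLE_ARN"], os.environ["SOPS_MFA_SERIAL"], "default")
    creds, refreshed = get_credentials(load_cache, fetch, datetime.now(timezone.utc))
    if refreshed:  # the cache holds live credentials, so keep it owner-only
        with open(os.open(CACHE, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as f:
            json.dump(creds, f)
    print(json.dumps(creds))  # credential_process contract: JSON only on stdout
```

Set AWS_PROFILE to the profile whose credential_process runs this script before calling sops, and only the first call within the session lifetime prompts for MFA. If the KMS entries in .sops.yaml specify a role themselves, sops still assumes that role on its own, so this only removes the profile-driven assumption described in the issue.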