trek10inc / awsume

A utility for easily assuming AWS IAM roles from the command line.
https://awsu.me
MIT License

MFA token not persisting when role-duration is set #114

Closed jakepearson closed 3 years ago

jakepearson commented 3 years ago

I started to use awsume and it seems great. I wanted to extend the duration of my token on an account I use with mfa configured. After I ran this command:

awsume --config set role-duration 43200

I get prompted for my mfa token each time I run awsume. When I remove the role-duration line from my config, it goes back to working as expected.

Do these 2 features not work together or did I misconfigure my config or is this a bug?

mbarneyjr commented 3 years ago

This is unfortunately due to a limitation with AWS. AWS does not let you chain role assumptions for durations greater than 1 hour. Even though your sts get-session-token credentials were coming from an IAM user and not a role, according to AWS, the temporary user session credentials are still treated as role credentials, and the request is rejected when you try to use a role duration greater than 1 hour. This means we can't take advantage of the cached mfa-authenticated credentials. So to support --role-duration with profiles that require MFA, we pass the MFA token to the role's assume-role call, instead of the user's get-session-token call.

I hope this helps make it clearer!
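The two flows described in the comment above, as an added example that is not awsume's own code: an in-memory stand-in for the STS client records which call receives the MFA code and enforces the one-hour limit on chained AssumeRole, so the script runs offline. The account id, role and MFA ARNs, access keys, TOTP code and the 12-hour GetSessionToken length are constructed values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ONE_HOUR = 3600


@dataclass
class Credentials:
    access_key_id: str
    secret_access_key: str
    session_token: Optional[str] = None  # None means long-term IAM user keys

    @property
    def is_temporary(self) -> bool:
        return self.session_token is not None


class FakeSTS:
    """Constructed stand-in for boto3's STS client. It records every call and
    enforces the limit the thread describes: AssumeRole called with temporary
    credentials (role chaining) may not request more than one hour."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, dict]] = []

    def get_session_token(self, caller: Credentials, duration: int,
                          serial: str, token: str) -> Credentials:
        if caller.is_temporary:
            raise PermissionError("GetSessionToken requires long-term IAM user keys")
        self.calls.append(("GetSessionToken", {"duration": duration, "mfa": token}))
        return Credentials("ASIA_SESSION", "secret", "session-token")

    def assume_role(self, caller: Credentials, role_arn: str, duration: int,
                    serial: Optional[str] = None, token: Optional[str] = None) -> Credentials:
        if caller.is_temporary and duration > ONE_HOUR:
            raise PermissionError("DurationSeconds exceeds the 1 hour limit for role chaining")
        self.calls.append(("AssumeRole", {"role": role_arn, "duration": duration, "mfa": token}))
        return Credentials("ASIA_ROLE", "secret", "role-token")


def assume_with_mfa(sts, user_creds: Credentials, role_arn: str, mfa_serial: str,
                    role_duration: int, session_cache: Dict[str, Credentials],
                    prompt_mfa: Callable[[], str]) -> Tuple[Credentials, str]:
    """Pick the flow based on the requested role duration. Returns the role
    credentials and a label for the flow taken."""
    if role_duration <= ONE_HOUR:
        # Flow A: spend the MFA code on GetSessionToken, cache that session, and
        # assume the role from it. Later runs reuse the cache with no prompt.
        session = session_cache.get(mfa_serial)
        if session is None:
            session = sts.get_session_token(user_creds, 12 * ONE_HOUR, mfa_serial, prompt_mfa())
            session_cache[mfa_serial] = session
        return sts.assume_role(session, role_arn, role_duration), "cached-session"
    # Flow B: a chained AssumeRole above one hour would be rejected, so the MFA
    # code goes straight to AssumeRole from the long-term keys. Nothing reusable
    # is produced, so every run prompts again.
    return sts.assume_role(user_creds, role_arn, role_duration, mfa_serial, prompt_mfa()), "direct"


def count_prompts(role_duration: int, runs: int = 2) -> int:
    """Simulate `runs` consecutive invocations sharing one cache and return how
    many times the user was asked for an MFA code."""
    sts = FakeSTS()
    user = Credentials("AKIA_EXAMPLE", "secret")            # constructed long-term keys
    role = "arn:aws:iam::123456789012:role/example"          # constructed role ARN
    serial = "arn:aws:iam::123456789012:mfa/example-user"    # constructed MFA device
    cache: Dict[str, Credentials] = {}
    prompts = 0

    def prompt() -> str:
        nonlocal prompts
        prompts += 1
        return "123456"  # constructed TOTP code

    for _ in range(runs):
        assume_with_mfa(sts, user, role, serial, role_duration, cache, prompt)
    return prompts


def chaining_is_rejected(role_duration: int) -> bool:
    """True if AssumeRole from cached session credentials fails at this duration."""
    sts = FakeSTS()
    session = Credentials("ASIA_SESSION", "secret", "session-token")
    try:
        sts.assume_role(session, "arn:aws:iam::123456789012:role/example", role_duration)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("prompts over 2 runs, role-duration 3600: ", count_prompts(3600))       # 1
    print("prompts over 2 runs, role-duration 43200:", count_prompts(43200))      # 2
    print("chained AssumeRole at 43200 rejected:", chaining_is_rejected(43200))  # True
```

Running it shows the behaviour reported in the issue: with a one-hour role duration the MFA code is consumed once by GetSessionToken and the cached session carries the second run, while with role-duration 43200 every invocation prompts, because the only call allowed to take that duration is an AssumeRole made directly from the long-term keys.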

jakepearson commented 3 years ago

Thanks for the extra information. Have a great day.