trek10inc / awsume

A utility for easily assuming AWS IAM roles from the command line.
https://awsu.me
MIT License

duration_seconds in config causes MFA prompt every time #73

Closed michaelwittig closed 4 years ago

michaelwittig commented 4 years ago
awsume -v
4.1.3

If I specify duration_seconds in my config file I'm always asked to enter the MFA token for this profile. If I do not specify duration_seconds I only have to enter the MFA token every now and then.

mbarneyjr commented 4 years ago

This is unfortunately expected behavior.

Awsume uses the sts get-caller-identity api to get mfa-authenticated credentials (session token) for your user, and uses those credentials to call the sts assume-role api to get role credentials.

According to AWS, they treat the user mfa-authenticated credentials (the session token) as role credentials. They also do not allow role-chaining for credentials that are valid for more than 1 hour.

For that reason, we can't use the default awsume flow (caching source session token so you don't need MFA every single time you assume a role) when a duration_seconds is given.
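An added illustration of the two flows described in the comment above (example code, not awsume's own): without duration_seconds, MFA session credentials are cached and reused for chained AssumeRole calls; with duration_seconds configured, every invocation makes an MFA-authenticated AssumeRole call. The cache path, the session name, the 5-minute expiry margin and the use of sts:GetSessionToken for the session-token step are assumptions of this example.

```python
import getpass
import json
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

CACHE = Path.home() / ".awsume_example_session.json"  # assumed cache location, not awsume's
ROLE_CHAIN_MAX_SECONDS = 3600  # AWS caps a role-chained session (session token -> AssumeRole) at 1 hour


def cached_session_usable(cache: Optional[dict], now: Optional[datetime] = None,
                          margin_s: int = 300) -> bool:
    """True when cached GetSessionToken credentials exist and outlive the safety margin."""
    if not cache:
        return False
    now = now or datetime.now(timezone.utc)
    expiration = datetime.fromisoformat(cache["Expiration"])  # tz-aware ISO-8601 string
    return (expiration - now).total_seconds() > margin_s


def flow_for(duration_seconds: Optional[int], cache: Optional[dict],
             now: Optional[datetime] = None) -> str:
    """'direct': MFA-authenticated AssumeRole on every call, forced whenever duration_seconds
    is set because a chained session cannot exceed ROLE_CHAIN_MAX_SECONDS; 'cached': chain
    AssumeRole off valid cached session credentials; 'refresh': prompt once, cache, then chain."""
    if duration_seconds is not None:
        return "direct"
    return "cached" if cached_session_usable(cache, now) else "refresh"


def assume_role(role_arn: str, mfa_serial: str, duration_seconds: Optional[int] = None) -> dict:
    import boto3  # imported lazily so the pure helpers above run without it
    cache = json.loads(CACHE.read_text()) if CACHE.exists() else None
    flow = flow_for(duration_seconds, cache)
    if flow == "direct":
        return boto3.client("sts").assume_role(
            RoleArn=role_arn, RoleSessionName="example", SerialNumber=mfa_serial,
            TokenCode=getpass.getpass("MFA code: "), DurationSeconds=duration_seconds)["Credentials"]
    if flow == "refresh":
        cache = boto3.client("sts").get_session_token(
            SerialNumber=mfa_serial, TokenCode=getpass.getpass("MFA code: "))["Credentials"]
        cache["Expiration"] = cache["Expiration"].isoformat()
        CACHE.touch(mode=0o600)  # the cache holds live credentials: owner-only permissions
        CACHE.write_text(json.dumps(cache))
    sts = boto3.client("sts", aws_access_key_id=cache["AccessKeyId"],
                       aws_secret_access_key=cache["SecretAccessKey"],
                       aws_session_token=cache["SessionToken"])
    return sts.assume_role(RoleArn=role_arn, RoleSessionName="example")["Credentials"]
```

Calling assume_role(role_arn, mfa_serial, 43200) prompts for an MFA code every time, while assume_role(role_arn, mfa_serial) prompts only until the cached session token nears expiry.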