Closed michaelwittig closed 4 years ago
This is unfortunately expected behavior.
Awsume uses the sts get-caller-identity api to get mfa-authenticated credentials (session token) for your user, and uses those credentials to call the sts assume-role api to get role credentials.
According to AWS, they treat the user mfa-authenticated credentials (the session token) as role credentials. They also do not allow role-chaining for credentials that are valid for more than 1 hour.
For that reason, we can't use the default awsume flow (caching source session token so you don't need MFA every single time you assume a role) when a duration_seconds is given.
If I specify duration_seconds in my config file I'm always asked to enter the MFA token for this profile. If I do not specify duration_seconds I only have to enter the MFA token every now and then.
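To see which profiles in a config file will prompt for MFA on every run, the behavior discussed in this thread can be modeled as a small audit script. This is an added example, not awsume's own code: the sample config, profile names, ARNs, and the `plan_flow` and `audit` helpers are constructed for illustration, and the step labels paraphrase the maintainer's description.

```python
import configparser

# Constructed sample config; profile names, account id and ARNs are placeholders.
SAMPLE_CONFIG = """
[profile admin]
role_arn = arn:aws:iam::111111111111:role/Admin
source_profile = base
mfa_serial = arn:aws:iam::111111111111:mfa/alice

[profile long-admin]
role_arn = arn:aws:iam::111111111111:role/Admin
source_profile = base
mfa_serial = arn:aws:iam::111111111111:mfa/alice
duration_seconds = 14400

[profile base]
region = us-east-1
"""

def plan_flow(section):
    """Return (steps, mfa_every_time) for one profile, modeling the thread's description."""
    if "role_arn" not in section:
        return (["use the profile's own credentials"], False)
    if "mfa_serial" not in section:
        # Not covered in the thread; assumed here to need no MFA prompt.
        return (["assume-role from source credentials"], False)
    if "duration_seconds" in section:
        # A custom duration rules out the cached session token as the source,
        # so the MFA code is needed for every assume-role call.
        return (["assume-role with MFA from the user's long-term credentials"], True)
    return (["get MFA-authenticated session token (cached until it expires)",
             "assume-role using the cached session token"], False)

def audit(config_text):
    """Map each profile name to its planned flow."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    result = {}
    for name in parser.sections():
        prefix = "profile "
        profile = name[len(prefix):] if name.startswith(prefix) else name
        result[profile] = plan_flow(parser[name])
    return result

if __name__ == "__main__":
    for profile, (steps, every_time) in audit(SAMPLE_CONFIG).items():
        print(f"{profile}: MFA every time = {every_time}; " + " -> ".join(steps))
```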