AWS CLI not honoring MultiFactorAuthAge

I'm trying to set up my AWS CLI to assume a role using MFA and expiring the creds after 15 minutes (minimum duration_seconds allowed, apparently).

My IAM role policy is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/myuser"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        },
        "NumericLessThan": {
          "aws:MultiFactorAuthAge": "900"
        }
      }
    }
  ]
}

My CLI config is set up as follows:

[profile xxx]
role_arn = arn:aws:iam::XXXXXXXXXXXX:role/mfa
mfa_serial = arn:aws:iam::XXXXXXXXXXXX:mfa/foobar
source_profile = mfa

When I run a command using the xxx profile above, MFA is asked the first time and remains valid for all the subsequent requests. However, after 15 minutes, the token is still valid and MFA isn't asked again.

$ aws s3 ls --profile xxx

I tried setting the duration_seconds parameter on my CLI as below:

[profile xxx]
role_arn = arn:aws:iam::XXXXXXXXXXXX:role/mfa
mfa_serial = arn:aws:iam::XXXXXXXXXXXX:mfa/foobar
source_profile = mfa
duration_seconds = 900

But now, I'm asked the MFA token for every command issued, even if the time difference is in the order of seconds.

Am I missing something here?

AWS CLI version: aws-cli/2.0.49 Python/3.7.4 Darwin/19.6.0 exe/x86_64

Appreciate any help.

Thanks in advance!

asked Jan 15 '21 08:01 by Mauricio Klein


1 Answer

So, I discovered the reason for this behavior:

As described in this GitHub issue, AWS CLI treats any session within 15min as expired, refreshing the creds automatically (or asking for a new one-time passcode, in case of MFA).

So, setting the session duration for 15min (900s) is basically the same as getting a one-time credential.

I just tested setting the session_duration to 930 (15min + 30s), and the session is indeed valid for 30 seconds.

answered Oct 21 '22 14:10 by Mauricio Klein
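As an added illustration (not part of the original question or answer, and not AWS's own code), the Python below models the 15-minute expiry window the answer describes: a cached assumed-role credential whose remaining lifetime is under 900 seconds is treated as already expired, so `duration_seconds = 900` leaves no usable lifetime while 930 leaves 30 seconds. The cache entry is a constructed sample in the shape of the JSON the CLI writes under `~/.aws/cli/cache`; only the `Credentials`/`Expiration` field is read.

```python
import json
from datetime import datetime, timedelta, timezone

# The AWS CLI (via botocore) treats a cached credential as expired when it has
# less than 15 minutes left, then re-runs AssumeRole and re-prompts for MFA.
EXPIRY_WINDOW_SECONDS = 15 * 60

# Constructed cache entry (values are placeholders, not real credentials):
# issued at 08:01:00Z with duration_seconds = 930, so it expires at 08:16:30Z.
SAMPLE_CACHE_ENTRY = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
        "SecretAccessKey": "constructed-secret",
        "SessionToken": "constructed-session-token",
        "Expiration": "2021-01-15T08:16:30Z",
    }
})


def parse_expiration(raw: str) -> datetime:
    """Parse the cache entry's ISO-8601 expiration into an aware UTC datetime."""
    # fromisoformat() does not accept a trailing 'Z', so normalise it first.
    return datetime.fromisoformat(raw.replace("Z", "+00:00")).astimezone(timezone.utc)


def needs_refresh(cache_entry_json: str, now: datetime,
                  window: int = EXPIRY_WINDOW_SECONDS) -> bool:
    """True when the CLI would discard the cached credential and assume the role again."""
    expiration = parse_expiration(json.loads(cache_entry_json)["Credentials"]["Expiration"])
    remaining = (expiration - now).total_seconds()
    return remaining < window


def usable_seconds(duration_seconds: int, window: int = EXPIRY_WINDOW_SECONDS) -> int:
    """Seconds a freshly assumed credential stays usable before the CLI re-prompts."""
    return max(0, duration_seconds - window)


if __name__ == "__main__":
    issued = datetime(2021, 1, 15, 8, 1, 0, tzinfo=timezone.utc)
    for offset in (0, 29, 31):
        when = issued + timedelta(seconds=offset)
        print(f"t+{offset:>2}s: needs_refresh={needs_refresh(SAMPLE_CACHE_ENTRY, when)}")
    for duration in (900, 930, 3600):
        print(f"duration_seconds={duration}: usable for {usable_seconds(duration)}s")
```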