By enabling MFA on an AMI, the aws-cli is locked out, as it requires a session token.
Acquiring a session token is described here and here, which looks really straightforward.
So, taking the next step, I made a script out of those.
...
aws iam list-mfa-devices --user-name "$_username" > "$aUserfile" || exit 1
# Serial number (ARN) of the user's first MFA device; jq reads the file directly
_arn=$(jq -r '.MFADevices[0].SerialNumber' "$aUserfile")
# instead of $1, which has the exact same issue as described in the post
echo "Insert the mfa token"
read -r _mfa
aws sts get-session-token --serial-number "$_arn" --token-code "$_mfa" --duration-seconds 28800 > "$anOtherUserfile" || exit 1
...
Now, this script did run ... sometimes. But most of the time, even on a different machine or a different AMI, it will return an invalid code, which then leads to:
An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials
I did wait over a day just in case this is a "ban" (which makes no sense, as I did not have a response code or something), as I did call it a couple of times while the script was progressing.
Also even running it by hand now can produce an invalid token.
Any suggestions?
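For comparison, here is an added example of the same MFA session flow written as a POSIX shell script; it is not the poster's script and not part of any AWS tooling. It assumes aws-cli is configured with the IAM user's long-term keys and that the user has one MFA device; the function names (valid_token_code, credentials_to_exports, mfa_session) and the AWS_SESSION_EXPIRATION variable are chosen here. The two points it makes explicit are that GetSessionToken must be called with the long-term keys rather than an earlier session's credentials, and that the temporary access key and secret are only valid together with their session token, so all three must be exported before the next aws call. It uses --query/--output text instead of jq so the parsing step can be checked offline.

```shell
#!/bin/sh
# Added example: obtain MFA-backed temporary credentials with aws-cli and
# emit export statements for the calling shell. Not the original poster's
# script; function and variable names are chosen for this example.
set -eu

# Reject anything that is not a 6-digit TOTP code before it reaches STS.
valid_token_code() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Convert the single tab-separated line that `aws sts get-session-token
# --output text` returns for the query below
# (AccessKeyId  SecretAccessKey  SessionToken  Expiration)
# into export statements. The key pair is only valid together with the
# session token, so all three are exported as a unit.
credentials_to_exports() {
    printf '%s\n' "$1" | awk -F '\t' 'NF >= 3 {
        printf "export AWS_ACCESS_KEY_ID=%s\n", $1
        printf "export AWS_SECRET_ACCESS_KEY=%s\n", $2
        printf "export AWS_SESSION_TOKEN=%s\n", $3
        printf "export AWS_SESSION_EXPIRATION=%s\n", $4
    }'
}

# Full flow for one IAM user name. Prompts go to stderr so that stdout
# carries only the export lines and can be passed to eval.
mfa_session() {
    username=$1
    printf 'MFA code for %s: ' "$username" >&2
    read -r code
    valid_token_code "$code" || { echo "token code must be 6 digits" >&2; return 1; }

    # GetSessionToken must be called with the long-term IAM user keys, so drop
    # any session token left over from an earlier run in this shell.
    unset AWS_SESSION_TOKEN

    serial=$(aws iam list-mfa-devices --user-name "$username" \
        --query 'MFADevices[0].SerialNumber' --output text)

    creds=$(aws sts get-session-token --serial-number "$serial" \
        --token-code "$code" --duration-seconds 28800 \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
        --output text)

    credentials_to_exports "$creds"
}

# Usage (in the interactive shell, so the exports persist):
#   eval "$(mfa_session alice)"
#   aws sts get-caller-identity   # confirm the session before calling EC2
```

Running `aws sts get-caller-identity` right after the eval is the cheap check: if it succeeds the session token is in place and a following DescribeInstances failure is a permissions question rather than a credentials one; if it fails with an authentication error, the three AWS_* variables were not all exported into the shell that makes the call.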