IAM roles are a great way to increase security in AWS. A user can switch to a specific role and get a new set of permissions. The Switching to an IAM role article explains how to do this for the AWS CLI, but unfortunately leaves out how to switch to a role that requires MFA.
The trick is to add an mfa_serial parameter to the profile in the ~/.aws/config file, e.g.:
[profile myprofile]
role_arn = arn:aws:iam::{ACCOUNT_ID}:role/{ROLE}
source_profile = default
mfa_serial = {MY_MFA_DEVICE}
You can get your {MY_MFA_DEVICE} configuration from https://console.aws.amazon.com/iam/home#/security_credentials.
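An added example (not part of the original article): a small audit that reads AWS CLI config text and reports every role-assuming profile whose mfa_serial is missing or still a placeholder, since the CLI only prompts for a token when that key is set. The sample config, account ID, profile names and the accepted value patterns are assumptions made for illustration.

```python
import configparser
import re

# Constructed sample config; account ID, role and device names are placeholders.
SAMPLE_CONFIG = """\
[default]
[profile myprofile]
role_arn = arn:aws:iam::111122223333:role/admin
source_profile = default
mfa_serial = arn:aws:iam::111122223333:mfa/alice
[profile nomfa]
role_arn = arn:aws:iam::111122223333:role/deploy
source_profile = default
[profile placeholder]
role_arn = arn:aws:iam::111122223333:role/audit
source_profile = default
mfa_serial = {MY_MFA_DEVICE}
"""

# Assumed value shapes: ARNs in any partition, 12-digit account IDs.
ROLE_ARN = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/.+$")
MFA_ARN = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:mfa/.+$")  # virtual device
HW_SERIAL = re.compile(r"^[A-Za-z0-9]+$")  # hardware token serial number


def audit_role_profiles(config_text):
    """Return {profile_name: finding} for every profile that assumes a role."""
    parser = configparser.RawConfigParser(delimiters=("=",))
    parser.read_string(config_text)
    findings = {}
    for section in parser.sections():
        opts = parser[section]
        if "role_arn" not in opts:
            continue  # plain credential profile, no role to assume
        # The config file names sections "[profile NAME]" (except "[default]").
        name = section[len("profile "):] if section.startswith("profile ") else section
        serial = opts.get("mfa_serial", "").strip()
        if not ROLE_ARN.match(opts["role_arn"].strip()):
            findings[name] = "malformed role_arn"
        elif not serial:
            findings[name] = "missing mfa_serial"
        elif not (MFA_ARN.match(serial) or HW_SERIAL.match(serial)):
            findings[name] = "mfa_serial is not a device ARN or serial"
        else:
            findings[name] = "ok"
    return findings

if __name__ == "__main__":
    for profile, finding in audit_role_profiles(SAMPLE_CONFIG).items():
        print(f"{profile}: {finding}")
```

To check a real file, pass the contents of ~/.aws/config to audit_role_profiles instead of SAMPLE_CONFIG.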