Open
Description
Platform or tool
AWS
Environment
OS:
Mac M3, Sequoia 15.7.1
What did you expect to happen?
I expect to be able to use profiles after a while correctly without having to resync MFA or having to run some command to default account.
Notes & Logs
Setup has been made with op plugin init aws
Current behavior
Running aws cli with op with profile randomly fails:
user@hostname ~ % aws sts get-caller-identity --profile my-1password-profile
[ERROR] [TIMESTAMP] could not run plugin AWS CLI: failed to provision credentials, encountered error(s):
operation error STS: AssumeRole, failed to sign request: failed to retrieve credentials: operation error STS: GetSessionToken, https response error StatusCode: 403, RequestID: [REQUEST_ID], api error AccessDenied: Cannot call GetSessionToken with session credentials
user@hostname ~ % aws sts get-caller-identity
{
"UserId": "AIDAXXXXXXXXXXXXXXX",
"Account": "111111111111",
"Arn": "arn:aws:iam::111111111111:user/some.user@example.com"
}
user@hostname ~ % aws sts get-caller-identity --profile my-1password-profile
{
"UserId": "AROAXXXXXXXXXXXXXXX:session-name",
"Account": "222222222222",
"Arn": "arn:aws:sts::222222222222:assumed-role/MyRole/session-name"
}
Also MFA seems to get out of sync, but resyncing it via console seems to help with that. It's just confusing and annoying that it drifts out of sync in a few days or hours.
% aws sts get-caller-identity
[ERROR] [timestamp] could not run plugin AWS CLI: failed to provision credentials, encountered error(s):
operation error STS: GetSessionToken, https response error StatusCode: 403, RequestID: [request-id], api error AccessDenied: MultiFactorAuthentication failed with invalid MFA one time pass code.
AWS config
user@hostname project-directory % cat ~/.aws/config
[default]
region = eu-west-1
output = json
[profile 1pass-source-profile]
region = eu-west-1
output = json
[profile my-1password-profile]
source_profile = 1pass-source-profile
role_arn = arn:aws:iam::222222222222:role/MyRole
region = eu-west-1
op CLI version
2.32.0