I created a snap called skuld that allows users of the AWS CLI/SDK to generate temporary credentials with an MFA device and store them in their .aws/credentials under an AWS profile to use when calling the AWS API (via the CLI or SDK). skuld itself is a terminal program.
Together with a correct policy in AWS, skuld can be used to force the usage of an MFA device with the AccessKey/SecretKey credentials.
skuld manipulates the ~/.aws/credentials and ~/.aws/config files and therefore requires classic confinement. An alternative would be to have an interface to allow access to the ~/.aws directory (the ~/.aws interface would be useful for all kinds of CLI tools and apps that need AWS credentials).
@jdstrand This sounds like a good fit for that new interface we discussed in the sprint last week, that would allow access to specific directories, but only after review.
@stanhbb Do you have a link for the project and source code?