I created a snap called
skuld that allows users of the AWS CLI/SDK to generate temporary credentials with an MFA device and store them in their
.aws/credentials under a an AWS profile to use when calling the AWS API (via the cli or SDK).
skuld itself is a terminal program.
Together with a correct policy in AWS,
skuld can be used to force the usage of an MFA device with the AccessKey/SecretKey credentials.
skuld manipulates the
~/.aws/config files and therefore requires classic confinement. An alternative would be to have an interface to allow access the
~/.aws directory (the
~/.aws interface would useful for all kinds of cli tools and apps that needs AWS credentials).