99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments

[Docs] MFA Instructions do not reflect new multiple MFA device capabilities AWS provides

LouisTsiattalou opened this issue · comments

AWS has recently added a feature to allow multiple MFA methods for individual IAM users. Now that you can have multiple MFA methods associated with the user, the mfa_serial entry no longer follows the mfa_serial=arn:aws:iam::<acc_id>:mfa/<your.aws.username> format. This hasn't had any negative effects on the usage of aws-vault, but some of the documentation is now out of date.
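Since the device name is now whatever the user chose when enrolling the device, the serial has to be looked up rather than derived from the username. The following is an added example, not code from the aws-vault project or from anyone in this thread: it parses a constructed sample of the `aws iam list-mfa-devices` output (account id, user name, device names and profile names are placeholders) and renders the `~/.aws/config` stanza that aws-vault reads.

```shell
#!/bin/sh
# Added example (not aws-vault's own code): find the mfa_serial for a profile
# now that an IAM user can own several named MFA devices. The JSON below is a
# constructed sample of what `aws iam list-mfa-devices --user-name alice`
# returns; account id, user name and device names are placeholders.
SAMPLE_LIST_MFA_DEVICES='{
  "MFADevices": [
    {
      "UserName": "alice",
      "SerialNumber": "arn:aws:iam::123456789012:mfa/alice-phone",
      "EnableDate": "2022-11-16T10:00:00+00:00"
    },
    {
      "UserName": "alice",
      "SerialNumber": "arn:aws:iam::123456789012:mfa/alice-backup-token",
      "EnableDate": "2023-01-04T09:30:00+00:00"
    }
  ]
}'

# Print every SerialNumber in the JSON passed as $1, one per line.
# Plain sed so it works without jq; in the AWS CLI's default JSON layout
# each SerialNumber sits on its own line.
mfa_serials() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*"SerialNumber":[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Pick the serial whose device name (the part after the last "/") is $2.
# Exits non-zero if no such device is listed, so a typo in the device name
# fails loudly instead of producing an empty mfa_serial.
mfa_serial_for_device() {
  mfa_serials "$1" | awk -v want="$2" -F/ '$NF == want { print; found = 1 } END { exit !found }'
}

# Render the ~/.aws/config stanzas aws-vault reads: the base profile ($1)
# holds the long-lived keys (stored in the keyring with `aws-vault add base`),
# and the MFA-protected profile ($2) points at it via source_profile and
# carries the looked-up serial ($3).
render_config() {
  printf '[profile %s]\n\n[profile %s]\nsource_profile = %s\nmfa_serial = %s\n' \
    "$1" "$2" "$1" "$3"
}

# Stand-alone usage. Against a real account the sample JSON would be replaced
# by the output of:
#   aws iam list-mfa-devices --user-name alice --profile base
serial=$(mfa_serial_for_device "$SAMPLE_LIST_MFA_DEVICES" alice-phone)
render_config base dev "$serial"
```

With the rendered stanza in `~/.aws/config`, `aws-vault exec dev -- aws sts get-caller-identity` prompts for the token of the named device; the profile and device names above are assumptions for the example.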

I would be interested in how to make aws-vault work with FIDO2 (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_fido.html#enable-fido-mfa-for-own-iam-user). Does anyone have a clue?

Is this fixed by #1101 ?

IMHO, #1101 is about TOTP and not FIDO2. So unfortunately it is not fixed.

I think #1101 fixes this issue; for example, by deleting the text

you can usually derive it pretty easily using the format arn:aws:iam::[account-id]:mfa/[your-iam-username]

Could you provide an example of a working setup?

@kforsthoevel this issue is about updating the docs for aws-vault now that users can have more than one MFA device (which might be a physical device, or something virtual).

Because this issue is about multiple MFA devices, it's not the right place to ask for advice about using FIDO2 devices with aws-vault.

Hi,

The docs really need to be updated with concrete examples of how to configure things from scratch for a user without having to specify the AWS access / secret keys and using MFA instead. I've done this previously with a 6.x version a long time ago, but I can't seem to get it to work at all right now. It keeps asking for the keys instead.