99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments


Rotate fails when two MFAs are required and they fall in the same time window

awilkins opened this issue · comments

  • I am using the latest release of AWS Vault
    • Was using 6.6.0, checked changelog, couldn't find an explicit fix for this, but maybe #1052 fixes it
  • .aws/config
    • A minimal config with mfa_serial referring to a TOTP device (YubiKey)

Used aws-vault rotate $PROFILE

  • Successfully creates a new access key
  • Successfully stores new key
  • Fails to re-authenticate and deprecate / delete old key

Error indicates invalid MFA; the initial session and the subsequent session with the new key both occur within the same TOTP window, so the same code is used twice, which is not permitted.

Error breaks the loop of the rotate command, so this then leaves the old key active.

Perhaps

  • Poll MFA device until new token is available (maybe a bit brutish)
  • Impose a longer window between key creation and deprecation when MFA is involved
    • Maybe have some kind of MFA resource pool to keep track of last time each MFA was used?
  • Retry (see "maybe #1052 fixes this")

probably should just check that we get a different MFA token inputted 2nd time around
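The following is an added example, not code from aws-vault or from anyone in this thread. It sketches the two mitigations discussed above (the reporter's "keep track of the last time each MFA was used" pool and the comment's "check that we get a different MFA token the second time"): a per-`mfa_serial` log of the last accepted code, plus a re-prompt that waits into the next TOTP window before asking again. It assumes the RFC 6238 default 30-second step (a YubiKey OATH-TOTP credential can be provisioned with a different period); the type and function names, the MFA ARN and the codes are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// RFC 6238 time step in seconds. Assumption: the device uses the default
// 30 s period; a differently provisioned credential needs a different value.
const totpPeriod int64 = 30

// timeStep returns the TOTP counter T = floor(unixSeconds / period).
// Two codes generated for the same T are identical, which is why the second
// STS call inside `rotate` is rejected when it lands in the same window.
func timeStep(t time.Time) int64 {
	return t.Unix() / totpPeriod
}

// untilNextStep is how long to wait from t until a fresh window starts.
func untilNextStep(t time.Time) time.Duration {
	next := (timeStep(t) + 1) * totpPeriod
	return time.Unix(next, 0).Sub(t)
}

// ErrTokenReused is returned locally instead of sending a stale code to STS,
// which would fail the rotate loop and leave the old access key active.
var ErrTokenReused = errors.New("MFA token already used in this time window; wait for the next code")

// mfaTokenLog remembers the last code accepted per mfa_serial (the "MFA
// resource pool" idea from the issue). Hypothetical type, not in aws-vault.
type mfaTokenLog struct {
	last map[string]string
}

// Accept rejects a code identical to the previous one for the same serial.
func (l *mfaTokenLog) Accept(serial, token string) error {
	if l.last == nil {
		l.last = make(map[string]string)
	}
	if prev, ok := l.last[serial]; ok && prev == token {
		return ErrTokenReused
	}
	l.last[serial] = token
	return nil
}

// promptFreshToken models the second MFA prompt during rotate: if the user
// enters the same code as before, it sleeps into the next TOTP window and
// re-prompts, up to maxAttempts. prompt, now and sleep are injected so the
// flow can be exercised without a real device or wall clock.
func promptFreshToken(seen *mfaTokenLog, serial string, maxAttempts int,
	prompt func() string, now func() time.Time, sleep func(time.Duration)) (string, error) {
	for attempt := 0; attempt < maxAttempts; attempt++ {
		tok := prompt()
		if err := seen.Accept(serial, tok); err == nil {
			return tok, nil
		}
		wait := untilNextStep(now())
		fmt.Printf("code %s was already used; waiting %v for the next TOTP window\n", tok, wait)
		sleep(wait)
	}
	return "", ErrTokenReused
}

func main() {
	// Constructed run: the initial session used 111111 at t=1000 s, the user
	// types it again, then types 222222 once the clock has moved on.
	serial := "arn:aws:iam::123456789012:mfa/example" // placeholder ARN
	clock := time.Unix(1000, 0)
	codes := []string{"111111", "222222"}
	seen := &mfaTokenLog{}
	_ = seen.Accept(serial, "111111")
	tok, err := promptFreshToken(seen, serial, 3,
		func() string { c := codes[0]; codes = codes[1:]; return c },
		func() time.Time { return clock },
		func(d time.Duration) { clock = clock.Add(d) })
	fmt.Println(tok, err)
}
```

The local reuse check fails fast and keeps the rotate loop alive, so the old key is only deprecated once a fresh code has actually been accepted; the sleep is bounded by one TOTP period, which is cheaper than retrying STS blindly.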

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.