fix: credential method selection and role chaining duration handling

[propilideno]

I closed #87 because the repository left the fork network in the meantime, and that PR got into a deadlock where GitHub was no longer reflecting the real diff/check state correctly.

So I re-forked ByteNess/aws-vault and opened this clean PR with only the final changes.

Introduction

In #75, I fixed the original regression: aws-vault v7 was missing the GetSessionToken step that v6 used before AssumeRole in real MFA role chaining scenarios.

That fix solved the broken role chaining, but while I was trying to improve the behavior afterwards, I ended up mistreating some flows as (chained MFA).

So the real follow-up problem was the credential method selection.

This PR keeps the original role chaining fix from #75, but now uses the right STS method at the right time.

Fixed

• direct role login is no longer treated as (chained MFA)
• flows that are not real role chaining do not go through the chained MFA path anymore
• when a role profile is used as the source_profile of another role profile, aws-vault still does GetSessionToken first and then AssumeRole
• when using --duration, instead of failing, aws-vault now uses that duration to get the source token session and caps chained AssumeRole calls to AWS 1 hour limit

AWS behavior

This implementation follows AWS STS behavior for each credential method.

• GetSessionToken is the STS API AWS provides to obtain MFA-authenticated temporary credentials from IAM user credentials. AWS documents that for IAM users the duration can range from 15 minutes up to 36 hours, with 12 hours as the default. This is the credential method that preserves MFA-authenticated source credentials before the next step in the flow.
  https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
  https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html

• AssumeRole is the STS API AWS uses for the role session itself. AWS documents that DurationSeconds can range from 15 minutes up to the maximum session duration configured on the role, with 1 hour as the default and up to 12 hours depending on the role setting.
  https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html

• AWS also documents that role chaining has a hard 1 hour limit for AssumeRole, even if the requested duration is higher. In other words, a longer source session does not change the 1 hour limit for chained role assumptions.
  https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining

• These limits are what drive the behavior in this PR: GetSessionToken and AssumeRole are not interchangeable, and the duration rules are different depending on which STS method is being used.

Tests

The unit tests in this PR are focused on the real bug here: credential method selection.

• TestDirectRoleLoginDoesNotUseGetSessionToken

  • validates direct role login
  • ensures a normal role profile is not treated as (chained MFA)

• TestRoleChainingMfaUsesGetSessionTokenBeforeAssumeRole

  • validates the case where one role profile is used as the source_profile of another role profile with the same MFA device
  • ensures aws-vault does GetSessionToken first and then performs the chained AssumeRole flow

• TestNonRoleChainingFlowDoesNotUseChainedMfaPath

  • validates a flow that is not real role chaining
  • ensures non-role-chaining flows are not incorrectly treated as (chained MFA)

So these tests are checking the exact decision points that caused the regression.

Test results by milestone

Before #75, the original role chaining regression is reproduced by:

--- FAIL: TestRoleChainingMfaUsesGetSessionTokenBeforeAssumeRole (0.00s)
    vault_test.go:241: expected source GetSessionToken then source/target AssumeRole, logs:
        profile target: sourcing credentials from profile source
        profile source: using stored credentials
        profile source: using AssumeRole (with MFA)
        profile target: using AssumeRole (with MFA)

After #75, role chaining is fixed, but the follow-up regression is reproduced by:

--- FAIL: TestDirectRoleLoginDoesNotUseGetSessionToken (0.00s)
    vault_test.go:178: did not expect GetSessionToken for non-chained role profile, logs:
        profile target: using stored credentials
        profile target: using GetSessionToken (with MFA)
        profile target: using AssumeRole (chained MFA)
--- FAIL: TestNonRoleChainingFlowDoesNotUseChainedMfaPath (0.00s)
    vault_test.go:299: did not expect GetSessionToken for role source chained to non-role target, logs:
        profile target: sourcing credentials from profile source
        profile source: using stored credentials
        profile source: skipping GetSessionToken because profile 'target' has no MFA serial defined
        profile source: using GetSessionToken (with MFA)
        profile source: using AssumeRole (chained MFA)
        profile target: using GetSessionToken

With this PR, all three tests pass.

Smoke tests

I also validated this with smoke tests in my own scenarios.

MFA-authenticated IAM user

[profile user]
mfa_serial=arn:aws:iam::***:mfa/***

GetSessionToken accepts up to 36 hours for an MFA-authenticated IAM user session, so 36h works and 37h fails with the expected AWS validation error.

$ ./aws-vault exec user -d 36h --debug
2026/03/21 21:26:17 aws-vault dev
2026/03/21 21:26:17 Using prompt driver: terminal
2026/03/21 21:26:17 Loading config file /home/***/.aws/config
2026/03/21 21:26:17 Parsing config file /home/***/.aws/config
2026/03/21 21:26:17 [keyring] Considering backends: [secret-service]
2026/03/21 21:26:17 profile user: using stored credentials
2026/03/21 21:26:17 profile user: using GetSessionToken (with MFA)
2026/03/21 21:26:17 Setting subprocess env: AWS_REGION=us-east-1, AWS_DEFAULT_REGION=us-east-1
Enter MFA code for arn:aws:iam::***:mfa/***: ******
2026/03/21 21:26:32 Looking up keyring for 'user'
2026/03/21 21:26:32 Generated credentials ****************W763 using GetSessionToken, expires in 35h59m59.158761248s
2026/03/21 21:26:32 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2026/03/21 21:26:32 Setting subprocess env: AWS_SESSION_TOKEN
2026/03/21 21:26:32 Setting subprocess env: AWS_CREDENTIAL_EXPIRATION
2026/03/21 21:26:32 Starting subshell /bin/zsh, use `exit` to exit the subshell
2026/03/21 21:26:32 Exec command /bin/zsh
2026/03/21 21:26:32 Found executable /bin/zsh

$ ./aws-vault clear
Cleared 1 sessions.

$ ./aws-vault exec user -d 37h --debug
2026/03/21 21:27:02 aws-vault dev
2026/03/21 21:27:02 Using prompt driver: terminal
2026/03/21 21:27:02 Loading config file /home/***/.aws/config
2026/03/21 21:27:02 Parsing config file /home/***/.aws/config
2026/03/21 21:27:02 [keyring] Considering backends: [secret-service]
2026/03/21 21:27:02 profile user: using stored credentials
2026/03/21 21:27:02 profile user: using GetSessionToken (with MFA)
2026/03/21 21:27:02 Setting subprocess env: AWS_REGION=us-east-1, AWS_DEFAULT_REGION=us-east-1
Enter MFA code for arn:aws:iam::***:mfa/***: ******
2026/03/21 21:27:06 Looking up keyring for 'user'
aws-vault: error: exec: Failed to get credentials for user: operation error STS: GetSessionToken, https response error StatusCode: 400, RequestID: ***, api error ValidationError: 1 validation error detected: Value '133200' at 'durationSeconds' failed to satisfy constraint: Member must have value less than or equal to 129600

IAM role

[profile source]
role_arn=arn:aws:iam::***:role/AdminRole
mfa_serial=arn:aws:iam::***:mfa/***

For a direct role login, AssumeRole follows the role duration limit. In this case 12h works and 13h fails with the expected AWS validation error.

$ ./aws-vault exec source --debug -d 12h
2026/03/21 21:31:57 aws-vault dev
2026/03/21 21:31:57 Using prompt driver: terminal
2026/03/21 21:31:57 Loading config file /home/***/.aws/config
2026/03/21 21:31:57 Parsing config file /home/***/.aws/config
2026/03/21 21:31:57 [keyring] Considering backends: [secret-service]
2026/03/21 21:31:57 profile source: using stored credentials
2026/03/21 21:31:57 profile source: using AssumeRole (with MFA)
2026/03/21 21:31:57 Setting subprocess env: AWS_REGION=us-east-1, AWS_DEFAULT_REGION=us-east-1
Enter MFA code for arn:aws:iam::***:mfa/***: ******
2026/03/21 21:32:15 Looking up keyring for 'source'
2026/03/21 21:32:16 Generated credentials ****************KCB2 using AssumeRole, expires in 11h59m59.269248402s
2026/03/21 21:32:16 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2026/03/21 21:32:16 Setting subprocess env: AWS_SESSION_TOKEN
2026/03/21 21:32:16 Setting subprocess env: AWS_CREDENTIAL_EXPIRATION
2026/03/21 21:32:16 Starting subshell /bin/zsh, use `exit` to exit the subshell
2026/03/21 21:32:16 Exec command /bin/zsh
2026/03/21 21:32:16 Found executable /bin/zsh

$ ./aws-vault clear
Cleared 1 sessions.

$ ./aws-vault exec source --debug -d 13h
2026/03/21 21:32:52 aws-vault dev
2026/03/21 21:32:52 Using prompt driver: terminal
2026/03/21 21:32:52 Loading config file /home/***/.aws/config
2026/03/21 21:32:52 Parsing config file /home/***/.aws/config
2026/03/21 21:32:52 [keyring] Considering backends: [secret-service]
2026/03/21 21:32:52 profile source: using stored credentials
2026/03/21 21:32:52 profile source: using AssumeRole (with MFA)
2026/03/21 21:32:52 Setting subprocess env: AWS_REGION=us-east-1, AWS_DEFAULT_REGION=us-east-1
Enter MFA code for arn:aws:iam::***:mfa/***: ******
2026/03/21 21:33:03 Looking up keyring for 'source'
aws-vault: error: exec: Failed to get credentials for source: operation error STS: AssumeRole, https response error StatusCode: 400, RequestID: ***, api error ValidationError: 1 validation error detected: Value '46800' at 'durationSeconds' failed to satisfy constraint: Member must have value less than or equal to 43200

Role chaining

[profile source]
role_arn=arn:aws:iam::***:role/AdminRole
mfa_serial=arn:aws:iam::***:mfa/***

[profile target]
role_arn=arn:aws:iam::***:role/***
mfa_serial=arn:aws:iam::***:mfa/***
source_profile=source

For role chaining, the source MFA session keeps the requested duration, while both AssumeRole calls are limited to 1 hour.

$ ./aws-vault exec target -d 12h --debug
2026/03/21 21:35:33 aws-vault dev
2026/03/21 21:35:33 Using prompt driver: terminal
2026/03/21 21:35:33 Loading config file /home/***/.aws/config
2026/03/21 21:35:33 Parsing config file /home/***/.aws/config
2026/03/21 21:35:33 [keyring] Considering backends: [secret-service]
2026/03/21 21:35:33 profile target: sourcing credentials from profile source
2026/03/21 21:35:33 profile source: using stored credentials
2026/03/21 21:35:33 profile source: using GetSessionToken (with MFA)
2026/03/21 21:35:33 profile source: capping AssumeRole duration from 12h0m0s to AWS maximum 1h0m0s for role chaining
2026/03/21 21:35:33 profile source: using AssumeRole (chained MFA)
2026/03/21 21:35:33 profile target: capping AssumeRole duration from 12h0m0s to AWS maximum 1h0m0s for role chaining
2026/03/21 21:35:33 profile target: using AssumeRole (chained MFA)
2026/03/21 21:35:33 Setting subprocess env: AWS_REGION=us-east-1, AWS_DEFAULT_REGION=us-east-1
Enter MFA code for arn:aws:iam::***:mfa/***: ******
2026/03/21 21:35:38 Looking up keyring for 'source'
2026/03/21 21:35:39 Generated credentials ****************LW6N using GetSessionToken, expires in 11h59m58.959775242s
2026/03/21 21:35:39 Generated credentials ****************FHZO using AssumeRole, expires in 59m59.268280031s
2026/03/21 21:35:40 Generated credentials ****************5U7Q using AssumeRole, expires in 59m59.620698908s
2026/03/21 21:35:40 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2026/03/21 21:35:40 Setting subprocess env: AWS_SESSION_TOKEN
2026/03/21 21:35:40 Setting subprocess env: AWS_CREDENTIAL_EXPIRATION
2026/03/21 21:35:40 Starting subshell /bin/zsh, use `exit` to exit the subshell
2026/03/21 21:35:40 Exec command /bin/zsh
2026/03/21 21:35:40 Found executable /bin/zsh

$ ./aws-vault list
Profile                  Credentials              Sessions
=======                  ===========              ========
source                   source                   sts.GetSessionToken:11h59m27s
target                   -                        -

$ ./aws-vault clear
Cleared 1 sessions.

$ ./aws-vault exec target -d 1h --debug
2026/03/21 21:37:25 aws-vault dev
2026/03/21 21:37:25 Using prompt driver: terminal
2026/03/21 21:37:25 Loading config file /home/***/.aws/config
2026/03/21 21:37:25 Parsing config file /home/***/.aws/config
2026/03/21 21:37:25 [keyring] Considering backends: [secret-service]
2026/03/21 21:37:25 profile target: sourcing credentials from profile source
2026/03/21 21:37:25 profile source: using stored credentials
2026/03/21 21:37:25 profile source: using GetSessionToken (with MFA)
2026/03/21 21:37:25 profile source: using AssumeRole (chained MFA)
2026/03/21 21:37:25 profile target: using AssumeRole (chained MFA)
2026/03/21 21:37:25 Setting subprocess env: AWS_REGION=us-east-1, AWS_DEFAULT_REGION=us-east-1
Enter MFA code for arn:aws:iam::***:mfa/***: ******
2026/03/21 21:37:34 Looking up keyring for 'source'
2026/03/21 21:37:35 Generated credentials ****************NFTS using GetSessionToken, expires in 59m59.798928571s
2026/03/21 21:37:35 Generated credentials ****************YNI2 using AssumeRole, expires in 59m59.120085826s
2026/03/21 21:37:36 Generated credentials ****************BR7U using AssumeRole, expires in 59m59.471617761s
2026/03/21 21:37:36 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2026/03/21 21:37:36 Setting subprocess env: AWS_SESSION_TOKEN
2026/03/21 21:37:36 Setting subprocess env: AWS_CREDENTIAL_EXPIRATION
2026/03/21 21:37:36 Starting subshell /bin/zsh, use `exit` to exit the subshell
2026/03/21 21:37:36 Exec command /bin/zsh
2026/03/21 21:37:36 Found executable /bin/zsh

$ ./aws-vault list
Profile                  Credentials              Sessions
=======                  ===========              ========
source                   source                   sts.GetSessionToken:59m51s
target                   -                        -

Source profile chaining with a role

[profile source]
mfa_serial=arn:aws:iam::***:mfa/***

[profile target]
region = us-east-2
source_profile=source
role_arn=arn:aws:iam::***:role/AdminRole

This is a source-profile chain with a role target, not a role-chaining MFA flow, so it should go directly to AssumeRole.

$ ./aws-vault exec target -d 12h --debug
2026/03/21 21:42:14 aws-vault dev
2026/03/21 21:42:14 Using prompt driver: terminal
2026/03/21 21:42:14 Loading config file /home/***/.aws/config
2026/03/21 21:42:14 Parsing config file /home/***/.aws/config
2026/03/21 21:42:14 [keyring] Considering backends: [secret-service]
2026/03/21 21:42:14 profile target: sourcing credentials from profile source
2026/03/21 21:42:14 profile source: using stored credentials
2026/03/21 21:42:14 profile source: skipping GetSessionToken because profile 'target' has no MFA serial defined
2026/03/21 21:42:14 profile target: using AssumeRole
2026/03/21 21:42:14 Setting subprocess env: AWS_REGION=us-east-2, AWS_DEFAULT_REGION=us-east-2
2026/03/21 21:42:14 Looking up keyring for 'source'
2026/03/21 21:42:14 Generated credentials ****************5EAX using AssumeRole, expires in 11h59m59.008229455s
2026/03/21 21:42:14 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2026/03/21 21:42:14 Setting subprocess env: AWS_SESSION_TOKEN
2026/03/21 21:42:14 Setting subprocess env: AWS_CREDENTIAL_EXPIRATION
2026/03/21 21:42:14 Starting subshell /bin/zsh, use `exit` to exit the subshell
2026/03/21 21:42:14 Exec command /bin/zsh
2026/03/21 21:42:14 Found executable /bin/zsh

Source profile chaining without a role

[profile source]
mfa_serial=arn:aws:iam::***:mfa/***

[profile target]
region = us-east-2
source_profile=source

This is also not a role-chaining MFA flow. The target does not assume a role, so the result is a plain GetSessionToken session for the target profile.

$ ./aws-vault exec target --debug -d 36h
2026/03/21 21:43:28 aws-vault dev
2026/03/21 21:43:28 Using prompt driver: terminal
2026/03/21 21:43:28 Loading config file /home/***/.aws/config
2026/03/21 21:43:28 Parsing config file /home/***/.aws/config
2026/03/21 21:43:28 [keyring] Considering backends: [secret-service]
2026/03/21 21:43:28 profile target: sourcing credentials from profile source
2026/03/21 21:43:28 profile source: using stored credentials
2026/03/21 21:43:28 profile source: skipping GetSessionToken because profile 'target' has no MFA serial defined
2026/03/21 21:43:28 profile target: using GetSessionToken
2026/03/21 21:43:28 Setting subprocess env: AWS_REGION=us-east-2, AWS_DEFAULT_REGION=us-east-2
2026/03/21 21:43:28 Looking up keyring for 'source'
2026/03/21 21:43:29 Generated credentials ****************OZSX using GetSessionToken, expires in 35h59m59.870906197s
2026/03/21 21:43:29 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2026/03/21 21:43:29 Setting subprocess env: AWS_SESSION_TOKEN
2026/03/21 21:43:29 Setting subprocess env: AWS_CREDENTIAL_EXPIRATION
2026/03/21 21:43:29 Starting subshell /bin/zsh, use `exit` to exit the subshell
2026/03/21 21:43:29 Exec command /bin/zsh
2026/03/21 21:43:29 Found executable /bin/zsh

Related

• follow-up to fix(rolechaining): add missing MFA auth logic for session creds #75
• supersedes fix: credential method selection for chained vs non-chained MFA #87
• fixes bug: 12 hour sessions no longer working when assuming role #290
• related to Any chance we get role chaining working again? #67
• related to Role Chaining with source_identity broken in v7? 99designs/aws-vault#1251

[propilideno]

I did a rebase and force-pushed signed commits to pass on the pipeline verification.

[mbevc1]

Thanks @propilideno . I'll try again my chain assume roles that were regressing last time and get back to you. One small comment; could oyu perhaps add a test for the duration cap behavior. The three unit tests cover method selection, but there's no test asserting that a chained AssumeRole duration is capped to 1 hour when a longer duration is requested. The smoke test confirms it works manually, but a unit/integration test here would make the cap logic regression-proof going forward.

[propilideno]

Hey @mbevc1.
Of course, i agree with you. So i'll implement it now.

[propilideno]

Before #333

--- FAIL: TestRoleChainingCapsAssumeRoleDurationToOneHour (0.00s)
    vault_test.go:359: expected source AssumeRole duration to be capped to 1h, got 12h0m0s
FAIL
FAIL    github.com/byteness/aws-vault/v7/vault  0.017s
FAIL

After #333

=== RUN   TestRoleChainingCapsAssumeRoleDurationToOneHour
2026/03/22 17:59:55 Parsing config file /tmp/aws-config2398993536
2026/03/22 17:59:55 Profile 'default' missing in config file
2026/03/22 17:59:55 Profile 'default' missing in config file
--- PASS: TestRoleChainingCapsAssumeRoleDurationToOneHour (0.00s)
PASS

[mbevc1]

Hi @propilideno and thanks for adding the tests. I've re-tested my role chaining and it's still breaking and keep asking for MFA like here: #87 (comment)

2026/03/25 22:21:18 Re-using cached credentials ****************XXX2 from sts.GetSessionToken, expires in 7h55m7.660000103s
aws-vault: error: login: operation error STS: AssumeRole, get identity: get credentials: operation error STS: AssumeRole, get identity: get credentials: operation error STS: GetSessionToken, https response error StatusCode: 403, RequestID: 42e96adc-6fae-4714-a144-5afa4604a7c2, api error AccessDenied: Cannot call GetSessionToken with session credentials

[propilideno]

Hi @propilideno and thanks for adding the tests. I've re-tested my role chaining and it's still breaking and keep asking for MFA like here: #87 (comment)

2026/03/25 22:21:18 Re-using cached credentials ****************XXX2 from sts.GetSessionToken, expires in 7h55m7.660000103s
aws-vault: error: login: operation error STS: AssumeRole, get identity: get credentials: operation error STS: AssumeRole, get identity: get credentials: operation error STS: GetSessionToken, https response error StatusCode: 403, RequestID: 42e96adc-6fae-4714-a144-5afa4604a7c2, api error AccessDenied: Cannot call GetSessionToken with session credentials

Hey @mbevc1,
Can you share your profile configuration related to this test? Redact any sensitive information, i just need it to replicate the setup.

[mbevc1]

Sure, this is config I'm testing with:

[profile sso]
region=eu-west-1
duration_seconds=43200

[profile admin]
role_arn=arn:aws:iam::yyyyyyyyyyyy:role/AdministrativeUser
region=eu-west-1
source_profile=sso
role_session_name=user
duration_seconds=43200

[profile t1a]
role_arn=arn:aws:iam::xxxxxxxxxxxx:role/User
role_session_name=user
region=eu-west-1
source_profile=admin
duration_seconds=43200

And running aws-vault login t1a.

[mbevc1]

Let's address the role chaining issue before we merge this. Thanks for your effort @propilideno

[propilideno]

Hey @mbevc1,
I tested with the profile chain you shared and, in my local repro, it is working properly. From the config you pasted alone I’m not hitting the GetSessionToken path, so I suspect there may be some inherited config involved, like the [default].
Could you share if there is any relevant config there, and if possible:

1. send the full ./aws-vault clear && ./aws-vault login t1a --debug output
2. the ./aws-vault list including only the lines with the profiles you shared with me, like in the example below

My tests

[default]
region=us-east-1
output=json

[profile sso]
region=us-east-2
duration_seconds=7200

[profile admin]
source_profile=sso
role_arn=arn:aws:iam::yyyyyyyyyyyy:role/AdministrativeUser
region=us-east-2
role_session_name=user
duration_seconds=7200

[profile t1a]
role_arn=arn:aws:iam::xxxxxxxxxxxx:role/User
region=us-east-2
source_profile=admin
role_session_name=user
duration_seconds=7200

$ ./aws-vault list                  
Profile                  Credentials              Sessions                 
=======                  ===========              ========                 
default                  -                        -                        
sso                      sso                      -                        
admin                    -                        -                        
t1a                      -                        -                        

$ ./aws-vault clear && ./aws-vault login t1a --debug
Cleared 0 sessions.
2026/04/03 15:32:54 aws-vault dev
2026/04/03 15:32:54 Using prompt driver: terminal
2026/04/03 15:32:54 [keyring] Considering bssoends: [secret-service]
2026/04/03 15:32:54 Loading config file /home/propi/.aws/config
2026/04/03 15:32:54 Parsing config file /home/propi/.aws/config
2026/04/03 15:32:54 profile t1a: sourcing credentials from profile admin
2026/04/03 15:32:54 profile admin: sourcing credentials from profile sso
2026/04/03 15:32:54 profile sso: using stored credentials
2026/04/03 15:32:54 profile sso: skipping GetSessionToken because profile 'admin' has no MFA serial defined
2026/04/03 15:32:54 profile admin: skipping GetSessionToken because profile 't1a' has no MFA serial defined
2026/04/03 15:32:54 profile admin: using AssumeRole 
2026/04/03 15:32:54 profile t1a: capping AssumeRole duration from 2h0m0s to AWS maximum 1h0m0s for role chaining
2026/04/03 15:32:54 profile t1a: using AssumeRole 
2026/04/03 15:32:54 Looking up keyring for 'sso'
2026/04/03 15:32:55 Generated credentials ****************YB6C using AssumeRole, expires in 1h59m58.955674482s
2026/04/03 15:32:55 Generated credentials ****************POEL using AssumeRole, expires in 59m59.268598411s
2026/04/03 15:32:55 Requesting a signin token for session expiring in 59m59.268558937s

[mbevc1]

So there is [default] as well (not sure if will have any effect) and is the following:

[default]
region=eu-west-1
sts_regional_endpoints=regional
mfa_serial=arn:aws:iam::xxxxxxxxxxxx:mfa/mfaX
output=json