Prompt for MFA token for users

I understand that I can script this process, I guess my question is why boto3 doesn’t do this automatically?

I’m in the process of trying to script around this exact problem myself so the answer to this question is relevant for my use-case as I’m finding myself trying to determine how to perform the following workflow:

context:

• we have several accounts
  • one’s $HOME/.aws/credentials usually contains a few accounts IE:

[default]
aws_access_key_id...
aws_secret_access_key...

[org1-admin]
aws_access_key_id...
aws_secret_access_key...
mfa_serial...

[org2-admin]
aws_access_key_id...
aws_secret_access_key...

[org3-admin]
aws_access_key_id...
aws_secret_access_key...
...

• one of these accounts (org1-admin as noted by the presence of mfa_serial) uses sub-accounts so there’s a config
  • The contents of the $HOME/.aws/config defines profiles under one of the aforementioned specified accounts:

[profile gen3-prod]
role_arn = ...
source_profile = org3-admin

[profile gen3-preprod]
role_arn = ...
source_profile = org3-admin

[profile gen3-dev]
role_arn = ...
source_profile = org3-admin

So the problem:

We have an inventory CLI tool which needs to do resource querying. The problem is that MFA was recently set to forced for only one of the main accounts org1-admin. The CLI tool needs to be able to ask the CLI admin for their MFA token if the CLI tool is querying against org1-admin resources and then assume an sts role just for that account. That’s fine. The problem is that there is no reason for the script to attempt to query for MFA until it’s necessary (when it needs to seek resources from org1-admin).

Since boto doesn’t seem to be intelligent enough to notice when an account requires MFA for authorization, I need to code this in. My main problem is that I’m not really sure how to introspect the boto3 object to see if mfa_serial exists.