0
votes

Is there a way to do cross-account access from an AWS credential which has MFA enabled?

I am able to switch accounts from the AWS Management Console; I want to do the same from the CLI.

Tried updating the .aws/config file as per the link below.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-cli.html

Getting an error: "The config profile (CrossAccountSignin) could not be found." Please advise.


1 Answer

0
votes

There are two parts to this - the ~/.aws/credentials file and the ~/.aws/config file.

Let's say you have an IAM user my-user-id in account 987654321098 and want to assume a role called my-assumed-role in account 123456789012.

The ~/.aws/credentials file contains a profile with the IAM user's command-line credentials (access key ID and secret access key) for my-user-id. For example:

[default]
aws_access_key_id=AKIAABCDEFGHIJKLMNOPQR
aws_secret_access_key=SeCrEtKeY
region=ap-southeast-2
output=json

The ~/.aws/config file contains a profile with the ARN of the cross-account role and the IAM user's MFA serial number, along with any other session options. For example:

[profile cross-account-role]
role_arn = arn:aws:iam::123456789012:role/my-assumed-role
source_profile = default
mfa_serial = arn:aws:iam::987654321098:mfa/my-user-id
region = ap-southeast-2
s3 =
    signature_version = s3v4
role_session_name = my-session

To assume the cross-account role with the CLI, we append the role's profile name from ~/.aws/config (e.g. --profile cross-account-role) to the command.

As the source_profile is default, it will use the credentials of the IAM user my-user-id from account 987654321098, together with its MFA, to assume the role my-assumed-role in the target account 123456789012.

For example

myuser@myhost:~$ aws sts get-caller-identity --profile cross-account-role
Enter MFA code for arn:aws:iam::987654321098:mfa/my-user-id:
{
    "UserId": "AROAABCDEFGHIJKLMNOPQR:my-session",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/my-assumed-role/my-session"
}

The CLI will prompt you to enter your MFA code and then provide the output. By default the session lasts 60 minutes and is cached; during this time any further CLI commands will not prompt again for an MFA code.
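As an added example (not part of the original answer), the POSIX shell script below writes the two-file layout from the answer into a throwaway HOME and then resolves a profile name the way the CLI's section-header rule works: in ~/.aws/config every profile except default is written as [profile NAME], while ~/.aws/credentials uses the bare [NAME]. The account IDs, key strings and names are the answer's placeholders; the extra CrossAccountSignin stanza is a constructed example of a header that is missing the "profile " prefix, which is one common cause of the "could not be found" error quoted in the question. Nothing here calls AWS, so it runs offline; the real call is shown only as a comment.

```shell
#!/bin/sh
# Added example: emulate how the AWS CLI locates a named profile across
# ~/.aws/credentials and ~/.aws/config. Placeholder values come from the answer;
# the CrossAccountSignin section is a constructed "wrong header" example.
set -eu

# Write both files under DIR/.aws. The credentials file holds the long-lived
# IAM user keys under a bare [name] header; the config file holds the role
# profile under a [profile name] header. One stanza deliberately lacks the prefix.
write_aws_files() {
    dir="$1"
    mkdir -p "$dir/.aws"
    cat > "$dir/.aws/credentials" <<'EOF'
[default]
aws_access_key_id=AKIAABCDEFGHIJKLMNOPQR
aws_secret_access_key=SeCrEtKeY
EOF
    cat > "$dir/.aws/config" <<'EOF'
[default]
region = ap-southeast-2
output = json

[profile cross-account-role]
role_arn = arn:aws:iam::123456789012:role/my-assumed-role
source_profile = default
mfa_serial = arn:aws:iam::987654321098:mfa/my-user-id
role_session_name = my-session

[CrossAccountSignin]
role_arn = arn:aws:iam::123456789012:role/my-assumed-role
source_profile = default
EOF
    # keep secrets readable by the owner only
    chmod 600 "$dir/.aws/credentials" "$dir/.aws/config"
}

# Print the value of KEY for PROFILE from the config FILE, applying the
# header rule ([default] vs [profile NAME]). Returns 1 when the key is absent.
config_lookup() {
    file="$1"; profile="$2"; key="$3"
    if [ "$profile" = default ]; then hdr="[default]"; else hdr="[profile $profile]"; fi
    awk -v hdr="$hdr" -v key="$key" '
        /^\[/ { insec = ($0 == hdr); next }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print; found = 1; exit
        }
        END { exit (found ? 0 : 1) }
    ' "$file"
}

# Resolve "--profile NAME" the way the CLI does: the role profile must exist
# under the prefixed header in config, and its source_profile must have keys
# in the credentials file. Mirrors the CLI's wording for the missing-profile case.
check_profile() {
    dir="$1"; name="$2"
    if role=$(config_lookup "$dir/.aws/config" "$name" role_arn); then
        src=$(config_lookup "$dir/.aws/config" "$name" source_profile)
        if grep -q "^\[$src\]" "$dir/.aws/credentials"; then
            echo "ok: $name -> $role via source profile $src"
            return 0
        fi
        echo "error: source profile ($src) has no credentials"
        return 2
    fi
    echo "error: The config profile ($name) could not be found"
    return 1
}

# Demo in a throwaway HOME so the real ~/.aws is never touched.
demo_home=$(mktemp -d)
write_aws_files "$demo_home"
check_profile "$demo_home" cross-account-role
check_profile "$demo_home" CrossAccountSignin || true
# With real keys, the equivalent live call would be:
#   HOME="$demo_home" aws sts get-caller-identity --profile cross-account-role
rm -rf "$demo_home"
```

Running it prints one "ok" line for cross-account-role and the CLI-style "could not be found" error for CrossAccountSignin, because its stanza was written as [CrossAccountSignin] rather than [profile CrossAccountSignin]. Renaming the header (or using the answer's working stanza) is the fix to check first when the CLI reports that error for a profile you can see in the file.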