
Reuse cached MFA credentials for generating role credentials

Open joedenniss opened this issue 4 months ago • 0 comments

Given an ~/.aws/config file that looks like this:

[profile base]
mfa_serial = arn:aws:iam::123456789012:mfa/device

[profile role1]
source_profile = base
role_arn = arn:aws:iam::234567890123:role/role1

[profile role2]
source_profile = base
role_arn = arn:aws:iam::345678901234:role/role2

It would be great if granted could reuse the MFA-authenticated temporary credentials generated for the base profile in the following two scenarios:

  • Assuming another role which uses the same source profile
  • Assuming a role where the role credentials have expired but the temporary credentials generated for the source profile are still valid

In this specific example, this would mean the following:

  • If I run assume role2 having already run assume role1 and the temporary credentials generated for the source profile have not yet expired, I do not have to enter a new MFA token.
  • If I run assume role1 and the credentials for role1 have expired but the temporary credentials generated for the source profile have not yet expired, granted automatically generates new credentials for role1 from the same set of temporary credentials without re-prompting for MFA.

In practice, I have many profiles which all extend from the same source profile and having to enter an MFA token for each one of them is quite cumbersome. I also have to re-enter an MFA token every hour when assuming any of these roles because the role session duration is 1 hour, even though the temporary MFA-authenticated credentials generated for the source profile are valid for 12 hours.

Both of these caching behaviours are implemented by awsume and it would be great to have feature parity with that.

joedenniss, Oct 03 '24 15:10
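As an added illustration (not code from granted or awsume), the two-level caching the issue asks for: one MFA-authenticated session per source profile and one role session per profile, with the role re-assumed from the still-valid cached session when only the role credentials have expired. STS, the MFA prompt and the clock are constructed stand-ins so it runs offline; the profile names and the 12 h session / 1 h role lifetimes are the issue's own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Creds:
    key: str
    expires: datetime  # real STS credentials also carry a secret key and session token
    def valid(self, now, margin=timedelta(minutes=5)):
        return now + margin < self.expires  # refresh a little early, never on the boundary

class CredentialChain:
    """Two caches: one MFA session per source profile, one role session per profile."""
    def __init__(self, config, get_session_token, assume_role, prompt_mfa, now):
        self.config, self.get_session_token, self.assume_role = config, get_session_token, assume_role
        self.prompt_mfa, self.now, self.sessions, self.roles = prompt_mfa, now, {}, {}
    def session_for(self, source_profile):
        cached = self.sessions.get(source_profile)
        if cached and cached.valid(self.now()):
            return cached  # still valid: reuse it, no MFA prompt
        serial = self.config[source_profile]["mfa_serial"]
        self.sessions[source_profile] = self.get_session_token(serial, self.prompt_mfa(serial))
        return self.sessions[source_profile]
    def assume(self, profile):
        cached = self.roles.get(profile)
        if cached and cached.valid(self.now()):
            return cached
        p = self.config[profile]  # expired or absent: re-assume from the (cached) session
        self.roles[profile] = self.assume_role(self.session_for(p["source_profile"]), p["role_arn"])
        return self.roles[profile]

CONFIG = {  # constructed: the three profiles from the ~/.aws/config in the issue
    "base": {"mfa_serial": "arn:aws:iam::123456789012:mfa/device"},
    "role1": {"source_profile": "base", "role_arn": "arn:aws:iam::234567890123:role/role1"},
    "role2": {"source_profile": "base", "role_arn": "arn:aws:iam::345678901234:role/role2"},
}

def run_demo():
    """Replays the issue's scenarios offline; returns [(credential key, MFA prompts so far)]."""
    clock = {"now": datetime(2024, 10, 3, 15, 0, tzinfo=timezone.utc)}  # fake wall clock
    prompts = []
    def fake_sts(name, hours):  # stand-in for STS: 12 h session token, 1 h role session
        return Creds(f"{name}@{clock['now']:%dT%H:%M}", clock["now"] + timedelta(hours=hours))
    chain = CredentialChain(CONFIG, lambda serial, code: fake_sts("session", 12),
                            lambda session, arn: fake_sts(arn.rsplit("/", 1)[1], 1),
                            lambda serial: prompts.append(serial) or "123456", lambda: clock["now"])
    out = []
    for hours, profile in ((0, "role1"), (0, "role2"), (2, "role1"), (11, "role1")):
        clock["now"] += timedelta(hours=hours)  # role1; role2; role1 after 2 h; role1 after 13 h
        out.append((chain.assume(profile).key, len(prompts)))
    return out
```

Only the first and last steps prompt for MFA: role2 reuses the session, and role1 after 2 h is re-assumed from it without a prompt; after 13 h the session itself has expired.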