aws-vault login always requests MFA #97

Closed
pda opened this issue Sep 28, 2016 · 4 comments
Collaborator

pda commented Sep 28, 2016

Previously, aws-vault login <profile> would request the MFA token once, and subsequent calls within a reasonable time period would not need it. Now (v3.5.0-31-g0acf41f) it requests them every time.

I'm guessing this is a side-effect of #92 so it's perhaps a good trade-off for getting longer AWS console sessions. Figured I'd open an issue in case it's considered a regression or something that can/should be fixed.

$ aws-vault --debug login --stdout PROFILE
2016/09/28 11:38:00 Parsing config file /Users/pda/.aws/config
2016/09/28 11:38:00 Looking up keyring for redacted
2016/09/28 11:38:00 Opening keychain /Users/pda/Library/Keychains/aws-vault.keychain
Enter token for arn:aws:iam::redacted:mfa/redacted: redacted
2016/09/28 11:38:09 Assuming role arn:aws:iam::redacted:role/redacted with iam credentials
2016/09/28 11:38:10 Using role ****************redacted, expires in 14m59.605818512s
2016/09/28 11:38:10 Creating federation login token, expires in 12h0m0s
https://signin.aws.amazon.com/federation?Action=login&Issuer=aws-vault&Destination=redacted...
Collaborator

lox commented Sep 28, 2016

After some thought, I think it is a regression and we should keep the default behaviour like it was. We can add a --no-session like exec has to get the new behaviour. Thoughts?

@bradfeehan

Maybe use an existing session if found, as long as the requested expiry is inside the limit for session tokens. But use the original IAM credentials if the user has requested a longer time that necessitates using them, or if there's no token found.

Collaborator

lox commented Oct 1, 2016

I guess the thing with that is that it's pretty rare that people will provide non-default TTLs, so we want the default to be as sane as possible.

lox added the stale label Oct 6, 2016
Collaborator

lox commented Oct 6, 2016

Based on our discussion today @pda, the new behaviour is worth the trade-off.

lox closed this as completed Apr 9, 2017