ssm start-session with -profile doesn't ask for MFA #6218

Open
daknhh opened this issue Jun 11, 2021 · 5 comments
Labels
customization Issues related to CLI customizations (located in /awscli/customizations) feature-request A feature should be added or improved. p3 This is a minor priority issue ssm start-session


daknhh commented Jun 11, 2021

Confirm by changing [ ] to [x] below to ensure that it's a bug:

Describe the bug
When invoking aws start-session with a profile which needs MFA, the following error occurs:

----------ERROR-------
Encountered error while initiating handshake. KMSEncryption failed on client with status 2 error: Failed to process action KMSEncryption: error while creating new KMS service, Error creating new aws sdk session AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.

SDK version number
aws-cli/2.0.61 Python/3.7.4 Darwin/20.5.0 exe/x86_64

Platform/OS/Hardware/Device
MacOS Big Sur 11.4

To Reproduce (observed behavior)
Invoke aws ssm start-session --target xxx --profile xxx with a profile which has MFA configured

Expected behavior
When invoking aws ssm start-session --target xxx --profile xxx with a profile which has MFA configured - the cli should ask for MFA.

Logs/output
2021-06-11 09:39:23,954 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.0.61 Python/3.7.4 Darwin/20.5.0 exe/x86_64
2021-06-11 09:39:23,954 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['ssm', 'start-session', '--target', 'i-0d30dfbbbe23dd2a8', '--profile', '', '--debug']
2021-06-11 09:39:23,954 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_timestamp_parser at 0x7f8af88c28c0>
2021-06-11 09:39:23,954 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function register_uri_param_handler at 0x7f8ac8898ef0>
2021-06-11 09:39:23,954 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_binary_formatter at 0x7f8af890f4d0>
2021-06-11 09:39:23,954 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function no_pager_handler at 0x7f8ac8818200>
2021-06-11 09:39:23,954 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x7f8ac88cff80>
2021-06-11 09:39:23,955 - MainThread - botocore.utils - DEBUG - IMDS ENDPOINT: http://169.254.169.254/
2021-06-11 09:39:23,960 - MainThread - botocore.credentials - DEBUG - Skipping environment variable credential check because profile name was explicitly set.
2021-06-11 09:39:23,961 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function attach_history_handler at 0x7f8af87709e0>
2021-06-11 09:39:23,961 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_json_file_cache at 0x7f8af8714710>
2021-06-11 09:39:23,979 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/botocore/data/ssm/2014-11-06/service-2.json
2021-06-11 09:39:23,998 - MainThread - botocore.hooks - DEBUG - Event building-command-table.ssm: calling handler <function add_custom_start_session at 0x7f8af88e2050>
2021-06-11 09:39:23,998 - MainThread - botocore.hooks - DEBUG - Event building-command-table.ssm: calling handler <function add_waiters at 0x7f8af88d1560>
2021-06-11 09:39:24,017 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/botocore/data/ssm/2014-11-06/waiters-2.json
2021-06-11 09:39:24,017 - MainThread - awscli.clidriver - DEBUG - OrderedDict([('target', <awscli.arguments.CLIArgument object at 0x7f8ad047b690>), ('document-name', <awscli.arguments.CLIArgument object at 0x7f8ad047b9d0>), ('parameters', <awscli.arguments.CLIArgument object at 0x7f8ad047b950>)])
2021-06-11 09:39:24,017 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.ssm.start-session: calling handler <function add_streaming_output_arg at 0x7f8af88c4a70>
2021-06-11 09:39:24,017 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.ssm.start-session: calling handler <function add_cli_input_json at 0x7f8ac88d49e0>
2021-06-11 09:39:24,018 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.ssm.start-session: calling handler <function add_cli_input_yaml at 0x7f8ac88d4c20>
2021-06-11 09:39:24,018 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.ssm.start-session: calling handler <function unify_paging_params at 0x7f8af872dcb0>
2021-06-11 09:39:24,037 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/botocore/data/ssm/2014-11-06/paginators-1.json
2021-06-11 09:39:24,037 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.ssm.start-session: calling handler <function add_generate_skeleton at 0x7f8af88239e0>
2021-06-11 09:39:24,037 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.ssm.start-session: calling handler <function add_auto_prompt at 0x7f8af890d680>
2021-06-11 09:39:24,038 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.ssm.start-session: calling handler <bound method OverrideRequiredArgsArgument.override_required_args of <awscli.customizations.cliinput.CliInputJSONArgument object at 0x7f8ad047ba90>>
2021-06-11 09:39:24,038 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.ssm.start-session: calling handler <bound method OverrideRequiredArgsArgument.override_required_args of <awscli.customizations.cliinput.CliInputYAMLArgument object at 0x7f8ad0458610>>
2021-06-11 09:39:24,038 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.ssm.start-session: calling handler <bound method GenerateCliSkeletonArgument.override_required_args of <awscli.customizations.generatecliskeleton.GenerateCliSkeletonArgument object at 0x7f8ad0487cd0>>
2021-06-11 09:39:24,038 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.ssm.start-session: calling handler <bound method AutoPromptArgument.override_required_args of <awscli.customizations.autoprompt.AutoPromptArgument object at 0x7f8ad048dc50>>
2021-06-11 09:39:24,038 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.ssm.start-session.target: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f8af8996ed0>
2021-06-11 09:39:24,038 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.ssm.start-session: calling handler <awscli.argprocess.ParamShorthandParser object at 0x7f8ac8891d10>
2021-06-11 09:39:24,039 - MainThread - awscli.arguments - DEBUG - Unpacked value of 'i-0d30dfbbbe23dd2a8' for parameter "target": 'i-0d30dfbbbe23dd2a8'
2021-06-11 09:39:24,039 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.ssm.start-session.document-name: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f8af8996ed0>
2021-06-11 09:39:24,039 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.ssm.start-session.parameters: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f8af8996ed0>
2021-06-11 09:39:24,039 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.ssm.start-session.cli-input-json: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f8af8996ed0>
2021-06-11 09:39:24,039 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.ssm.start-session.cli-input-yaml: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f8af8996ed0>
2021-06-11 09:39:24,039 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.ssm.start-session.generate-cli-skeleton: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f8af8996ed0>
2021-06-11 09:39:24,039 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.ssm.start-session.cli-auto-prompt: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f8af8996ed0>
2021-06-11 09:39:24,039 - MainThread - botocore.hooks - DEBUG - Event calling-command.ssm.start-session: calling handler <bound method CliInputArgument.add_to_call_parameters of <awscli.customizations.cliinput.CliInputJSONArgument object at 0x7f8ad047ba90>>
2021-06-11 09:39:24,039 - MainThread - botocore.hooks - DEBUG - Event calling-command.ssm.start-session: calling handler <bound method CliInputArgument.add_to_call_parameters of <awscli.customizations.cliinput.CliInputYAMLArgument object at 0x7f8ad0458610>>
2021-06-11 09:39:24,039 - MainThread - botocore.hooks - DEBUG - Event calling-command.ssm.start-session: calling handler <bound method GenerateCliSkeletonArgument.generate_skeleton of <awscli.customizations.generatecliskeleton.GenerateCliSkeletonArgument object at 0x7f8ad0487cd0>>
2021-06-11 09:39:24,039 - MainThread - botocore.hooks - DEBUG - Event calling-command.ssm.start-session: calling handler <bound method AutoPromptArgument.auto_prompt_arguments of <awscli.customizations.autoprompt.AutoPromptArgument object at 0x7f8ad048dc50>>
2021-06-11 09:39:24,039 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2021-06-11 09:39:24,039 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2021-06-11 09:39:24,040 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: sso
2021-06-11 09:39:24,040 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2021-06-11 09:39:24,042 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
2021-06-11 09:39:24,042 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/botocore/data/endpoints.json
2021-06-11 09:39:24,048 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x7f8ac8386560>
2021-06-11 09:39:24,051 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.ssm: calling handler <function add_generate_presigned_url at 0x7f8ac8312c20>
2021-06-11 09:39:24,078 - MainThread - botocore.endpoint - DEBUG - Setting ssm timeout as (60, 60)
2021-06-11 09:39:24,079 - MainThread - botocore.hooks - DEBUG - Event provide-client-params.ssm.StartSession: calling handler <function base64_decode_input_blobs at 0x7f8af890f560>
2021-06-11 09:39:24,079 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.ssm.StartSession: calling handler <function generate_idempotent_uuid at 0x7f8ac838d200>
2021-06-11 09:39:24,079 - MainThread - botocore.hooks - DEBUG - Event before-call.ssm.StartSession: calling handler <function inject_api_version_header_if_needed at 0x7f8ac8391a70>
2021-06-11 09:39:24,079 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=StartSession) with params: {'url_path': '/', 'query_string': '', 'method': 'POST', 'headers': {'X-Amz-Target': 'AmazonSSM.StartSession', 'Content-Type': 'application/x-amz-json-1.1', 'User-Agent': 'aws-cli/2.0.61 Python/3.7.4 Darwin/20.5.0 exe/x86_64 command/ssm.start-session'}, 'body': b'{"Target": "i-0d30dfbbbe23dd2a8"}', 'url': 'https://ssm.eu-central-1.amazonaws.com/', 'context': {'client_region': 'eu-central-1', 'client_config': <botocore.config.Config object at 0x7f8ab8147d90>, 'has_streaming_input': False, 'auth_type': None}}
2021-06-11 09:39:24,079 - MainThread - botocore.hooks - DEBUG - Event request-created.ssm.StartSession: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x7f8ab8147c50>>
2021-06-11 09:39:24,079 - MainThread - botocore.hooks - DEBUG - Event choose-signer.ssm.StartSession: calling handler <function set_operation_specific_signer at 0x7f8ac8381290>
2021-06-11 09:39:24,080 - MainThread - botocore.credentials - DEBUG - Credentials for role retrieved from cache.
2021-06-11 09:39:24,081 - MainThread - botocore.credentials - DEBUG - Retrieved credentials will expire at: 2021-06-11 08:09:03+00:00
2021-06-11 09:39:24,081 - MainThread - botocore.auth - DEBUG - Calculating signature using v4 auth.
2021-06-11 09:39:24,081 - MainThread - botocore.auth - DEBUG - CanonicalRequest:
POST
/

content-type:application/x-amz-json-1.1
host:ssm.eu-central-1.amazonaws.com
x-amz-date:20210611T073924Z
x-amz-security-token:[removed]
x-amz-target:AmazonSSM.StartSession

content-type;host;x-amz-date;x-amz-security-token;x-amz-target
f079276a5befeb78b7ec122fdbf1d6ffa4f34baac7926520fd8f222d3b461724
2021-06-11 09:39:24,081 - MainThread - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20210611T073924Z
20210611/eu-central-1/ssm/aws4_request
59e63d91428728ac2d943df17eacd5813d8926b622214db2fca8c685ed06ba60
2021-06-11 09:39:24,081 - MainThread - botocore.auth - DEBUG - Signature:
e777dcfe08b09643af02345b2ae8499c079feeab78e3bc287291a49115344d3c
2021-06-11 09:39:24,082 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=POST, url=https://ssm.eu-central-1.amazonaws.com/, headers={'X-Amz-Target': b'AmazonSSM.StartSession', 'Content-Type': b'application/x-amz-json-1.1', 'User-Agent': b'aws-cli/2.0.61 Python/3.7.4 Darwin/20.5.0 exe/x86_64 command/ssm.start-session', 'X-Amz-Date': b'20210611T073924Z', 'X-Amz-Security-Token': b'[removed]', 'Authorization': b'AWS4-HMAC-SHA256 Credential=ASIAWGJ45XZ4ABE5JLAS/20210611/eu-central-1/ssm/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=e777dcfe08b09643af02345b2ae8499c079feeab78e3bc287291a49115344d3c', 'Content-Length': '33'}>
2021-06-11 09:39:24,082 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): ssm.eu-central-1.amazonaws.com:443
2021-06-11 09:39:24,265 - MainThread - urllib3.connectionpool - DEBUG - https://ssm.eu-central-1.amazonaws.com:443 "POST / HTTP/1.1" 200 709
2021-06-11 09:39:24,265 - MainThread - botocore.parsers - DEBUG - Response headers: {'Server': 'Server', 'Date': 'Fri, 11 Jun 2021 07:39:24 GMT', 'Content-Type': 'application/x-amz-json-1.1', 'Content-Length': '709', 'Connection': 'keep-alive', 'x-amzn-RequestId': '0f2f95cc-5bff-4f13-b787-7e74b0ccdfb4'}
2021-06-11 09:39:24,266 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"SessionId":"botocore-session-1623395335-02005be411911dee8","StreamUrl":"wss://ssmmessages.eu-central-1.amazonaws.com/v1/data-channel/botocore-session-1623395335-02005be411911dee8?role=publish_subscribe","TokenValue":"AAEAAYTRawIEEiBMt1E8pxidhFV94kZiUMRr18tDEcnRIlRcAAAAAGDDEyz1RaAGAxztDpsdE1P+hhuUqv4MlRa3wwCNxewi5YeL5RY+anAjjMOiReb29dI0oMfjHLn7hNlmN4AcweRu6Pcdi3UozHZc8FA3jNT+PxsWzIAwLcG7wBDWE6Zl+ryeX3p6KQNb9pgYG7lkubL8LVeIeVxdQz1ND5IdchD4KTSuO4gggqN9Q1Pi3Cts+n9qIkjC5jnFqghZhHhzvtEGxromqJGQ9sm4esHqVqXGG2Y0J0AP3eupjm4jD7o15duvuyxDzY9CAUsWVymEqvTbm4K+pCVhfN0SKXYYxxUHfmClKaTdXZfgZ8trnQ7gaaLVGTFsmLRo3atPvuR4CxbmyfrP7+qpVm+W7uLnjaaxlGrNJfu9BxaRq3yubxRM3VJM7Q6pr5xXsJFnec2xkZGfhhIKhqouWrQvdDDmQkRFObSHWA=="}'
2021-06-11 09:39:24,266 - MainThread - botocore.hooks - DEBUG - Event needs-retry.ssm.StartSession: calling handler <bound method RetryHandler.needs_retry of <botocore.retries.standard.RetryHandler object at 0x7f8ab8196650>>
2021-06-11 09:39:24,266 - MainThread - botocore.retries.standard - DEBUG - Not retrying request.
2021-06-11 09:39:24,266 - MainThread - botocore.hooks - DEBUG - Event after-call.ssm.StartSession: calling handler <bound method RetryQuotaChecker.release_retry_quota of <botocore.retries.standard.RetryQuotaChecker object at 0x7f8ab81960d0>>

Starting session with SessionId: botocore-session-1623395335-02005be411911dee8

SessionId: botocore-session-1623395335-02005be411911dee8 :
----------ERROR-------
Encountered error while initiating handshake. KMSEncryption failed on client with status 2 error: Failed to process action KMSEncryption: error while creating new KMS service, Error creating new aws sdk session AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.

@daknhh daknhh added the needs-triage This issue or PR still needs to be triaged. label Jun 11, 2021
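
A pre-flight check for the condition reported above, as an added example that is not code from the AWS CLI or from anyone in this thread: it scans shared-config text for profiles that assume a role with `mfa_serial` set, directly or through a `source_profile` chain. The sample config, profile names and account IDs are constructed, and treating a chained hop as affected is an assumption.

```python
import configparser

# Constructed sample of ~/.aws/config; names and account IDs are placeholders.
SAMPLE_CONFIG = """
[profile base]
region = eu-central-1

[profile admin-mfa]
role_arn = arn:aws:iam::111111111111:role/Admin
source_profile = base
mfa_serial = arn:aws:iam::111111111111:mfa/alice

[profile chained]
role_arn = arn:aws:iam::222222222222:role/Ops
source_profile = admin-mfa

[profile plain-role]
role_arn = arn:aws:iam::111111111111:role/ReadOnly
source_profile = base
"""


def load_profiles(text):
    """Map profile name -> settings, ignoring non-profile sections."""
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    profiles = {}
    for section in parser.sections():
        if section == "default":
            profiles[section] = dict(parser.items(section))
        elif section.startswith("profile "):
            profiles[section[len("profile "):].strip()] = dict(parser.items(section))
    return profiles


def mfa_hop(profiles, name):
    """First profile in the source_profile chain that assumes a role with
    mfa_serial set, or None when no hop needs an MFA token."""
    seen = set()
    while name in profiles and name not in seen:  # 'seen' guards against cycles
        seen.add(name)
        settings = profiles[name]
        if "role_arn" in settings and "mfa_serial" in settings:
            return name
        name = settings.get("source_profile")
    return None


def profiles_needing_mfa(text):
    """Map each affected profile to the hop that requires the MFA token."""
    profiles = load_profiles(text)
    hops = {name: mfa_hop(profiles, name) for name in profiles}
    return {name: hop for name, hop in hops.items() if hop}
```

Pass the contents of the real `~/.aws/config` to `profiles_needing_mfa` to list the profiles to check before running `aws ssm start-session --profile ...`.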
@kirnberger1980

We are also facing the issue. Please fix it.

Author

daknhh commented Jun 11, 2021

Workaround - use awsume before invoking aws ssm start-session ;)


goyertp commented Jun 11, 2021

Same issue here.
Workaround: awsume solves this problem.

@kdaily kdaily added customization Issues related to CLI customizations (located in /awscli/customizations) feature-request A feature should be added or improved. ssm and removed needs-triage This issue or PR still needs to be triaged. labels Jun 14, 2021
Member

kdaily commented Jun 14, 2021

Hi @daknhh,

Thanks for the report. I'll look into it some more, but it looks like this is not currently supported by the CLI customization for the Session Manager.

Author

daknhh commented Jun 15, 2021

Hi @kdaily - thanks for taking care of it. I hope this feature will be released soon.

@tim-finnigan tim-finnigan added the p3 This is a minor priority issue label Nov 4, 2022