@joelthompson
Last active May 7, 2022 21:13
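#!/bin/bash
# Exchange the caller's long-term IAM user credentials for temporary,
# MFA-authenticated STS session credentials and export them.
#
# Usage:    source this file (". <this-file>") so the exports reach the calling
#           shell; when run as a child process the exports are lost on exit.
# Requires: the aws CLI, able to authenticate as the IAM user.
# Exports:  AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN,
#           AWS_SECURITY_TOKEN
# Leaves MFA_ARN, MFA_CODE and CREDS set (unexported) in a sourcing shell.
#
# On any failure the existing AWS_* variables are left untouched, so a mistyped
# code cannot replace working credentials with empty strings.

# Derive the MFA serial number from the caller's own ARN.
# NOTE(review): assumes the MFA device ARN is the user ARN with ":user/"
# swapped for ":mfa/" (a virtual device named after the user) - confirm for
# hardware devices or differently named devices.
MFA_ARN=$(aws sts get-caller-identity --query "Arn" --output text | sed -e "s#:user/#:mfa/#")
if [[ -z "$MFA_ARN" ]]; then
  echo "Could not determine the caller ARN; credentials left unchanged." >&2
  # 'return' works when sourced; fall back to 'exit' when executed directly.
  return 1 2>/dev/null || exit 1
fi

# -r keeps backslashes literal instead of treating them as escapes.
read -r -p "Enter MFA Code: " MFA_CODE

# Text output is one whitespace-separated record; the indices used below are
# 1 = access key id, 2 = expiration, 3 = secret access key, 4 = session token.
read -r -a CREDS <<< "$(aws sts get-session-token --serial-number "$MFA_ARN" --token-code "$MFA_CODE" --output text)"

# A failed call yields too few fields; stop before exporting anything.
if (( ${#CREDS[@]} < 5 )); then
  echo "aws sts get-session-token failed; credentials left unchanged." >&2
  return 1 2>/dev/null || exit 1
fi

export AWS_ACCESS_KEY_ID="${CREDS[1]}"
export AWS_SECRET_ACCESS_KEY="${CREDS[3]}"
# The same token is exported under both names, as in the original script
# (presumably so tools that read the older AWS_SECURITY_TOKEN keep working).
export AWS_SECURITY_TOKEN="${CREDS[4]}"
export AWS_SESSION_TOKEN="${CREDS[4]}"
# Only the expiration is printed; the key material is never echoed.
echo "Credentials expiration: ${CREDS[2]}"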
# Appears to be an example AWS shared-credentials file with one profile per
# account; every value below is a placeholder, not a usable key.
# A real file of this shape holds long-term access keys in plaintext, so keep
# it readable only by its owner and out of version control.
[account1]
aws_access_key_id = AKIAblahblahblah
aws_secret_access_key = some_secret_keyy
[account2]
aws_access_key_id = AKIAblahblahblah2
aws_secret_access_key = some_other_secret_key
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllMfa",
"Effect": "Allow",
"Action": "*",
"Resource": [
"*"
],
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "DenyAllNonMfa",
"Effect": "Deny",
"Action": "*",
"Resource": [
"*"
],
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}