Allow session tokens when MFA set in profile or source_profile

dgholz · Mar 8, 2023 · bc801b6 · bc801b6
1 parent e59d29b
commit bc801b6
Showing 1 changed file with 2 additions and 10 deletions.
diff --git a/vault/vault.go b/vault/vault.go
@@ -309,16 +309,8 @@ func (t *tempCredsCreator) canUseGetSessionToken(c *ProfileConfig) (bool, string
 	}
 
 	if c.IsChained() {
-		if !c.ChainedFromProfile.HasMfaSerial() {
-			return false, fmt.Sprintf("profile '%s' has no MFA serial defined", c.ChainedFromProfile.ProfileName)
-		}
-
-		if !c.HasMfaSerial() && c.ChainedFromProfile.HasMfaSerial() {
-			return false, fmt.Sprintf("profile '%s' has no MFA serial defined", c.ProfileName)
-		}
-
-		if c.ChainedFromProfile.MfaSerial != c.MfaSerial {
-			return false, fmt.Sprintf("MFA serial doesn't match profile '%s'", c.ChainedFromProfile.ProfileName)
+		if !c.HasMfaSerial() && !c.ChainedFromProfile.HasMfaSerial() {
+			return false, fmt.Sprintf("no MFA serial defined in profile %s or source profile %s", c.ChainedFromProfile.ProfileName, c.ProfileName)
 		}
 
 		if c.ChainedFromProfile.AssumeRoleDuration > roleChainingMaximumDuration {