From bc801b670dbbfe36f8f0d6887d2394d209f5ba75 Mon Sep 17 00:00:00 2001
From: Daniel George Holz
Date: Wed, 8 Mar 2023 12:12:14 +0000
Subject: [PATCH] Allow session tokens when MFA set in profile or source_profile
---
 vault/vault.go | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/vault/vault.go b/vault/vault.go
index e30843d5f..4f3888120 100644
--- a/vault/vault.go
+++ b/vault/vault.go
@@ -309,16 +309,8 @@ func (t *tempCredsCreator) canUseGetSessionToken(c *ProfileConfig) (bool, string
 }
 
 if c.IsChained() {
- if !c.ChainedFromProfile.HasMfaSerial() {
- return false, fmt.Sprintf("profile '%s' has no MFA serial defined", c.ChainedFromProfile.ProfileName)
- }
-
- if !c.HasMfaSerial() && c.ChainedFromProfile.HasMfaSerial() {
- return false, fmt.Sprintf("profile '%s' has no MFA serial defined", c.ProfileName)
- }
-
- if c.ChainedFromProfile.MfaSerial != c.MfaSerial {
- return false, fmt.Sprintf("MFA serial doesn't match profile '%s'", c.ChainedFromProfile.ProfileName)
+ if !c.HasMfaSerial() && !c.ChainedFromProfile.HasMfaSerial() {
+ return false, fmt.Sprintf("no MFA serial defined in profile %s or source profile %s", c.ChainedFromProfile.ProfileName, c.ProfileName)
 }
 
 if c.ChainedFromProfile.AssumeRoleDuration > roleChainingMaximumDuration {
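Review bot: The new guard in the `c.IsChained()` branch no longer rejects the case where both profiles define an MFA serial but the two differ, so a session token minted with one device can now be used for a role whose profile names another. Which serial the GetSessionToken call actually uses is not visible in this hunk, so if the mismatch is meant to be tolerated that choice should be documented; otherwise keep the relaxed rule but retain the comparison when both are set, e.g. `if c.HasMfaSerial() && c.ChainedFromProfile.HasMfaSerial() && c.ChainedFromProfile.MfaSerial != c.MfaSerial { return false, fmt.Sprintf("MFA serial doesn't match profile '%s'", c.ChainedFromProfile.ProfileName) }`. Separately, the arguments of the new message look swapped: `ChainedFromProfile` appears to be the source profile, yet its name fills the "profile %s" slot, so the order should be `c.ProfileName, c.ChainedFromProfile.ProfileName`. The body of `canUseGetSessionToken` starts and continues outside the hunk, so later checks may already cover part of this.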