On , I learnt ...

How to use AWS profiles that require MFA

If you have an AWS organisation and several child AWS accounts that you can assume-role into, you can work around MFA restrictions on the trust relationship using a mfa_serial setting in ~/.aws/config.

Example config:

[profile parent]
# Account ID 111111111111
region = eu-west-2

[profile child-account1]
# Account ID 222222222222
role_arn = arn:aws:iam::222222222222:role/OrganizationAccountAccessRole
mfa_serial = arn:aws:iam::111111111111:mfa/david.winterbottom
region = eu-west-1
source_profile = parent 

[profile child-account2]
# Account ID 333333333333
role_arn = arn:aws:iam::333333333333:role/OrganizationAccountAccessRole
mfa_serial = arn:aws:iam::111111111111:mfa/david.winterbottom
region = eu-west-1
source_profile = parent 

Then you can make aws CLI calls into the child accounts and you’ll be prompted to enter your MFA code from your parent account IAM user.

$ aws --profile=child-account1 ec2 describe-instances
Enter MFA code for arn:aws:iam::111111111111:mfa/david.winterbottom:
{ 
    ...
}

You can find your mfa_serial string in the IAM dashboard.

More info: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-configure-role-mfa