Docs: Research aws-vault usage with instructions for MFA for IAM roles stuff.

[ryan-roemer]

Things like:

$ STAGE=sandbox aws-vault exec <superadmin-user> -- yarn tf:service:apply

Will hit errors like:

14 errors occurred:
	* module.serverless_vpc.aws_iam_policy.developer: 1 error occurred:
	* aws_iam_policy.developer: Error creating IAM policy tf-simple-reference-sandbox-developer-vpc: InvalidClientTokenId: The security token included in the request is invalid
	status code: 403, request id: 2ba766b9-356d-41cb-bc8e-fe5445760c6e

... similar stuff ...

If they are creating/deleting IAM roles from normal aws-vault usage.--no-session gets around this, but underlying issues:

• InvalidClientTokenId error when creating IAM role with vault credentials and terraform 99designs/aws-vault#266
• Credentials not good enough for IAM operations 99designs/aws-vault#455

Task

• Come up with way for MFA to work as normal.
• Document how to apply this for the IAM (or all) commands

[andyrichardson]

Related - #33 (comment)

Official documentation - https://github.com/99designs/aws-vault/blob/master/USAGE.md#not-using-session-credentials

Reading through the usage documentation, I think --no-session is the best option.

[stevenmusumeche]

• the profiles you created with aws-vault are listed with empty config in ~/.aws/config

• under the appropriate profile(s), you can add:

  mfa_serial = arn:aws:iam::ACCOUNTID:mfa/USERNAME

  (for example, mfa_serial = arn:aws:iam::819013376994:mfa/steven.musumeche)

• then, when you execute an aws-vault command, it will prompt for your MFA code first