Open
Labels
op-cli: Functionality to be implemented in 1Password CLI. Needs to be done by 1Password Developers.
Description
op CLI version
2.32.0
Goal or desired behavior
Use the shell plugin with MFA but with a 3rd party TOTP provider (e.g. YubiKey).
Not being locked into 1Password as OTP provider.
Current behavior
It is not possible to issue OTP from within an external hardware token using 1Password.
This is also referenced in the official 1Password forums; it seemingly was possible in the past:
https://www.1password.community/discussions/developers/aws-cli-plugin-is-not-supporting-external-otp-anymore/97110
The source code explicitly mentions this behavior as well:
shell-plugins/plugins/aws/sts_provisioner.go, line 232 in 49810df:
// only 1Password OTPs are supported
Relevant log output
user@mac ~ % aws s3 ls
[ERROR] 2025/12/16 09:02:43 could not run plugin AWS CLI: failed to provision credentials, encountered error(s):
MFA failed: MFA serial "arn:aws:iam::111122223333:mfa/user" was detected on the associated item or in the config file for the selected profile, but no 'One-Time Password' field was found.
Learn how to add an OTP field to your item:
https://developer.1password.com/docs/cli/shell-plugins/aws/#optional-set-up-multi-factor-authentication