https://github.com/broamski/aws-mfa
    The concept behind aws-mfa is that there are 2 types of credentials:
        long-term - Your typcial AWS access keys, consisting of an
            AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
        short-term - A temporary set of credentials that are generated by AWS STS using your long-term credentials
            in combination with your MFA device serial number
            (either a hardware device serial number or virtual device ARN) and one time token code.
            Your short term credentials are the credentials that are actively utilized by the AWS SDK in use.

need to read
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html
    
ERROR - An error occured while calling assume role: An error occurred (InvalidClientTokenId) when calling the AssumeRole operation:
    The security token included in the request is invalid.

2021
https://bobbyhadz.com/blog/aws-cli-security-token-included-request-invalid
  1. Check the security credentials validity in IAM console (https://us-east-1.console.aws.amazon.com)
     https://us-east-1.console.aws.amazon.com/iam/home#/security_credentials

  ???
     ~/.aws/credentials
     check [default-development] profile
  https://aws.amazon.com/premiumsupport/knowledge-center/sts-iam-token-expired/
     !!! need to read