AWS CLI not honoring MultiFactorAuthAge
So, I discovered the reason for this behavior:
As described in this Github Issue, AWS CLI treats any session within 15min as expired, refreshing the creds automatically (or asking for a new one-time passcode, in case of MFA).
So, setting the session duration for 15min (900s) is basically the same as getting a one-time credential.
I just tested setting the
930 (15min + 30s), and the session is indeed valid for 30 seconds.