Reputation: 11523
My organisation uses a gateway account for which I have AWS credentials.
We also have our personal account; in order to access the personal account, users in the gateway account assume IAM roles (created in the personal account).
With this configuration I am trying to create a Terraform resource but somehow keep getting this error:
Error: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: xxxxxxx, api error AccessDenied: User: arn:aws:iam::xxxxxx:user/xx-xxxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxx2:role/xxxxxx
Here is the provider configuration I am trying.
provider "aws" {
  alias   = "mad"
  profile = "personal account"
  region  = "ap-south-1"
  assume_role {
    role_arn = "arn:aws:iam::xxxxxxx:role/personal account"
  }
}
Update: the role uses MFA too. The personal account has a trust relationship which allows the gateway account IAM user to assume the role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::gateway-account-id:user/user"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
Upvotes: 0
Views: 1343
Reputation: 238199
The user user/xx-xxxxxx which you use to run the TF script, and which is going to assume role role/xxxxxx, must have sts:AssumeRole.
You can add such permission to the user by adding the following inline policy to it:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::xxxxxxx2:role/xxxxxx"
      ]
    }
  ]
}
UPDATE
Also, for MFA you need to use the token option in your provider configuration, or use any of the workarounds provided in the TF GitHub issue.
Upvotes: 1
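As an added example, not part of the question or answer above: an offline model of the two checks the answer describes for a cross-account sts:AssumeRole. The caller's identity policy must allow sts:AssumeRole on the role, and the role's trust policy must list the caller as a principal with its MFA condition satisfied; either one missing yields the AccessDenied from the question. The account ids and ARNs are constructed stand-ins for the redacted ones, and only the Bool condition operator is modelled.

```python
import fnmatch

# Constructed ARNs standing in for the redacted ones in the question.
USER_ARN = "arn:aws:iam::111111111111:user/gateway-user"
ROLE_ARN = "arn:aws:iam::222222222222:role/personal-account"

def _match(pattern, value):
    """IAM-style wildcard match; Action/Resource/Principal may be str or list."""
    patterns = [pattern] if isinstance(pattern, str) else pattern
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _conditions_met(cond, ctx):
    """Only the Bool operator is modelled: it is all the trust policy uses."""
    return all(str(ctx.get(k, "false")).lower() == str(v).lower()
               for k, v in cond.get("Bool", {}).items())

def _evaluate(policy, action, target, target_of, ctx):
    """Return 'Allow', 'Deny' or None (implicit deny) for one policy document."""
    decision = None
    for st in policy["Statement"]:
        if not (_match(st["Action"], action) and _match(target_of(st), target)
                and _conditions_met(st.get("Condition", {}), ctx)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision

def can_assume_role(user_policy, trust_policy, user_arn, role_arn, mfa_present):
    """Both sides must allow; report which side blocks the call otherwise."""
    ctx = {"aws:MultiFactorAuthPresent": "true" if mfa_present else "false"}
    if _evaluate(user_policy, "sts:AssumeRole", role_arn,
                 lambda st: st.get("Resource", []), ctx) != "Allow":
        return False, "identity policy: user is not allowed sts:AssumeRole on the role"
    if _evaluate(trust_policy, "sts:AssumeRole", user_arn,
                 lambda st: st.get("Principal", {}).get("AWS", []), ctx) != "Allow":
        return False, "trust policy: role does not trust this caller or MFA is absent"
    return True, "allowed"

# The question's trust policy and the answer's inline policy, with constructed ARNs.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": USER_ARN}, "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
USER_POLICY_BEFORE = {"Version": "2012-10-17", "Statement": []}  # nothing attached yet
USER_POLICY_AFTER = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": [ROLE_ARN]}]}
```

Running can_assume_role with USER_POLICY_BEFORE reproduces the denial on the identity side; with USER_POLICY_AFTER it still fails unless the session carries MFA, which is what the answer's update about the token option addresses.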