diff --git a/cli/exec.go b/cli/exec.go
index 0e354e770..4882f510c 100644
--- a/cli/exec.go
+++ b/cli/exec.go
@@ -172,7 +172,7 @@ func ExecCommand(input ExecCommandInput, f *vault.ConfigFile, keyring keyring.Ke
 return 0, fmt.Errorf("Error loading config: %w", err)
 }
 
- credsProvider, err := vault.NewTempCredentialsProvider(config, &vault.CredentialKeyring{Keyring: keyring}, !input.NoSession)
+ credsProvider, err := vault.NewTempCredentialsProvider(config, &vault.CredentialKeyring{Keyring: keyring}, input.NoSession)
 if err != nil {
 return 0, fmt.Errorf("Error getting temporary credentials: %w", err)
 }
diff --git a/cli/export.go b/cli/export.go
index 2f31ef445..9cbf5a298 100644
--- a/cli/export.go
+++ b/cli/export.go
@@ -96,7 +96,7 @@ func ExportCommand(input ExportCommandInput, f *vault.ConfigFile, keyring keyrin
 }
 
 ckr := &vault.CredentialKeyring{Keyring: keyring}
- credsProvider, err := vault.NewTempCredentialsProvider(config, ckr, !input.NoSession)
+ credsProvider, err := vault.NewTempCredentialsProvider(config, ckr, input.NoSession)
 if err != nil {
 return fmt.Errorf("Error getting temporary credentials: %w", err)
 }
diff --git a/cli/login.go b/cli/login.go
index a9006ca6e..3447f4a9e 100644
--- a/cli/login.go
+++ b/cli/login.go
@@ -106,7 +106,7 @@ func LoginCommand(input LoginCommandInput, f *vault.ConfigFile, keyring keyring.
 ckr := &vault.CredentialKeyring{Keyring: keyring}
 if config.HasRole() || config.HasSSOStartURL() || config.HasCredentialProcess() || config.HasWebIdentity() {
 // If AssumeRole or sso.GetRoleCredentials isn't used, GetFederationToken has to be used for IAM credentials
- credsProvider, err = vault.NewTempCredentialsProvider(config, ckr, !input.NoSession)
+ credsProvider, err = vault.NewTempCredentialsProvider(config, ckr, input.NoSession)
 } else {
 credsProvider, err = vault.NewFederationTokenCredentialsProvider(context.TODO(), input.ProfileName, ckr, config)
 }
diff --git a/cli/rotate.go b/cli/rotate.go
index bf2384fca..cf6cc5c60 100644
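Review bot: Inverting the meaning of the third argument to `vault.NewTempCredentialsProvider` from `useSession` to `disableSessions` is invisible to the compiler, because the parameter stays a plain `bool`; a call site this commit does not touch would keep building and silently get the opposite session behaviour from what it asked for. The same flip is made in the export.go and login.go hunks and in rotate.go, so it is worth confirming with a repository-wide search that no other caller of `NewTempCredentialsProvider` remains. A distinct named type for the flag (with named constants) would make any stale caller fail to build, though that is beyond this commit. ExecCommand's body continues outside the hunk.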
--- a/cli/rotate.go
+++ b/cli/rotate.go
@@ -51,7 +51,6 @@ func ConfigureRotateCommand(app *kingpin.Application, a *AwsVault) {
 }
 
 func RotateCommand(input RotateCommandInput, f *vault.ConfigFile, keyring keyring.Keyring) error {
- // Can't disable sessions completely, might need to use session for MFA-Protected API Access
 vault.UseSessionCache = false
 
 configLoader := vault.NewConfigLoader(input.Config, f, input.ProfileName)
@@ -87,7 +86,8 @@ func RotateCommand(input RotateCommandInput, f *vault.ConfigFile, keyring keyrin
 if input.NoSession {
 credsProvider = vault.NewMasterCredentialsProvider(ckr, config.ProfileName)
 } else {
- credsProvider, err = vault.NewTempCredentialsProvider(config, ckr, !input.NoSession)
+ // Can't always disable sessions completely, might need to use session for MFA-Protected API Access
+ credsProvider, err = vault.NewTempCredentialsProvider(config, ckr, input.NoSession)
 if err != nil {
 return fmt.Errorf("Error getting temporary credentials: %w", err)
 }
diff --git a/vault/vault.go b/vault/vault.go
index 1f9ff7722..c7f58f734 100644
--- a/vault/vault.go
+++ b/vault/vault.go
@@ -230,9 +230,9 @@ func FindMasterCredentialsNameFor(profileName string, keyring *CredentialKeyring
 }
 
 type tempCredsCreator struct {
- // UseSession will disable the use of GetSessionToken when set to false
- UseSession bool
- Keyring *CredentialKeyring
+ // DisableSessions will disable the use of GetSessionToken when set to true
+ DisableSessions bool
+ Keyring *CredentialKeyring
 
 chainedMfa string
 }
@@ -303,7 +303,7 @@ func (t *tempCredsCreator) GetProviderForProfile(config *ProfileConfig) (aws.Cre
 // canUseGetSessionToken determines if GetSessionToken should be used, and if not returns a reason
 func (t *tempCredsCreator) canUseGetSessionToken(c *ProfileConfig) (bool, string) {
- if !t.UseSession {
+ if t.DisableSessions {
 return false, "sessions are disabled"
 }
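Review bot: In the `else` branch of `if input.NoSession`, `input.NoSession` is necessarily false, so the new call in the second rotate.go hunk passes a constant for `disableSessions` while reading as if it were a live flag; the literal states the intent directly: `credsProvider, err = vault.NewTempCredentialsProvider(config, ckr, false)`. The comment moved here from the top of RotateCommand then sits next to the value it justifies, which is what it appears meant to do. RotateCommand's body continues outside the hunk.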
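Review bot: Renaming `UseSession` to `DisableSessions` inverts the zero value of `tempCredsCreator`: a struct literal that does not set the field previously had GetSessionToken disabled and now has it enabled, so any construction other than the one in `NewTempCredentialsProvider` deserves a check. The field comment could record this, e.g. `// DisableSessions disables the use of GetSessionToken when true; the zero value leaves sessions enabled.` Whether other constructions of the struct exist is not visible from this hunk.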
@@ -339,10 +339,10 @@ func mfaDetails(mfaChained bool, config *ProfileConfig) string {
 }
 
 // NewTempCredentialsProvider creates a credential provider for the given config
-func NewTempCredentialsProvider(config *ProfileConfig, keyring *CredentialKeyring, useSession bool) (aws.CredentialsProvider, error) {
+func NewTempCredentialsProvider(config *ProfileConfig, keyring *CredentialKeyring, disableSessions bool) (aws.CredentialsProvider, error) {
 t := tempCredsCreator{
- Keyring: keyring,
- UseSession: useSession,
+ Keyring: keyring,
+ DisableSessions: disableSessions,
 }
 return t.GetProviderForProfile(config)
 }
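Review bot: The doc comment on `NewTempCredentialsProvider` still says nothing about the `disableSessions` parameter, whose polarity this commit reverses. Suggest `// NewTempCredentialsProvider creates a credential provider for the given config. When disableSessions is true, GetSessionToken is not used.` so a caller reading the godoc sees the new meaning without opening tempCredsCreator.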