From 58018b85c366b2d0739d131531b0d02b110e00e0 Mon Sep 17 00:00:00 2001 From: stekern Date: Fri, 21 Apr 2023 09:09:19 +0200 Subject: [PATCH] Describe how to use mfa_process with YubiKey --- USAGE.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/USAGE.md b/USAGE.md index 8b55ba77c..4b81b0130 100644 --- a/USAGE.md +++ b/USAGE.md @@ -675,6 +675,17 @@ Using the `ykman` prompt driver, aws-vault will execute `ykman` to generate toke ```shell aws-vault exec --prompt ykman ${AWS_VAULT_PROFILE_USING_MFA} -- aws s3 ls ``` + +An alternative to manually supplying the prompt driver as a CLI argument to `aws-vault` is setting the [`mfa_process`](#mfa_process) parameter in your `.aws/config` for the profiles that should use a YubiKey to generate tokens. Example: + +(Note: Remember to swap out the name of the OATH account used in `mfa_process` below with the name you gave it during [YubiKey setup](#setup)) + +```ini +[profile jon] +mfa_serial = arn:aws:iam::123456789012:mfa/jonsmith +mfa_process = ykman oath accounts code --single arn:aws:iam::123456789012:mfa/jonsmith +``` + Further config: - `AWS_VAULT_PROMPT=ykman`: to avoid specifying `--prompt` each time - `YKMAN_OATH_CREDENTIAL_NAME`: to use an alternative ykman credential
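Review bot: The new paragraph is inserted between the `--prompt ykman` example and the existing "Further config:" list, so `AWS_VAULT_PROMPT=ykman` and `YKMAN_OATH_CREDENTIAL_NAME` now read as follow-up settings for the `mfa_process` example, even though that example's command line already names the OATH account explicitly. Consider moving the addition below the "Further config:" list, or adding a sentence that says which of those two variables still matter when `mfa_process` is set. Two smaller points in the same hunk: the parenthesised note sits between "Example:" and the code block it introduces, so it would read better placed before "Example:" or after the block, and `.aws/config` would be clearer written as `~/.aws/config`.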