Leverage Session Tokens before calling AssumeRole
mmmorris1975 opened this issue · 0 comments
The way the authentication workflow works now (for aws-runas, as well as using --profile for the awscli) is that the profile name is passed in during session creation, which triggers all sorts of internal SDK logic about which "base" credentials to use, as well as the MFA token info for the AssumeRole call. That's all well and good; it hides some of the complexities of config file parsing in our program, with the side effect that we have to redo the MFA steps after the AssumeRole creds expire (max 1 hour).
Some testing with awscli seems to indicate that you can call GetSessionToken, supplying the necessary MFA credentials, and the returned set of credentials (which can last up to 36 hours!) can be used to call AssumeRole, and handle any MFA token requirements for the AssumeRole call.
I would envision the change for this program being that the "profile" command line arg is no longer used directly as part of the session object setup, but is looked up in the .aws/config file for the `source_profile` and `role_arn` values. From there, it would look up the `mfa_serial` in the given `source_profile` section to call GetSessionToken with the required MFA parameters (the `mfa_serial` property in the AssumeRole profiles is no longer necessary). Then call AssumeRole to run the provided command using the AssumeRole creds, or print the AssumeRole creds as env vars. (The caveat being that the AssumeRole creds are still only valid for a max of 1 hour, but can be refreshed using the SessionToken credentials without needing to re-enter the MFA token.)