If you are on a path of the one with the most accounts in their org wins you might have gotten tired running to the safe to fetch that key generating magismo, everytime you provision an account.

We decided that we didn't need the excercise, and fat & lazy is part of the BOFH role, so we hooked up a rather cute solution to the problem.

The main idea is to curl in HashiCorp Vault onto a t3.something-cheap and point its storage to an encrypted s3 bucket and stash those open-sesame! vault key bits in Secrets Manager.

Then you configure TOTP as a thing.

For everytime you hookup an account, once you've generated a password and signed into the account, add a virtual MFA device, and vault write its key into vault.

Whenever you need to login as root vault read the totp code.

We don't even keep the t3.something-cheap running, and don't care if it and its volume snuff's it, since the actual stash is in s3.

That way you can keep chair-butt disconnects to a bare minimum.