Get an AWS token for the role. Return 403 on an initial request if the AWS role has multi-factor authentication enabled. Subsequent request must contain MFA as a query parameter. Return 403 if the user does not have the role.
Click Try It! to start a request and see the response here!