Add error handling if neither TokenCode nor TokenProvider are set

aws/credentials/stscreds/assume_role_provider.go

@@ -174,18 +174,20 @@ func (p *AssumeRoleProvider) Retrieve() (credentials.Value, error) {
 		if p.TokenCode != nil {
 			input.SerialNumber = p.SerialNumber
 			input.TokenCode = p.TokenCode
-		} else {
+		} else if p.TokenProvider != nil {
 			input.SerialNumber = p.SerialNumber
-			provider := p.TokenProvider
-			code, err := provider()
+			code, err := p.TokenProvider()
 			if err != nil {
 				return credentials.Value{ProviderName: ProviderName}, err
 			}
 			input.TokenCode = aws.String(code)
+		} else {
+			return credentials.Value{ProviderName: ProviderName},
+				fmt.Errorf("assume role with MFA enabled, but neither TokenCode nor TokenProvider are set.")
 		}
 	}
-	roleOutput, err := p.Client.AssumeRole(input)
 
+	roleOutput, err := p.Client.AssumeRole(input)
 	if err != nil {
 		return credentials.Value{ProviderName: ProviderName}, err
 	}

aws/credentials/stscreds/assume_role_provider_test.go

@@ -114,6 +114,26 @@ func TestAssumeRoleProvider_WithTokenProviderError(t *testing.T) {
 	assert.Empty(t, creds.SessionToken)
 }
 
+func TestAssumeRoleProvider_MFAWithNoToken(t *testing.T) {
+	stub := &stubSTS{
+		TestInput: func(in *sts.AssumeRoleInput) {
+			assert.Fail(t, "API request should not of been called")
+		},
+	}
+	p := &AssumeRoleProvider{
+		Client:       stub,
+		RoleARN:      "roleARN",
+		SerialNumber: aws.String("0123456789"),
+	}
+
+	creds, err := p.Retrieve()
+	assert.Error(t, err)
+
+	assert.Empty(t, creds.AccessKeyID)
+	assert.Empty(t, creds.SecretAccessKey)
+	assert.Empty(t, creds.SessionToken)
+}
+
 func BenchmarkAssumeRoleProvider(b *testing.B) {
 	stub := &stubSTS{}
 	p := &AssumeRoleProvider{