Mfa_code attribute doesn't work

I’m trying to use Packer with AssumeRoke configured with MFA.

  • PC: MacBook m2 Pro
  • OS: Sonoma 14.1.1
  • Packer version: 1.9.4

~/.aws/config

[profile base]
region = ap-northeast-1
output = json

[profile packer]
region = ap-northeast-1
output = json
role_arn = arn:aws:iam::999999999999:role/assumerole-admin
source_profile = base
mfa_serial = arn:aws:iam::999999999999:mfa/testuser
role_session_name = testuser
duration_seconds = 43200

~/.aws/credentials

[base]
aws_access_key_id=XXXXXXXXXXXXXXXXXXXX
aws_secret_access_key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

It works fine with AWS CLI.

$ aws s3 ls --profile packer
Enter MFA code for arn:aws:iam::999999999999:mfa/testuser:
2023-05-08 11:09:56 aaaaaaaa
2023-04-27 17:48:31 bbbbbbbb
2022-08-09 15:20:57 cccccccc

How ever, an error occurs in packer, probably bacause the mfa_code attribute isn’t effective.

sample.json

{
  "variables": {
    "mfa_code": "000000"
  },
  "builders": [{
    "type": "amazon-ebs",
    "region": "ap-northeast-1",
    "source_ami": "ami-xxxxxxxx",
    "instance_type": "t2.small",
    "ssh_username": "ec2-user",
    "ami_name": "role-example",
    "mfa_code": "{{user `mfa_code`}}",
    "profile": "packer"
  }],
 "provisioners": [{
    "type": "shell",
    "inline": [
      "sudo yum -y update",
      "sudo yum -y install nginx"
    ]
  }]
}

command

$ packer build -var 'mfa_code=123456' sample.json
amazon-ebs: output will be in this color.

Build 'amazon-ebs' errored after 852 microseconds: Error creating AWS session: AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.

==> Wait completed after 902 microseconds

==> Some builds didn't complete successfully and had errors:
--> amazon-ebs: Error creating AWS session: AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.

==> Builds finished but no artifacts were created.

This error occurs whether the mfa_code attribute is present or not, and whether the value of mfa_code is correct or incorrect.

How can I make the mfa_code attribute effective?