diff --git a/.env.example b/.env.example new file mode 100644 index 0000000..b7276df --- /dev/null +++ b/.env.example @@ -0,0 +1,5 @@ +{ + "MFA_IDENTIFIER": "ARN", + "S3_ROLE": "ARN", + "SESSION_TYPE": "" +} \ No newline at end of file diff --git a/.gitignore b/.gitignore index e1856fd..7351a59 100644 --- a/.gitignore +++ b/.gitignore @@ -7,8 +7,11 @@ __pycache__/ *.py[cod] # Local config / secrets .env +.env.json config.yaml secrets.json # Editor & OS files *.swp .DS_Store + +assume-role-output.txt \ No newline at end of file diff --git a/lab-3/LAB-REPORT.md b/lab-3/LAB-REPORT.md index c0d835a..f317c75 100644 --- a/lab-3/LAB-REPORT.md +++ b/lab-3/LAB-REPORT.md @@ -42,6 +42,7 @@ * MFA did not work out of the box after setting it in the s3 bucket policy. The ways I found you can configure MFA: * [stackoverflow](https://stackoverflow.com/questions/34795780/how-to-use-mfa-with-aws-cli) + * [official guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) * via cli roles * configuration via ~/.aws/credentials * 1Password CLI with AWS Plugin @@ -53,8 +54,6 @@ * I've seen a lot more recommendations (TBH it's more like 2 vs 0) for 1password for password credential setup. Wonder why? * other apps that handle this - * I did not look into this because I didn't want to install - yet another specialized CLI that I didn't understand - [ ] VPC - [ ] **Host a static site** @@ -100,14 +99,9 @@ graph LR IAMPolicy -- attaches to --> IAMIdentity ExplainIAMIdentity[users, groups of users, roles, AWS resources]:::aside ExplainIAMIdentity -.-> IAMIdentity - - classDef aside fill:#fffbe6,stroke:#bbb,stroke-dasharray: 5 5,stroke-width:2px; +classDef aside stroke-dasharray: 5 5, stroke-width:2px; ``` -## Problems encountered - - more carefully. Note to self: always double check. - ## End lab - [ ] On June 20, 2025, do the following: - [ ] Clean up diff --git a/mise.toml b/mise.toml index 4cc0b68..1edf5d8 100644 --- a/mise.toml +++ b/mise.toml 
@@ -1,5 +1,22 @@ +[tools] +aws-cli = 'latest' +bitwarden = 'latest' +jq = 'latest' +bw = 'latest' + +[env] +_.file = '.env.json' +BLAH = "{{ exec(command=\"bw get item $BW_AWS_ACCOUNT_SECRET_ID\") }}" + [tasks.ssh] run = "ssh -p 5679 vboxuser@127.0.0.1" [tasks.generate] -run = "./utilities/pdf_make/labs.sh" \ No newline at end of file +run = "./utilities/pdf_make/labs.sh" + +[tasks.setup-aws] +run = """ +export SECRETS_OBJECT=$(bw get item $BW_AWS_ACCOUNT_SECRET_ID) +export AWS_ACCESS_KEY_ID=$(echo "$SECRETS_OBJECT" | jq -r '.fields[0].value') +export AWS_SECRET_ACCESS_KEY=$(echo "$SECRETS_OBJECT" | jq '.fields[1].value') +""" \ No newline at end of file
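Review bot: the new `.env.example` holds a JSON object, but the file mise loads is `.env.json` (`_.file = '.env.json'` in mise.toml), so the template's name does not tell a reader what to copy it to; consider naming it `.env.json.example`. The template also omits `BW_AWS_ACCOUNT_SECRET_ID`, which both the `[env]` block and the `setup-aws` task read, so a checkout that follows the example would call `bw get item` with an empty id. The accepted values for `"SESSION_TYPE": ""` should be documented somewhere next to the template, since JSON itself cannot carry a comment.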
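Review bot: in the second lab-3/LAB-REPORT.md hunk (`@@ -53,8 +54,6 @@`), removing the two rationale lines leaves `* other apps that handle this` as a bullet with nothing under it. Either drop that bullet as well or keep a one-line reason why those tools were not explored, so the comparison with the 1Password entry above it still reads as complete.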
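Review bot: in `[tasks.setup-aws]`, the `AWS_SECRET_ACCESS_KEY` line calls `jq '.fields[1].value'` without `-r`, so the exported value keeps its surrounding JSON double quotes and will not match the real secret; use `jq -r` as the `AWS_ACCESS_KEY_ID` line does. The `export`s also run inside the task's own shell, so they are gone once the task exits; to make the keys available to later commands, have the task run the AWS command itself or source the values under `[env]`. `BLAH` in `[env]` places the whole Bitwarden item JSON, secret fields included, into the environment on every mise invocation and reads like leftover debugging, so it should be removed before merge. Selecting by `.fields[0]` and `.fields[1]` depends on field order in the vault item; selecting by field name would survive a reordering. Are `bitwarden` and `bw` under `[tools]` meant to be two different tools, or is one a duplicate?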