Ability to assume a second/final role when using AWS Identity Center
danwashusen opened this issue · comments
We'd like to be able to assume a second role in an organisation target account, after aws-vault assumes credentials for the SSO user.
AWS recently added the concept of 'managed policies' which addresses a bunch of annoyances with managing permissions in Identity Center (https://aws.amazon.com/blogs/security/how-to-use-customer-managed-policies-in-aws-single-sign-on-for-advanced-use-cases/).
Background
Assuming the following config:
[profile Administrator-123456789012]
sso_start_url=https://aws-sso-portal.awsapps.com/start
sso_region=eu-west-1
sso_account_id=123456789012
sso_role_name=Administrator
When I invoke aws-vault
I end up with the very annoyingly named caller identity, something like:
$ aws-vault exec Administrator-123456789012 -- aws sts get-caller-identity
arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_Administrator_4984729384579234759/userid
With those credentials I'm able to assume another role in the target account:
$ aws-vault exec Administrator-123456789012 -- aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/some-other-role" --role-session-name testing
Requested Feature
We'd like the ability to do this in one step with aws-vault. For example, using the following config (which doesn't work):
[profile Administrator-123456789012-some-other-role]
sso_start_url=https://aws-sso-portal.awsapps.com/start
sso_region=eu-west-1
sso_account_id=123456789012
sso_role_name=Administrator
role_arn = "arn:aws:iam::123456789012:role/some-other-role" # <-- second/final role to assume after SSO login
Ignore that, I missed the obvious:
[profile Administrator-123456789012]
sso_start_url=https://aws-sso-portal.awsapps.com/start
sso_region=eu-west-1
sso_account_id=123456789012
sso_role_name=Administrator
[profile Administrator-123456789012-some-other-role]
source_profile = Administrator-123456789012
role_arn = "arn:aws:iam::123456789012:role/some-other-role"
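The working layout above relies on profile chaining: the target profile names a `source_profile` that carries the SSO fields, and the credential resolver walks that chain back to the SSO login before issuing the `sts:AssumeRole`. The following added example (not part of the issue, and not aws-vault's or the AWS CLI's own code) shows how such a resolver walks an `~/.aws/config` file: it returns the ordered credential steps for a profile, refuses a `role_arn` that has no `source_profile` (the combination the issue reports as not working), and catches `source_profile` cycles. The config text is constructed for the example and mirrors the issue's final configuration; the `loop-a`/`loop-b` profiles are hypothetical, added only to exercise the cycle check.

```python
import configparser

# Constructed sample ~/.aws/config for this example. The first two profiles mirror
# the issue's working layout; loop-a/loop-b are hypothetical and exist only to
# show how a source_profile cycle is rejected.
SAMPLE_CONFIG = """
[profile Administrator-123456789012]
sso_start_url=https://aws-sso-portal.awsapps.com/start
sso_region=eu-west-1
sso_account_id=123456789012
sso_role_name=Administrator

[profile Administrator-123456789012-some-other-role]
source_profile = Administrator-123456789012
role_arn = arn:aws:iam::123456789012:role/some-other-role

[profile broken-sso-plus-role]
sso_start_url=https://aws-sso-portal.awsapps.com/start
sso_region=eu-west-1
sso_account_id=123456789012
sso_role_name=Administrator
role_arn = arn:aws:iam::123456789012:role/some-other-role

[profile loop-a]
source_profile = loop-b
role_arn = arn:aws:iam::123456789012:role/a

[profile loop-b]
source_profile = loop-a
role_arn = arn:aws:iam::123456789012:role/b
"""


def load_profiles(text):
    """Parse AWS-config style INI text into {profile_name: {key: value}}.

    The CLI config file prefixes sections with 'profile ' (except [default]);
    that prefix is stripped so lookups use the bare profile name.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    profiles = {}
    for section in cp.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(cp[section])
    return profiles


def resolve_chain(profiles, name):
    """Return the credential steps needed for `name`, root first.

    Each step is a (kind, detail) tuple. The root is either an SSO login or
    static credentials; every profile above it contributes one assume-role
    step. Raises ValueError for a role_arn with no source_profile and for a
    source_profile cycle, and KeyError for an unknown profile.
    """
    steps = []
    seen = set()
    current = name
    while True:
        if current in seen:
            raise ValueError(f"source_profile cycle detected at profile {current!r}")
        seen.add(current)
        profile = profiles.get(current)
        if profile is None:
            raise KeyError(f"unknown profile {current!r}")

        if "source_profile" in profile:
            # A chained profile must say which role to assume with the parent's creds.
            if "role_arn" not in profile:
                raise ValueError(f"profile {current!r} has source_profile but no role_arn")
            steps.append(("assume-role", profile["role_arn"]))
            current = profile["source_profile"]
            continue

        if "role_arn" in profile:
            # This is the layout the issue reports as not working: role_arn on the
            # SSO profile itself, with nothing naming the credentials to assume from.
            raise ValueError(f"profile {current!r} sets role_arn without source_profile")

        if "sso_start_url" in profile:
            steps.append(("sso-login", f"{profile['sso_account_id']}/{profile['sso_role_name']}"))
        else:
            steps.append(("static-credentials", current))
        break

    steps.reverse()  # walked from target to root; present root first
    return steps


if __name__ == "__main__":
    profiles = load_profiles(SAMPLE_CONFIG)
    for step in resolve_chain(profiles, "Administrator-123456789012-some-other-role"):
        print(*step)
```

Two details worth keeping in mind when relying on this chaining in practice: the `source_profile` value is a profile name, not a role, so the intermediate SSO-derived credentials are still what performs the `sts:AssumeRole` and appear as the principal in the target role's trust policy and in CloudTrail, and a `role_arn` without a `source_profile` (or `credential_source`) has nothing to assume from, which is why the single-profile variant in the issue does not work.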