aws-vault: Unable to perform IAM role chaining on 5.0.0

Here’s the working aws config I had in 4.x.x:

[profile account-b]
source_profile=account-a
role_arn=arn:aws:iam::bbbbbbbbbbbb:role/admin

[profile account-a]
mfa_serial=arn:aws:iam::aaaaaaaaaaaaa:mfa/dynamike
role_arn=arn:aws:iam::aaaaaaaaaaaaa:role/admin

I realize there are breaking changes around switching to parent_profile to be able to pass the mfa_serial between profiles. So in 0.5.0 I switched to

[profile account-b]
parent_profile=account-a
role_arn=arn:aws:iam::bbbbbbbbbbbb:role/admin

[profile account-a]
mfa_serial=arn:aws:iam::aaaaaaaaaaaaa:mfa/dynamike
role_arn=arn:aws:iam::aaaaaaaaaaaaa:role/admin

I can access account-a just fine, but trying to access account-b I get

AccessDenied: User: arn:aws:iam::aaaaaaaaaaaaa:user/dynamike is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::bbbbbbbbbbbb:role/admin

My setup is currently configured to do IAM role chaining from account-a into account-b. Let me know if there are other details I can give to help.

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 2
  • Comments: 22 (10 by maintainers)

Most upvoted comments

My situation is slightly different than @zfasel's. I had one less profile definition in my configuration (which was essentially @zfasel’s primary and admin profile merged into one).

[profile admin]
mfa_serial=arn:aws:iam::<root account>:mfa/<user>
role_arn=arn:aws:iam::<root account>:role/admin

[profile subaccount]
source_profile=admin
mfa_serial=arn:aws:iam::<root account>:mfa/dynamike
role_arn=arn:aws:iam::<sub account>:role/admin

The above results in the following error when running things after clearing all cached sessions, running v5.1.0-rc1:

aws-vault --debug exec subaccount -- aws sts get-caller-identity
2020/01/02 13:02:35 [keyring] Considering backends: [keychain pass file]
2020/01/02 13:02:35 Loading config file /Users/dynamike/.aws/config
2020/01/02 13:02:35 Parsing config file /Users/dynamike/.aws/config
2020/01/02 13:02:35 [keyring] Querying keychain for service="aws-vault", keychain="login.keychain"
2020/01/02 13:02:35 [keyring] Found 2 results
2020/01/02 13:02:35 [keyring] Querying keychain for service="aws-vault", keychain="login.keychain"
2020/01/02 13:02:35 [keyring] Found 2 results
2020/01/02 13:02:35 profile admin: using stored credentials
2020/01/02 13:02:35 MFA already used in source credentials, ignoring MFA
2020/01/02 13:02:35 profile admin: using AssumeRole
2020/01/02 13:02:35 MFA already used in source credentials, ignoring MFA
2020/01/02 13:02:35 profile subaccount: using AssumeRole
2020/01/02 13:02:35 Looking up keyring for 'admin'
2020/01/02 13:02:35 [keyring] Querying keychain for service="aws-vault", account="admin", keychain="login.keychain"
2020/01/02 13:02:35 [keyring] Found item "aws-vault (admin)"
aws-vault: error: exec: Failed to get credentials for subaccount: AccessDenied: User: arn:aws:iam::<root account>:user/dynamike is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<root account>:role/admin
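Both the original post's config and the comment above are source_profile chains in which the AccessDenied message names the IAM user, rather than a session of the first role, as the principal that tried to assume the second role. The script below is an added example, not aws-vault's own code and not a model of its parent_profile semantics: it resolves a profile chain the way the AWS CLI reads source_profile (each hop's credentials come from the profile it names) and then checks an STS AccessDenied message against that chain, reporting whether the caller STS saw was the expected assumed-role session of the previous hop. The config and error text are constructed inline to mirror the original post; account ids are the post's placeholders, and `expected_caller_prefix` is a name chosen here.

```python
import configparser
import re

# Constructed sample config mirroring the original post (account ids are placeholders).
SAMPLE_CONFIG = """
[profile account-b]
source_profile=account-a
role_arn=arn:aws:iam::bbbbbbbbbbbb:role/admin

[profile account-a]
mfa_serial=arn:aws:iam::aaaaaaaaaaaaa:mfa/dynamike
role_arn=arn:aws:iam::aaaaaaaaaaaaa:role/admin
"""

# Constructed error text mirroring the one reported in the post.
SAMPLE_ERROR = (
    "AccessDenied: User: arn:aws:iam::aaaaaaaaaaaaa:user/dynamike is not authorized "
    "to perform: sts:AssumeRole on resource: arn:aws:iam::bbbbbbbbbbbb:role/admin"
)

ACCESS_DENIED = re.compile(
    r"User: (?P<caller>arn:aws:(?:iam|sts)::\S+) is not authorized to perform: "
    r"sts:AssumeRole on resource: (?P<target>arn:aws:iam::\S+)"
)


def load_profiles(text):
    """Parse ~/.aws/config-style text into {profile_name: {key: value}}."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    profiles = {}
    for section in cp.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(cp[section])
    return profiles


def resolve_chain(profiles, target, parent_key="source_profile"):
    """Follow target -> parent -> ... and return the hops ordered from the root
    (the profile holding long-lived credentials) to the target. Each hop records
    the role it assumes and the mfa_serial set on that hop, if any."""
    chain, seen, name = [], set(), target
    while name is not None:
        if name in seen:
            raise ValueError(f"cycle in profile chain at {name!r}")
        seen.add(name)
        profile = profiles.get(name)
        if profile is None:
            raise KeyError(f"profile {name!r} not found")
        chain.append({
            "profile": name,
            "role_arn": profile.get("role_arn"),
            "mfa_serial": profile.get("mfa_serial"),
        })
        name = profile.get(parent_key)
    chain.reverse()
    return chain


def _session_prefix(role_arn):
    """arn:aws:iam::ACCOUNT:role/NAME -> arn:aws:sts::ACCOUNT:assumed-role/NAME/"""
    parts = role_arn.split(":")
    account, role_name = parts[4], parts[5].split("/", 1)[1]
    return f"arn:aws:sts::{account}:assumed-role/{role_name}/"


def diagnose(chain, error_text):
    """Check an AccessDenied message against the resolved chain. Returns None if
    the text is not an sts:AssumeRole denial; otherwise a report saying which
    principal should have been calling AssumeRole for the denied role and
    whether the caller STS actually saw matches it (None when the denied role
    is the first hop, whose caller is the long-lived credential itself)."""
    match = ACCESS_DENIED.search(error_text)
    if not match:
        return None
    target, actual = match.group("target"), match.group("caller")
    idx = next((i for i, hop in enumerate(chain) if hop["role_arn"] == target), None)
    expected = _session_prefix(chain[idx - 1]["role_arn"]) if idx else None
    return {
        "target": target,
        "actual_caller": actual,
        "expected_caller_prefix": expected,
        "chain_honoured": None if expected is None else actual.startswith(expected),
    }


if __name__ == "__main__":
    hops = resolve_chain(load_profiles(SAMPLE_CONFIG), "account-b")
    for hop in hops:
        print(hop)
    print(diagnose(hops, SAMPLE_ERROR))
```

Run against the post's config and error, the report shows the first hop's role session (`arn:aws:sts::aaaaaaaaaaaaa:assumed-role/admin/...`) as the expected caller and the IAM user as the actual one, so `chain_honoured` is False: the tool presented the user's own credentials to the second AssumeRole instead of the intermediate role's session. The comment's admin/subaccount config resolves the same way; to read a config that uses parent_profile instead, pass `parent_key="parent_profile"`.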