I'm not sure if I'm just not understanding the documentation, or if I am misreading the ability to do this. I have an IAM role with a trust relationship established to an SSO managed Role in a different account. I've tried accomplishing this with the "via" key, only defining the parent role in the other account, referencing the accountID:role as a value, referencing the accountFriendlyName:role as a value, all to no avail.
I've also tried to set up the prescribed .aws/config entry with source_profile pointing to the managed SSO Role, then running config-setup, with no success.
Given that it seems you're leveraging STS Assume Role recursively, I think this should be something that just works. Am I missing how to accomplish it/doing something wrong, or is this a valid feature request? I'd like to be able to run aws-sso eval unmanagedProfile and have it log in via the referenced SSO managed account, then assume the unmanaged role and provide exports as normal.
wealdling changed the title from "Cross Account Role Chaining for non-sso managed IAM roles..." to "Cross account role chaining for non-sso managed IAM roles..." on Oct 24, 2024