AWS: Assume role from assumed role

Let’s say I have some credentials profile “foo” set up in my ~/.aws/credentials. That account can assume role “arn::bar”. In turn, when you assume role “arn::bar”, you can then assume role “arn::baz”. However, account “foo” cannot directly assume role “arn::baz”. How can I configure Terraform aws provider to assume role “arn::baz”? If I do

provider "aws" {
  alias   = "baz"
  profile = "foo"
  assume_role {
    role_arn = "arn::baz"
  }
}

it will try to assume role “arn::baz” straight using credentials from profile foo, without assuming role “arn::bar” first, and so it will fail.

Are you using the Terraform CLI or Terraform Cloud? I have a little wrapper script that does assumeRole chaining like you described and exports Short Term Credentials as bash variables prepended to the terraform command.

Thanks for the suggestion. I used to do that similarly, but it doesn’t work when you need to access multiple different AWS roles/accounts in a single Terraform run: Terraform then only uses credentials from the ENV variables, and completely ignores the credentials specified for different AWS config profiles.
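
The chain described in the question (foo, then "arn::bar", then "arn::baz") can also be written as chained profiles in the AWS shared config file, which keeps each hop in a named profile instead of environment variables. This is an added example, not part of the original thread. The profile names `bar` and `baz` are chosen here, the role ARNs are the question's own placeholders, and it assumes the Terraform AWS provider version in use resolves `source_profile` chains the way the AWS CLI does.

```ini
# ~/.aws/config  (added example; profile names "bar" and "baz" are assumptions)
#
# "foo" is the existing static-credential profile in ~/.aws/credentials.
# Each profile below names the role to assume and the profile whose
# credentials are used for that sts:AssumeRole call.

# Hop 1: foo -> arn::bar
[profile bar]
role_arn       = arn::bar
source_profile = foo

# Hop 2: arn::bar -> arn::baz. source_profile points at the role profile
# above, so the credentials of "foo" are never presented to arn::baz.
[profile baz]
role_arn       = arn::baz
source_profile = bar

# The Terraform provider then selects the end of the chain by profile name
# and needs no assume_role block of its own:
#
#   provider "aws" {
#     alias   = "baz"
#     profile = "baz"
#   }
#
# Other provider aliases in the same run can point at other profiles
# (for example profile = "bar"), each with its own chain.
#
# Trust-policy check: arn::baz should list arn::bar as its only trusted
# principal, and arn::bar should trust the identity behind "foo".
# Sessions obtained through role chaining are limited to one hour.
```

Running `aws sts get-caller-identity --profile baz` confirms the chain resolves to the expected role before Terraform is pointed at it.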