AWS: Assume role from assumed role

Let’s say I have some credentials profile “foo” set up in my ~/.aws/credentials. That account can assume role “arn::bar”. In turn, when you assume role “arn::bar”, you can then assume role “arn::baz”. However, account “foo” cannot directly assume role “arn::baz”. How can I configure Terraform aws provider to assume role “arn::baz”? If I do

provider "aws" {
  alias   = "baz"
  profile = "foo"
  assume_role {
    role_arn = "arn::baz"

it will try to assume role “arn::baz” straight using credentials from profile foo, without assuming role “arn::bar” first, and so it will fail.

Are you using the terraform CLI or terraform cloud? I have a little wrapper script that does assumeRole chaining like you described and exports Short Term Credentials as bash variables prepended to terraform command.

Thanks for suggestion. I used to do that similarly, but it doesn’t work when you need to access multiple different AWS roles/accounts in a single Terraform run: Terraform then only uses credentials from the ENV variables, and completely ignores the credentials specified for different AWS config profiles.