Double jump assume


So I’m trying to build an account vending machine for AWS using terraform.

The issue I'm having is that, when creating a new account using AWS Organizations, there is a role created which trusts the root account.

How would you give Terraform access to that role, which trusts the root account, when the user for Terraform is in a Bastion account and not the root account where AWS Organizations is? (It would be nice to just double jump using assume role: assume an assumable role.)
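One way to do the double jump, as an added example that is not from the original post: a chained profile in `~/.aws/config` (the AWS SDKs follow `source_profile` links, so the Bastion user's keys become the first hop into the Organizations account), and a Terraform provider that starts from that profile and then assumes `OrganizationAccountAccessRole` in the new member account as the second hop. Account ids, role names, profile names and the external id are placeholders, and it is assumed that the provider's `assume_role` block is applied on top of whatever credentials the named profile resolves to.

```hcl
# ~/.aws/config (constructed example; ids are placeholders)
#
# [profile bastion]
# region = us-east-1
# # long-lived IAM user keys for this profile live in ~/.aws/credentials
#
# [profile org-master]
# role_arn       = arn:aws:iam::111111111111:role/TerraformOrgAdmin
# source_profile = bastion
# external_id    = <shared-secret-that-the-trust-policy-requires>
#
# "org-master" already performs hop 1 (Bastion user -> role in the
# Organizations/root account). Keep TerraformOrgAdmin's permissions narrow:
# organizations:CreateAccount plus sts:AssumeRole limited to
# arn:aws:iam::*:role/OrganizationAccountAccessRole, nothing broader, since
# that role trusts the whole root account.

provider "aws" {
  alias   = "master"
  region  = "us-east-1"
  profile = "org-master"
}

# Stage 1: vend the account from the Organizations account.
resource "aws_organizations_account" "member" {
  provider  = aws.master
  name      = "workload-dev"
  email     = "aws-workload-dev@example.com"
  role_name = "OrganizationAccountAccessRole" # trusts the root account
}

# Provider configuration must be known at plan time, so the member-account
# bootstrap takes the new account id as an input (second apply or second
# root module) rather than reading it from the resource above.
variable "member_account_id" {
  type = string # e.g. "222222222222" after stage 1 has run
}

provider "aws" {
  alias   = "member"
  region  = "us-east-1"
  profile = "org-master" # hop 1 credentials...
  assume_role {
    # ...then hop 2 from the root account into the freshly vended account.
    role_arn     = "arn:aws:iam::${var.member_account_id}:role/OrganizationAccountAccessRole"
    session_name = "terraform-account-vending" # shows up in CloudTrail for both hops
  }
}

# Sanity check that the chain landed in the member account.
data "aws_caller_identity" "member" {
  provider = aws.member
}

output "member_caller_arn" {
  value = data.aws_caller_identity.member.arn
}
```

Both `AssumeRole` calls are logged in CloudTrail with the session name, which is what you would alert on if that chain is ever exercised by anything other than the vending pipeline.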


I’m wondering if AWS SSO could get you out of the double assume-role requirement.