How to assume role to read KMS keys?

I landed on the originating GitHub issue trying to work through a similar problem. We use cross-account assume roles heavily in our CD environment, which is something the AWS provider handles well (including using provider aliases to be able to access multiple accounts’ resources from one module).

Digging through the code, it looks like the problem might be way down in awsutil.GenerateCredentialChain. The code there seems to assume the only AssumeRole method will be via IAM’s OIDC integration, since the only call is via NewWebIdentityRoleProvider. (@jorhett, this is what the web_identity_token_file feeds into: the WebIdentityToken parameter of the underlying AWS API call, not what we need.)

It looks like the solution is being able to add an AssumeRoleProvider to the credentials chain in that method with the role_arn from the KMS config HCL, but we’ve reached the limit of how much I understand Go (including how to hack on this library to test locally).
