It sounds like there may be extra configuration in the CLI needed. I will post an example of where I have a similar configuration. Could I confirm a couple things. The sign in to Account 1 is done with IAM credentials that are configured in your CLI profile (profile1), and an mfa device is configured? Here is what I would use as a comparison
[profile profile1]
aws_access_key_id=xxxxxxxxxx
aws_secret_access_key=xxxxxxxxx
[profile profile2]
source_profile=profile1
role_arn=arn:aws:iam::<Account2 ID>:role/<assumed role name>
mfa_serial = arn:aws:iam::<Account1 ID>:mfa/<mfa device name>
This removes the need to try aws sts assume-role, and just use --profile profile2 when running CLI commands across the assumed role into Account2. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
Another option may be using the aws sts get-session-token process described here https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/ which will get temporary credentials that can be used as environment variables.
Hi, thanks for the input.
Yes, the sign in is with IAM credentials, with an MFA device configured.
In the "IAM Account" (account 1) I have a policy like this, which is connected to my user:
{
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
},
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::<account-2>:role/<rolename>"
],
"Effect": "Allow"
}
In the role in account 2, there is a trust configured like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account-1>:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
}
}
]
}
My ~/.aws/credentials contains data like this:
[default]
aws_access_key_id = <My IAM user's access key id>
aws_secret_access_key = <My IAM user's secred access key>
[profile-name]
role_arn = arn:aws:iam::<account-2>:role/<rolename>
source_profile = default
mfa_serial = arn:aws:iam::<account-1>:mfa/<My IAM user name>
I do have a named profile configured, which works as expected (I can for instance do aws s3 ls --profile profile-name to list S3 buckets in account 2). When I run aws sts assume-role I get the MFA prompt, but then the error.
I need to perform the aws sts assume-role command to harvest parts of the output, which is needed for another (non-AWS) tool. Also, the script will not always run in a context where there is a CLI configuration with named profiles. I am mostly curious about how I can get the error, when there are clearly policies at play that explicitly grant me that particular permission (which in my opinion is proven by the functioning aws s3 ls command, and my ability to assume the role in the web console). I just assume that I am missing something obvious here :-)
Hi, so after some verification I believe there's some extra parameters we have to add to the CLI command. The assume role command at the CLI should be in this format
aws sts assume-role --role-arn <role arn in Account2> --role-session-name <reference name for session> --serial-number <mfa virtual device arn> --token-code <one time code from mfa device>
This should output the json blob with temporary role credentials. This doesn't use that second profile, but is required to be able to retrieve the credentials.
Relevant questions
aws sts assume-role gives AccessDenied
asked 7 months agoHow can I use the same domain name in different AWS accounts?
asked 3 years agoHow do I create a role for AWS Batch using the CLI
asked 5 months agoCan I get API Keys for a Service Role?
asked 9 months agoWhich role do I have to use for the Fargate tasks on AWS Batch?
Accepted Answerasked 9 months agoHow do I sign into re:Post using AWS SSO?
Accepted Answerasked 10 months agoI don't have access to quicksight
asked 18 days agoVerify permissions for the IAM role
asked 6 months agoGreenGrass is not authorized to assume the Service Role
Accepted Answerasked 3 years agoIs it possible to assign MFA for AWS IAM role?
asked 8 months ago