Partial credentials found in assume-role, missing: source_profile or credential_source

0

I have configured the IAM user and IAM role within the same AWS account to set up AWS CLI for my team. When I try to use these credentials to run some command, I get the above error in CLI. What should I be doing?

I have given the IAM role trust policy to assume role for anyone in the same AWS account. I have added policy for the IAM user to assume the above IAM role.

  # In ~/.aws/credentials:
  [regionsadmin]
  aws_access_key_id = ******
  aws_secret_access_key = ******

  # In ~/.aws/config
  [profile regionsadmin]
  region = us-east-1
  output = json
  source_profile = regionsadmin

  [default]
  role_arn = arn:aws:iam::****:role/regionsclirole

1 Answer
3
Accepted Answer

If you refer to the AWS CLI Configuration Variables documentation, take a look at the section Using AWS IAM Roles.

I'm not sure why you'd set up the CLI to assume a role in the same account. Refer to the re:Post Knowledge Center article for same account IAM Assume Role CLI.

For cross account setup, your entry should look as below:

  # In ~/.aws/credentials:
  [regionsadmin]
  aws_access_key_id = ******
  aws_secret_access_key = ******

  # In ~/.aws/config
  [profile crossaccount]
  region = us-east-1
  output = json
  source_profile = regionsadmin
  role_arn=arn:aws:iam::****:role/regionsclirole

For same account setup, your entry should look as below:

  # In ~/.aws/credentials:
  [regionsadmin]
  aws_access_key_id = ******
  aws_secret_access_key = ******

  # In ~/.aws/config
  [profile crossaccount]
  region = us-east-1
  output = json
  source_profile = regionsadmin
  role_arn=arn:aws:iam::****:role/regionsclirole

Edit:

I just tested this in house and it works absolutely fine as expected, even within the same account. The user for which I saved credentials had only sts assume role permissions, whereas the role which it assumed had getsecretvalue permissions. Attaching snapshot for your reference:

Hope you find this useful.

Comment here if you have additional questions, happy to help.

Abhishek

AWS EXPERT, answered 3 years ago
AWS EXPERT, reviewed 3 years ago
  • Now I'm getting a new error

    Unable to locate credentials. You can configure credentials by running "aws configure".
    
  • I'm curious, why do you need to set up the CLI this way, as this setup is more suited for cross account? Doesn't sts:assumerole fit more into your requirement as described here?

  • I just tested this in house for same account setup as well, and it worked fine. The user for which I saved credentials in the credentials file had only sts assume role permissions, whereas the role which it assumed had getsecretvalue permissions. I'd suggest you take a look at your configuration once more and see if you find something incorrect. Maybe you can paste your config and credentials entries again after masking account and credentials info. I can take another look at your files.

  • Yes, I had followed the same procedure using a different AWS doc. The one you have provided is better. I was able to run the AWS command. Thank you
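
Added example (not part of the original thread and not AWS's own code): a small Python check that reports any profile carrying `role_arn` without a usable `source_profile` or `credential_source`, run against the question's layout and the answer's layout. The account ID, key values and the helper name `lint_assume_role` are constructed for illustration.

```python
import configparser
# Constructed sample input modelled on the thread; all values are placeholders.
QUESTION_CONFIG = """\
[profile regionsadmin]
region = us-east-1
source_profile = regionsadmin

[default]
role_arn = arn:aws:iam::111111111111:role/regionsclirole
"""
ANSWER_CONFIG = """\
[profile crossaccount]
region = us-east-1
source_profile = regionsadmin
role_arn = arn:aws:iam::111111111111:role/regionsclirole
"""
CREDENTIALS = """\
[regionsadmin]
aws_access_key_id = EXAMPLEKEYID
aws_secret_access_key = EXAMPLESECRET
"""

def _load(text):
    parser = configparser.RawConfigParser()  # no % interpolation
    parser.read_string(text)
    return parser

def lint_assume_role(config_text, credentials_text):
    """Hypothetical helper: list (profile, problem) for unusable role profiles."""
    config, creds = _load(config_text), _load(credentials_text)
    # The config file names every profile except default as "[profile name]".
    profiles = {s.removeprefix("profile ").strip(): dict(config[s])
                for s in config.sections()}
    findings = []
    for name, opts in profiles.items():
        if "role_arn" not in opts or "web_identity_token_file" in opts:
            continue  # not a role profile, or a web-identity role (no source needed)
        src, env = opts.get("source_profile"), opts.get("credential_source")
        if not src and not env:
            findings.append((name, "role_arn without source_profile or credential_source"))
        elif src and env:
            findings.append((name, "both source_profile and credential_source set"))
        elif src and src not in profiles and not creds.has_section(src):
            findings.append((name, f"source_profile '{src}' not found"))
    return findings

if __name__ == "__main__":
    print(lint_assume_role(QUESTION_CONFIG, CREDENTIALS))  # question's layout
    print(lint_assume_role(ANSWER_CONFIG, CREDENTIALS))    # answer's layout
```

The question's layout is flagged because `role_arn` sits in `[default]` while `source_profile` sits in a different profile; the answer's layout passes because both keys are in the same profile and `regionsadmin` exists in the credentials file.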
