I'm trying to run AWS CLI commands using a different profile:
.aws$ cat config
[default]
region = us-east-1
output = json
[profile secondaccount]
role_arn = arn:aws:iam::<SECOND_ACCOUNT_ID>:role/admin
source_profile = default
.aws$ cat credentials
[default]
aws_access_key_id = ID
aws_secret_access_key = KEY
The SECOND_ACCOUNT has an admin role (access to all resources) with a trust relationship that allows any user from the FIRST_ACCOUNT to assume it:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<FIRST_ACCOUNT>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
My user in the FIRST_ACCOUNT also has a policy that allows it to assume roles:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "*"
    }
  ]
}
- I can switch roles using the console.
- I have tried attaching policies directly to my user in the FIRST_ACCOUNT to grant sts:AssumeRole.
- I have tried adding my user ARN from the FIRST_ACCOUNT to the trust relationship of the admin role in the SECOND_ACCOUNT.
- There's no explicit Deny attached to my user.
- I have tried adding the admin role of the SECOND_ACCOUNT to both my .aws/config and .aws/credentials.
However, I can't switch to another profile using the CLI:
$ aws s3 ls --profile secondaccount
An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied
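As an added example, not part of the original question: a small Python model of what the CLI does with a role profile and how the role's trust policy evaluates it. It assumes placeholder account IDs 111111111111 (FIRST_ACCOUNT) and 222222222222 (SECOND_ACCOUNT) and an MFA device ARN arn:aws:iam::111111111111:mfa/alice; the evaluator handles only the Allow/Principal/Bool shape shown in the post. What it shows: the CLI sends SerialNumber and TokenCode on the AssumeRole call only when the profile has an mfa_serial entry, and without them STS leaves aws:MultiFactorAuthPresent out of the request context, so the Bool condition is not met and AssumeRole fails with AccessDenied even though the console switch (which has MFA context from the login session) works. The profile as posted is placed beside one with mfa_serial added.

```python
import configparser

# Placeholder account IDs and MFA device ARN (assumptions, not values from the post).
FIRST_ACCOUNT = "111111111111"
SECOND_ACCOUNT = "222222222222"
MFA_DEVICE_ARN = f"arn:aws:iam::{FIRST_ACCOUNT}:mfa/alice"

# Constructed sample ~/.aws/config in the shape of the one posted: no mfa_serial.
CONFIG_AS_POSTED = f"""
[default]
region = us-east-1
output = json

[profile secondaccount]
role_arn = arn:aws:iam::{SECOND_ACCOUNT}:role/admin
source_profile = default
"""

# Same profile with the MFA device named, which is what makes the CLI prompt
# for a token code and pass it to AssumeRole.
CONFIG_WITH_MFA = CONFIG_AS_POSTED + f"mfa_serial = {MFA_DEVICE_ARN}\n"

# Trust policy on the admin role, as posted (Version omitted there too).
TRUST_POLICY = {
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{FIRST_ACCOUNT}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }
    ]
}


def load_profile(config_text, name):
    """Read one profile the way the CLI names sections: [default] vs [profile X]."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    section = "default" if name == "default" else f"profile {name}"
    return dict(cp[section])


def assume_role_request_context(profile, caller_account, token_code=None):
    """Model the request context STS builds for the CLI's AssumeRole call.

    With long-term access keys and no MFA, aws:MultiFactorAuthPresent is
    absent from the context. It is set to "true" only when the call carries
    SerialNumber and TokenCode, which the CLI does only for a profile that has
    mfa_serial (it prompts for the code).
    """
    context = {"aws:PrincipalAccount": caller_account}
    if profile.get("mfa_serial") and token_code:
        context["aws:MultiFactorAuthPresent"] = "true"
    return context


def evaluate_trust_policy(policy, caller_account, context):
    """Minimal evaluator for the Allow/Principal/Bool shape in the post.

    No matching Allow statement is an implicit deny, which STS reports as
    AccessDenied. A Bool condition on a key that is missing from the context
    is not met (only the ...IfExists operators tolerate a missing key).
    """
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principals = stmt["Principal"].get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        # ":root" trusts every principal in that account whose own identity
        # policy allows sts:AssumeRole (the posted user policy does).
        if f"arn:aws:iam::{caller_account}:root" not in principals:
            continue
        bool_conditions = stmt.get("Condition", {}).get("Bool", {})
        if all(context.get(key) == value for key, value in bool_conditions.items()):
            return "Allow"
    return "AccessDenied"


def cli_assume_role(config_text, profile_name, caller_account, token_code=None):
    """Outcome of the AssumeRole that `aws ... --profile <profile_name>` performs."""
    profile = load_profile(config_text, profile_name)
    if "role_arn" not in profile:
        return "NotARoleProfile"
    context = assume_role_request_context(profile, caller_account, token_code)
    return evaluate_trust_policy(TRUST_POLICY, caller_account, context)


if __name__ == "__main__":
    print("as posted:      ", cli_assume_role(CONFIG_AS_POSTED, "secondaccount", FIRST_ACCOUNT))
    print("with mfa_serial:", cli_assume_role(CONFIG_WITH_MFA, "secondaccount", FIRST_ACCOUNT, "123456"))
```

The same mismatch shows up outside the CLI's profile handling: calling sts assume-role by hand without --serial-number and --token-code produces the same AccessDenied against a role whose trust policy carries this condition, because the condition is evaluated on the AssumeRole request itself, not on how the caller's own credentials were obtained.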