Ability to assume a second/final role when using AWS Identify Center

[danwashusen]

We'd like to be able to assume a second role in a organisation target account, after aws-vault assumes credentials for the SSO user.

AWS recently added the concept of 'managed policies' which addresses a bunch of annoyances with managing permissions in Identify Center (https://aws.amazon.com/blogs/security/how-to-use-customer-managed-policies-in-aws-single-sign-on-for-advanced-use-cases/).

Background

Assuming the following config:

[profile Administrator-123456789012]
sso_start_url=https://aws-sso-portal.awsapps.com/start
sso_region=eu-west-1
sso_account_id=123456789012
sso_role_name=Administrator

When I invoke aws-vault I end up with the very annoyingly named caller identify, something like:

$ aws-vault exec Administrator-123456789012 -- aws sts get-caller-identity
arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_Administrator_4984729384579234759/userid

With those credentials I'm able to assume another role in the target account:

$ aws-vault exec Administrator-123456789012 -- aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/some-other-role" --role-session-name testing

Requested Feature

We'd like the ability do this in one step with aws-vault. For example, using the following config (which doesn't work):

[profile Administrator-123456789012-some-other-role]
sso_start_url=https://aws-sso-portal.awsapps.com/start
sso_region=eu-west-1
sso_account_id=123456789012
sso_role_name=Administrator
role_arn = "arn:aws:iam::123456789012:role/some-other-role" # <-- second/final role to assume after SSO login

[danwashusen]

Ignore that, I missed the obvious:

[profile Administrator-123456789012]
sso_start_url=https://aws-sso-portal.awsapps.com/start
sso_region=eu-west-1
sso_account_id=123456789012
sso_role_name=Administrator

[profile Administrator-123456789012-some-other-role]
source_profile = Administrator-123456789012
role_arn = "arn:aws:iam::123456789012:role/some-other-role"