saml2aws exec not honouring command line login options when credential file has valid STS token

[chamila-c]

Please see console output below for steps to reproduce. Points to note:

• Login details redacted, but faithfully so as to still highlight the observed behaviour
• ~/.aws/credential file was present (but empty) before first invocation of exec
• second invocation of exec was done immediately after the first, so there was no chance of STS token expiry
• the requested role of first invocation of exec is AcmeRole1, while for the second invocation it's AcmeRole2
• both invocations of exec end up running as the same role, namely AcmeRole1

[centos@localhost ~]$ saml2aws -i KeyCloak --hostname="id.acme.com/auth/realms/acme/protocol/saml/clients/amazon-aws" --username="joe.bloggs" --password="${SAML2AWS_PASSWORD}" --role="arn:aws:iam::012345678910:role/AcmeRole1" --skip-prompt exec aws sts get-caller-identity

Authenticating as joe.bloggs to KeyCloak https://id.acme.com/auth/realms/acme/protocol/saml/clients/amazon-aws
Selected role: arn:aws:iam::012345678910:role/AcmeRole1
Requesting AWS credentials using SAML assertion
Logged in as: arn:aws:sts::012345678910:assumed-role/AcmeRole1/joe.bloggs
Your new access key pair has been stored in the AWS configuration
Note that it will expire at 2017-09-08 00:35:28 +1000 AEST
To use this credential, call the AWS CLI with the --profile option (e.g. aws --profile saml ec2 describe-instances).
Saving config: /home/centos/.aws2saml.config

{
    "Account": "012345678910", 
    "UserId": "ABCDEF123456GHIJKLMN0:joe.bloggs", 
    "Arn": "arn:aws:sts::012345678910:assumed-role/AcmeRole1/joe.bloggs"
}

[centos@localhost ~]$ saml2aws -i KeyCloak --hostname="id.acme.com/auth/realms/acme/protocol/saml/clients/amazon-aws" --username="joe.bloggs" --password="${SAML2AWS_PASSWORD}" --role="arn:aws:iam::012345678910:role/AcmeRole2" --skip-prompt exec aws sts get-caller-identity

Running command as: arn:aws:sts::012345678910:assumed-role/AcmeRole1/joe.bloggs

{
    "Account": "012345678910", 
    "UserId": "ABCDEF123456GHIJKLMN0:joe.bloggs", 
    "Arn": "arn:aws:sts::012345678910:assumed-role/AcmeRole1/joe.bloggs"
}

Expected behaviour is that the second (and any) invocation of exec would run under the requested role in the command line options (i.e. AcmeRole2 in the case of the second invocation above)

[mapkon]

@chamila-c Are you still experiencing this issue?