Closed Danno040 closed 6 years ago
Can you share the aiprimary profile, and whatever config section the source_profile attribute references, from your .aws/config file?
It looks like this:
[default]
output = json
region = us-east-1
[profile aiprimary]
role_arn = arn:aws:iam::XXXXXXXXXXXX:user:role/managed-role/XXXXXXXXXXXX:user-PearsonCloudEngineers
source_profile = default
mfa_serial = arn:aws:iam::XXXXXXXXXXXX:user:mfa/mike.feineman@pearson.com
Thankfully we work together, so I have access to these AWS accounts :)
The role ARN in that aiprimary profile looks like it should be:
arn:aws:iam::XXXXXX:role/managed-role/XXXXXX-PearsonCloudEngineers
See what aws-runas -l gives you as the list of role ARNs you can assume.
Sorry, the role is arn:aws:iam::XXXXXX:role/managed-role/XXXXXX-PearsonCloudEngineers, there was a copy and paste error with my XXXes.
Like I said, this profile works with the AWS cli.
Guessing that this is related to the GetSessionToken call that aws-runas does, and your IAM permissions may not allow that. awscli will work because it doesn't call GetSessionToken, but calls AssumeRole directly (which your IAM account has authority for).
Going to add a section to aws-runas README to enumerate the permissions required.
I'll leave this issue open until we can confirm or deny that modifying your IAM account's permissions resolves this.
Just realized I left this open. It was definitely related to IAM account permissions.
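An added example, not part of the original thread or of the aws-runas project: a small Python check that a role profile's role_arn and mfa_serial have the IAM ARN shape discussed above, and that source_profile names a section in the same file. The account ID, profile names and role name in the sample are constructed placeholders, and section_name and lint_profile are hypothetical helper names.

```python
import configparser
import re

# IAM ARN shapes: arn:<partition>:iam::<12-digit account>:<type>/<path and name>
NAME = r"[\w+=,.@/-]+"
ROLE_ARN = re.compile(rf"^arn:aws[a-z-]*:iam::\d{{12}}:role/{NAME}$")
MFA_ARN = re.compile(rf"^arn:aws[a-z-]*:iam::\d{{12}}:mfa/{NAME}$")

# Constructed sample: account ID, role name and user name are placeholders.
SAMPLE_CONFIG = """\
[default]
region = us-east-1

[profile broken]
role_arn = arn:aws:iam::111122223333:user:role/managed-role/example-role
source_profile = default
mfa_serial = arn:aws:iam::111122223333:user:mfa/user@example.com

[profile fixed]
role_arn = arn:aws:iam::111122223333:role/managed-role/example-role
source_profile = default
mfa_serial = arn:aws:iam::111122223333:mfa/user@example.com
"""

def section_name(profile):
    # The config file names every profile section "profile <name>" except default.
    return "default" if profile == "default" else f"profile {profile}"

def lint_profile(config_text, profile):
    """Return a list of problems found in one role profile."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    if not cfg.has_section(section_name(profile)):
        return [f"profile '{profile}' not found"]
    sec = cfg[section_name(profile)]
    problems = []
    for key, pattern, required in (("role_arn", ROLE_ARN, True),
                                   ("mfa_serial", MFA_ARN, False)):
        value = sec.get(key)
        if value is None:
            if required:
                problems.append(f"{key} is missing")
        elif not pattern.match(value):
            problems.append(f"{key} is not a valid IAM ARN: {value}")
    src = sec.get("source_profile")
    if src and not cfg.has_section(section_name(src)):
        problems.append(f"source_profile '{src}' has no section in this file")
    return problems

if __name__ == "__main__":
    for name in ("broken", "fixed"):
        print(name, lint_profile(SAMPLE_CONFIG, name))
```

A source profile's credentials may live in ~/.aws/credentials rather than the config file, so the source_profile finding means "look there next", not that the profile is unusable.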
I'm getting the following error when running 0.1.0:
However, the profile works fine with the AWS cli: