When using the '--all-profiles' flag to automatically write all account/role combinations into the credentials file, there is a conflict issue when 2 accounts have the same role name and those roles don't have the permission 'iam:ListAccountAliases'.
Example:
Account1:
  Role1
  Role2
Account2:
  Role1
  Role2
Assuming Role2 is missing 'iam:ListAccountAliases', the code webssoauth.go will write down the profile as
org-Role2
org-Role2
So the credential file will only have the last account it processed and saved under "org-Role2", missing the creds for one of the accounts.
I would suggest, instead of using the "org" prefix, using the account number as the prefix.
E.g.:
123-Role2
234-Role2
This way both creds will exist instead of getting overwritten.
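Added example, not part of the original report and not the project's own code: a minimal Go model of the naming collision described above, with a check that lists profile names more than one account/role pair would be written under. The `Role` type, the function names and the aliases `alias-a`/`alias-b` are assumptions made for illustration; the account numbers 123 and 234 are the ones used in the report.

```go
package main

import (
	"fmt"
	"sort"
)

// Role is one account/role pair; Alias is empty when the role
// lacks iam:ListAccountAliases. Hypothetical type for this example.
type Role struct{ AccountID, Alias, Name string }

// profileName builds "<prefix>-<role>", using fallback(r) when no alias is known.
func profileName(r Role, fallback func(Role) string) string {
	prefix := r.Alias
	if prefix == "" {
		prefix = fallback(r)
	}
	return prefix + "-" + r.Name
}

// orgFallback models the reported behaviour; accountFallback the suggested one.
func orgFallback(Role) string       { return "org" }
func accountFallback(r Role) string { return r.AccountID }

// collisions returns profile names claimed by more than one account/role
// pair, i.e. entries that would be overwritten in the credentials file.
func collisions(roles []Role, fallback func(Role) string) []string {
	count := map[string]int{}
	for _, r := range roles {
		count[profileName(r, fallback)]++
	}
	var dup []string
	for name, n := range count {
		if n > 1 {
			dup = append(dup, name)
		}
	}
	sort.Strings(dup)
	return dup
}

// sampleRoles is constructed input: accounts 123 and 234 from the report,
// with made-up aliases that only Role1 is allowed to look up.
func sampleRoles() []Role {
	return []Role{
		{"123", "alias-a", "Role1"}, {"123", "", "Role2"},
		{"234", "alias-b", "Role1"}, {"234", "", "Role2"},
	}
}

func main() {
	fmt.Println("org prefix collisions:    ", collisions(sampleRoles(), orgFallback))
	fmt.Println("account prefix collisions:", collisions(sampleRoles(), accountFallback))
}
```

Running a check like `collisions` before writing the credentials file turns a silent overwrite into a visible error, whichever prefix scheme is used.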