tilfinltd / aws-extend-switch-roles

Extend your AWS IAM switching roles by Chrome extension, Firefox add-on, or Edge add-on
https://chromewebstore.google.com/detail/aws-extend-switch-roles/jpmkfafbacpgapdghgdpembnojdlgkdl?utm_source=github
MIT License

Is double assume supported? #182

Closed sveniu closed 3 years ago

sveniu commented 3 years ago

I might be missing something, but is a double assume supported? That is, starting with a base account A, you assume into a role in account B, and that role has the ability to assume into another role in account C.

If it is currently not supported, is it something that could fairly easily be added? If yes, where in the code would this happen? I'd be happy to attempt a PR.

phancox commented 3 years ago

The maximum possible expiry time when an IAM role assumes another role is one hour. So even if it was possible, the credentials would only be valid for one hour.

tilfin commented 3 years ago

AWS MC should not support multi-stage switching.

AESR only emulates the behavior of link clicking in the AWS MC, so it can't achieve functionality beyond the original.

sveniu commented 3 years ago

Okay, thanks for clarifying. I guess another approach is to allow an assumed role's account to work as a base account, for further assume operations.

Here's what I mean in detail:

# This is the base account that I log into with my IAM user.
[base-account-for-iam-user-login]
aws_account_id = 11111111

# This is a role that I assume from the base account. This role
# is allowed to assume other roles in other accounts.
[Administrator@account-audit]
source_profile = base-account-for-iam-user-login
aws_account_id = 22222222
role_name = Administrator

# This is a kind of place-holder base account to match the
# Administrator@account-audit defined above.
[base-account-audit]
aws_account_id = 22222222

# This role can be assumed only after I have assumed the
# Administrator@account-audit role.
[Auditor@other-account]
role_name = Auditor
aws_account_id = 33333333
source_profile = base-account-audit

I'll see if I can find a way of doing this in the source code.
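A way to check the chained configuration sketched above, as an added example (not AESR's own code): it parses the profiles, resolves each role's chain through the placeholder base by matching aws_account_id (the rule assumed from the proposal), and applies the one-hour cap that AWS puts on role-chained sessions. The 12-hour `role_max` default is an assumption for the direct (single-hop) case.

```python
import configparser

# Constructed sample: the chained profiles proposed in the thread (comments dropped).
SAMPLE_CONFIG = """
[base-account-for-iam-user-login]
aws_account_id = 11111111
[Administrator@account-audit]
source_profile = base-account-for-iam-user-login
aws_account_id = 22222222
role_name = Administrator
[base-account-audit]
aws_account_id = 22222222
[Auditor@other-account]
role_name = Auditor
aws_account_id = 33333333
source_profile = base-account-audit
"""

# AWS limits a session obtained by role chaining (role -> role) to one hour.
ROLE_CHAINING_MAX_SECONDS = 3600

def load_profiles(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def resolve_chain(profiles, name, seen=None):
    """Role ARNs assumed to reach `name`, ordered from the login account outward."""
    seen = set() if seen is None else seen
    if name in seen:
        raise ValueError(f"source_profile cycle through {name}")
    seen.add(name)
    prof = profiles[name]
    if "role_name" not in prof:
        return []  # a base profile: nothing has been assumed yet
    src_name = prof["source_profile"]
    src = profiles[src_name]
    if "role_name" in src:
        parent = resolve_chain(profiles, src_name, seen)
    else:
        # Assumed matching rule from the proposal: a base whose aws_account_id
        # equals an assumed role's account is a placeholder for that role.
        match = [n for n, p in profiles.items()
                 if "role_name" in p and p["aws_account_id"] == src["aws_account_id"]]
        parent = resolve_chain(profiles, match[0], seen) if match else []
    return parent + [f"arn:aws:iam::{prof['aws_account_id']}:role/{prof['role_name']}"]

def max_session_seconds(profiles, name, role_max=43200):
    """Two or more hops is role chaining, capped at one hour regardless of role_max."""
    return ROLE_CHAINING_MAX_SECONDS if len(resolve_chain(profiles, name)) >= 2 else role_max
```

A base profile that shares an account id with a defined role is treated as a placeholder, so keep the real login account's id distinct from any role's account.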