
Cross account role chaining for non-sso managed IAM roles... #1087

Open
wealdling opened this issue Oct 24, 2024 · 3 comments
Labels
enhancement New feature or request

Comments

@wealdling

wealdling commented Oct 24, 2024

I'm not sure if I'm just not understanding the documentation, or if I am misreading the ability to do this. I have an IAM role with a trust relationship established to an SSO managed Role in a different account. I've tried accomplishing this with the "via" key, only defining the parent role in the other account, referencing the accountID:role as a value, referencing the accountFriendlyName:role as a value, all to no avail.

I've also tried to set up the prescribed .aws/config entry with source_profile pointing to the managed SSO Role, then running config-setup, with no success.

Given that it seems you're leveraging STS Assume Role recursively, I think this should be something that just works. Am I missing how to accomplish it/doing something wrong, or is this a valid feature request? I'd like to be able to run aws-sso eval unmanagedProfile and have it login via the referenced SSO managed account, then assume the unmanaged role and provide exports as normal.

@wealdling wealdling added the enhancement New feature or request label Oct 24, 2024
@wealdling wealdling changed the title Cross Account Role Chaining for non-sso managed IAM roles... Cross account role chaining for non-sso managed IAM roles... Oct 24, 2024
@synfinatic
Owner

You're missing lots of useful info. Please fill out the appropriate form: https://github.com/synfinatic/aws-sso-cli/issues/new?assignees=&labels=bug&projects=&template=bug_report.md&title=

@timoguin

timoguin commented Jan 8, 2025

I've done this in the past with aws-sso-cli but have been struggling with the appropriate config for the last few days.

For my use case, I'm wanting to utilize an SSO role in the AWS Organizations management account to assume the OrganizationsAccountAccessRole into every other account.

This is quite a simple thing, but I can't seem to figure out the proper configuration syntax for aws-sso-cli. The current examples in the documentation aren't sufficient enough for me to understand what I'm doing wrong.

I think some general role-chaining guidance for this use case would be super helpful. I've been having to dive into the code to figure out what I'm doing wrong.

@timoguin

timoguin commented Jan 8, 2025

BTW, here's a snippet of my configuration (I've tried a bunch of variants so far):

```yaml
SSOConfig:
  Default:
    Accounts:
      # AWS Organizations mgmt account
      "123456789012":
        Name: root
        Roles:
          workload-another-account:
            Via: "arn:aws:iam::111111111111:role/OrganizationsAccountAccessRole"
          workload-another-account-2:
            Via: "arn:aws:iam::222222222222:role/OrganizationsAccountAccessRole"
```

I expected this to surface those roles when doing aws-sso list, but it doesn't. What is the right way to do this? I feel dumb. 😆
