1

I have 2 AWS accounts and have set up cross account authentication using IAM roles.

I have created an AWS CLI named profile for the second account, which uses a role_arn and specifies my default profile as the source_profile.

For my default profile, I keep my KEY and SECRET as environment variables, rather than as static strings in the ~/.aws/credentials file.

However, when I switch to the named profile, and query the API, I get the following error:

The source_profile "default" must specify either static credentials or an assume role configuration

Is there any way I can get a named profile to refer to my environment variable credentials rather than static credentials in ~/.aws/credentials?

Garreth McDaid

1 Answer

5

Turns out this is pretty straightforward (it's not very obvious in the documentation). Rather than use source_profile, you use credential_source:

```
[profile dev]
credential_source = Environment
role_arn = arn:aws:iam::<account_id>:role/Admin
```

Note: in this case the role "Admin" is an example. You need to update that to whatever cross account role you have created. Similarly, "dev" is an example profile in my configuration.

Source: https://docs.aws.amazon.com/cli/latest/topic/config-vars.html

Garreth McDaid
  • I can recommend using a tool like [limes](https://github.com/otm/limes) if you have multiple accounts and assume roles. It's a life saver. It basically emulates the instance metadata service locally, helping you auto refresh the keys for your assumed role. – Bazze May 06 '18 at 08:56
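The check below is an added example, not code from the answer or from AWS: it lints the text of `~/.aws/config` and reports role profiles that would hit the error in the question, or that use `credential_source = Environment` while the key variables are unset. The function names, the `legacy` profile and the region value are constructed for illustration; the `dev` profile is the one from the answer.

```python
import configparser

# credential_source values documented for the AWS CLI.
VALID_SOURCES = {"Environment", "Ec2InstanceMetadata", "EcsContainer"}
ENV_KEYS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")

# Constructed sample: "dev" follows the answer, "legacy" mirrors the question.
SAMPLE_CONFIG = """
[default]
region = eu-west-1

[profile dev]
credential_source = Environment
role_arn = arn:aws:iam::<account_id>:role/Admin

[profile legacy]
source_profile = default
role_arn = arn:aws:iam::<account_id>:role/Admin
"""

def _parse(text):
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    # ~/.aws/config writes "[profile dev]"; ~/.aws/credentials writes "[dev]".
    return {(s[8:].strip() if s.startswith("profile ") else s): dict(cfg[s])
            for s in cfg.sections()}

def check_role_profiles(config_text, env, credentials_text=""):
    """Return {profile: [problems]} for each profile that sets role_arn."""
    profiles, static = _parse(config_text), _parse(credentials_text)
    report = {}
    for name, opts in profiles.items():
        if "role_arn" not in opts:
            continue
        problems = []
        src, parent = opts.get("credential_source"), opts.get("source_profile")
        if (src is None) == (parent is None):
            problems.append("set exactly one of source_profile or credential_source")
        if src is not None and src not in VALID_SOURCES:
            problems.append("unknown credential_source: " + src)
        if src == "Environment":
            missing = [k for k in ENV_KEYS if not env.get(k)]
            if missing:
                problems.append("environment lacks " + ", ".join(missing))
        if parent is not None:
            merged = {**profiles.get(parent, {}), **static.get(parent, {})}
            if not ({"aws_access_key_id", "role_arn"} & merged.keys()):
                problems.append("source_profile %r has no static keys or role" % parent)
        report[name] = problems
    return report
```

Pass `os.environ` as `env` and the contents of the two AWS files as the text arguments to run it against a real setup; it only checks that the variables are present and never reads or prints their values.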