I'm trying to generate AWS credentials using aws sts assume-role-with-saml from this documentation.
However, I'm getting errors and I don't really understand the flow. Normally I have a main account ACCOUNT_A where the SAML_PROVIDER resides and from which I switch roles to the account ACCOUNT_B. So from my understanding the syntax should look like:
aws sts assume-role-with-saml --role-arn arn:aws:iam::ACCOUNT_B:role/IAM_ROLE --principal-arn arn:aws:iam::ACCOUNT_A:saml-provider/SAML_PROVIDER --saml-assertion BASE64_ENCODED_RESPONSE
But when I try the above way I get the error:
An error occurred (ValidationError) when calling the AssumeRoleWithSAML operation: Principal exists outside the account of the Role being assumed
Then if I try this way:
aws sts assume-role-with-saml --role-arn arn:aws:iam::ACCOUNT_B:role/IAM_ROLE --principal-arn arn:aws:iam::ACCOUNT_B:saml-provider/SAML_PROVIDER --saml-assertion BASE64_ENCODED_RESPONSE
I get the error:
An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithSAML operation: Specified provider doesn't exist (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlManifestNotFoundException; Request ID: 3565c77a-44b6-11e9-a384-b1f45948a767)
I think the documentation is not clear on the functional aspect, and there is no really clear example on Google... So my questions are:
- What account numbers should I use at these two places in the syntax?
- Do I need to create a SAML IDP in the ACCOUNT_B account?
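An added example (not part of the question above) that inspects a SAML assertion the way STS does before the call: it pulls the Role attribute pairs out of a base64 SAMLResponse and flags any pair whose role ARN and SAML provider ARN sit in different accounts, which is the condition behind the first ValidationError quoted above. The attribute name is the standard AWS one; the SAMLResponse and the account numbers are constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"  # standard AWS attribute name

# Constructed sample SAMLResponse (not a real IdP response). Account numbers are made up:
# 111111111111 plays ACCOUNT_A (where the SAML provider lives), 222222222222 plays ACCOUNT_B.
SAMPLE_RESPONSE_B64 = base64.b64encode(f"""<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="{SAML_NS}">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="{ROLE_ATTR}">
      <saml:AttributeValue>arn:aws:iam::111111111111:saml-provider/SAML_PROVIDER,arn:aws:iam::111111111111:role/IAM_ROLE</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::222222222222:role/IAM_ROLE,arn:aws:iam::111111111111:saml-provider/SAML_PROVIDER</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>""".encode()).decode()


def account_id(arn: str) -> str:
    """The account number is the 5th colon-separated field of an IAM ARN."""
    return arn.split(":")[4]


def parse_role_pairs(saml_response_b64: str) -> list:
    """Return (role_arn, principal_arn) pairs from the Role attribute of a base64 SAMLResponse.
    AWS accepts either order inside the value; pairs are normalised to (role, provider)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            parts = [p.strip() for p in (value.text or "").split(",")]
            if len(parts) != 2:
                continue  # malformed value: STS would reject it, we simply skip it
            if ":saml-provider/" in parts[0]:
                parts.reverse()
            pairs.append((parts[0], parts[1]))
    return pairs


def find_mismatches(saml_response_b64: str) -> list:
    """Pairs whose role and SAML provider are in different accounts; STS refuses these with
    'Principal exists outside the account of the Role being assumed'."""
    return [(role, prov) for role, prov in parse_role_pairs(saml_response_b64)
            if account_id(role) != account_id(prov)]


if __name__ == "__main__":
    for role, prov in find_mismatches(SAMPLE_RESPONSE_B64):
        print(f"mismatch: role {role} vs provider {prov}")
```

Running it against the sample reports only the second pair, the one that mirrors the first command in the question (role in ACCOUNT_B, provider in ACCOUNT_A).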