Can't switch AWS profile CLI but can do in the Console

I'm trying to run AWS CLI commands using a different profile:

.aws$ cat config 
[default]
region = us-east-1
output = json

[profile secondaccount]
role_arn = arn:aws:iam::<SECOND_ACCOUNT_ID>:role/admin
source_profile = default
.aws$ cat credentials 
[default]
aws_access_key_id = ID
aws_secret_access_key = KEY

The SECOND_ACCOUNT has an admin role (access to all resources) with a Trust Relationship that allows any user from FIRST_ACCOUNT to assume it:

"Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<FIRST_ACCOUNT>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }

My account on the FIRST_ACCOUNT also has a policy allowing it to assume roles:

"Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "*"
        }
    ]
  • I can switch role using the console.
  • I have tried to attach policies directly to my username on the FIRST_ACCOUNT to have sts:assumeRole.
  • I've tried to attach my user ARN from the FIRST_ACCOUNT to the Trust Relationship of the admin role of the SECOND_ACCOUNT.
  • There's no explicit DENY attached to my username.
  • I've tried adding the admin role of the SECOND_ACCOUNT to both my .aws/config and .aws/credentials.

However, I can't switch to another profile using the CLI:

$ aws s3 ls --profile secondaccount

An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied

I've tried what was suggested here, here, here, and here.

Viet asked Jul 10 '19 21:07

2 Answers

So I've found the solution from an AWS post.

The issue:

In the Trust Relationships of the SECOND_ACCOUNT admin, there's the condition:

"Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }

which means it requires an MFA token to execute CLI commands.

So I did:

$ aws sts get-session-token --serial-number MFA_NUM --token-code CODE_FROM_MFA
{
    "Credentials": {
        "AccessKeyId": ID,
        "SecretAccessKey": KEY,
        "SessionToken": TOKEN,
        "Expiration": "2019-07-12T01:14:07Z"
    }
}

Then I added to the .aws/credentials:

[mfa]
aws_access_key_id = ID_FROM_ABOVE
aws_secret_access_key = KEY_FROM_ABOVE
aws_session_token = TOKEN_FROM_ABOVE

Then edited the .aws/config:

[mfa]
output = json
region = us-east-1

[profile secondaccount]
role_arn = arn:aws:iam::<SECOND_ACCOUNT_ID>:role/admin
source_profile = mfa

Then I was able to run CLI commands with --profile secondaccount.

If you choose to do it this way, which is AWS best practice, AWS recommends having a script to automate the process of getting a new token.

If you're "lazy", remove the condition in the Trust Relationship.

Viet answered Sep 27 '22 17:09
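The answer above ends by saying AWS recommends a script to automate fetching the session token. The script below is an added example, not code from the original post or from AWS: it runs `aws sts get-session-token` with your MFA device ARN and a 6-digit code (assumes the AWS CLI is installed and that the `default` profile holds the long-lived IAM user keys), then writes the temporary credentials into an `[mfa]` section of `~/.aws/credentials` so that `[profile secondaccount]` can use `source_profile = mfa`. The profile name `mfa`, the `expiration` bookkeeping key and the 10-minute refresh margin are my assumptions; everything else follows the steps in the answer.

```python
"""refresh_mfa_profile.py (added example, not the original poster's code).

Automates the manual steps from the answer:
  1. aws sts get-session-token --serial-number <mfa-arn> --token-code <code>
  2. write AccessKeyId/SecretAccessKey/SessionToken into [mfa] in ~/.aws/credentials
Credentials obtained this way carry aws:MultiFactorAuthPresent=true, which is
what the trust policy's Bool condition on the SECOND_ACCOUNT role checks.
"""
import configparser
import json
import os
import subprocess
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Optional

PROFILE_NAME = "mfa"                    # assumed: section used as source_profile
SOURCE_PROFILE = "default"              # long-lived IAM user keys that call STS
REFRESH_MARGIN = timedelta(minutes=10)  # assumed: renew this long before expiry


def parse_session_token(output_json: str) -> dict:
    """Map the JSON printed by `aws sts get-session-token` onto credentials-file keys."""
    creds = json.loads(output_json)["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],   # bookkeeping only; the CLI does not need it
    }


def needs_refresh(expiration: Optional[str], now: Optional[datetime] = None) -> bool:
    """True when no expiry is recorded or it falls within REFRESH_MARGIN of now."""
    if not expiration:
        return True
    now = now or datetime.now(timezone.utc)
    # STS prints ISO-8601 with a trailing Z; fromisoformat() wants an explicit offset.
    exp = datetime.fromisoformat(expiration.replace("Z", "+00:00"))
    return exp - now <= REFRESH_MARGIN


def read_expiration(credentials_path: Path, profile: str = PROFILE_NAME) -> Optional[str]:
    """Return the stored expiry for the profile, or None if the section/key is missing."""
    cp = configparser.ConfigParser()
    cp.read(credentials_path)
    return cp.get(profile, "expiration", fallback=None)


def write_mfa_profile(credentials_path: Path, creds: dict, profile: str = PROFILE_NAME) -> None:
    """Create or overwrite [profile] while leaving every other section untouched."""
    cp = configparser.ConfigParser()
    cp.read(credentials_path)          # a missing file is simply treated as empty
    cp[profile] = creds                # replaces the whole section atomically in memory
    credentials_path.parent.mkdir(parents=True, exist_ok=True)
    with open(credentials_path, "w") as fh:
        cp.write(fh)
    os.chmod(credentials_path, 0o600)  # the session token is a bearer credential


def fetch_session_token(serial_number: str, token_code: str,
                        source_profile: str = SOURCE_PROFILE,
                        duration_seconds: int = 43200) -> dict:
    """Call the real AWS CLI (assumed installed); 43200 s (12 h) is the STS default."""
    cmd = ["aws", "sts", "get-session-token",
           "--profile", source_profile,
           "--serial-number", serial_number,
           "--token-code", token_code,
           "--duration-seconds", str(duration_seconds),
           "--output", "json"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return parse_session_token(out)


def main(argv) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} <mfa-device-arn> <6-digit-code>", file=sys.stderr)
        return 2
    path = Path.home() / ".aws" / "credentials"
    current = read_expiration(path)
    if not needs_refresh(current):
        print(f"[{PROFILE_NAME}] still valid until {current}")
        return 0
    write_mfa_profile(path, fetch_session_token(argv[1], argv[2]))
    print(f"[{PROFILE_NAME}] refreshed; now run: aws s3 ls --profile secondaccount")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python refresh_mfa_profile.py arn:aws:iam::<FIRST_ACCOUNT>:mfa/<username> 123456` and keep `[profile secondaccount]` pointing at `source_profile = mfa` as in the answer. Two practitioner notes: the AWS CLI can also do this without any script if you add `mfa_serial = arn:aws:iam::<FIRST_ACCOUNT>:mfa/<username>` to `[profile secondaccount]` alongside `role_arn` and `source_profile = default`, in which case it prompts for the code on first use and caches the role credentials itself; and dropping the `aws:MultiFactorAuthPresent` condition, as the answer's "lazy" option suggests, means any long-lived access key in FIRST_ACCOUNT that leaks can assume an admin role in SECOND_ACCOUNT, which is exactly the exposure the condition exists to prevent.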


In order for secondaccount to assume the admin role, it must use the credentials from your default profile. In the provided example your default profile doesn't have access keys defined, hence it can't magically assume the role in secondaccount. For instance:

[default]
region = us-east-1
aws_access_key_id=AKIAJQZVTAZXBSTXXXX
aws_secret_access_key=MYSECRETACCESS
output = json

[profile secondaccount]
role_arn = arn:aws:iam::<SECOND_ACCOUNT_ID>:role/admin
source_profile = default

It works for you in the console because you log in with a username + password combination before assuming the target role, whereas for the CLI you are supposed to provide an access key + secret key to do that.

b.b3rn4rd answered Sep 27 '22 16:09