Roles missing iam:ListAccountAliases causing conflict in profile names #250
Labels:
future: address sometime in the future (possibly, not a promise)
inconsistent behavior: illustrates inconsistent / anti-intuitive behavior
When using the '--all-profiles' flag to automatically write all account/role combinations into the credentials file, there is a conflict issue when 2 accounts have the same role name and those roles don't have the permission 'iam:ListAccountAliases'.
Example:
Assuming Role2 is missing 'iam:ListAccountAliases', the code webssoauth.go will write down the profile as
org-Role2
org-Role2
So the credential file will only have the last account it processed and saved under "org-Role2", missing the creds for one of the accounts.
I would suggest that instead of using the "org" prefix to consider using the account number as the prefix.
Eg:
123-Role2
234-Role2
This way both creds will exist instead of getting overwritten.
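The collision reported above and the suggested account-number fallback, as an added Go example that is not the project's own code. `Role`, `ProfileName`, `BuildProfiles` and `SampleRoles` are hypothetical names, the sample accounts are constructed, and it assumes the alias is used as the prefix whenever it can be read.

```go
package main

import "fmt"

// Role is a constructed stand-in for one account/role pair returned by SSO.
type Role struct {
	AccountID string
	Alias     string // empty when iam:ListAccountAliases is denied
	Name      string
}

// ProfileName uses the alias when it is readable. Without it, the prefix is
// "org" (behaviour described in the issue) or the account number (suggested).
func ProfileName(r Role, useAccountID bool) string {
	prefix := r.Alias
	if prefix == "" {
		prefix = "org"
		if useAccountID {
			prefix = r.AccountID
		}
	}
	return prefix + "-" + r.Name
}

// BuildProfiles keys roles by profile name and records every overwrite, so a
// caller can warn instead of silently dropping one account's credentials.
func BuildProfiles(roles []Role, useAccountID bool) (map[string]Role, []string) {
	profiles := make(map[string]Role)
	var collisions []string
	for _, r := range roles {
		n := ProfileName(r, useAccountID)
		if prev, ok := profiles[n]; ok {
			collisions = append(collisions,
				fmt.Sprintf("%s: account %s replaces account %s", n, r.AccountID, prev.AccountID))
		}
		profiles[n] = r
	}
	return profiles, collisions
}

// SampleRoles is constructed input: two accounts, same role, no alias access.
func SampleRoles() []Role {
	return []Role{{"123", "", "Role2"}, {"234", "", "Role2"}}
}

func main() {
	_, lost := BuildProfiles(SampleRoles(), false)
	kept, _ := BuildProfiles(SampleRoles(), true)
	fmt.Println("org prefix overwrites:", lost, "| account-ID profiles kept:", len(kept))
}
```

Reporting the overwrite matters because a profile named "org-Role2" gives no hint of which account's credentials it holds.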