Cross Account Role Assumption

Does localstack support a user in one account assuming a role in another account?

Currently I have set up a user in account 000000000000 with the following policy:

{
    "UserName": "iam-view-userprofile-rhkps",
    "PolicyName": "iam-user-view-policy",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Resource": "arn:aws:iam::000000000002:role/iam-userprofile-admin-*"
            }
        ]
    }
}

but when I try to assume a role in another account 000000000002 with:
aws --endpoint-url=http://localhost:20015 sts assume-role --role-arn arn:aws:iam:000000000002:role/iam-userprofile-admin-711c1p --role-session-name testsession1

I end up with the following response, with an AssumedRoleUser still in my original account.

{
    "Credentials": {
        "AccessKeyId": "LSIAQAAAAAAAHZSHQYVH",
        "SecretAccessKey": "l+k1bxUajfBtRdcTbXh/+0JQ0TebbVBIfgHOQoQU",
        "SessionToken": "FQoGZXIvYXdzEBYaD7JCHNqpQS8ENS+Ly0AAq7+ayVP0bZ/2APNZPeNA3xF66i8OE+kasBwm+z8gAa1ACchxrtDsKBiQPe0UNz04G7NaKssyZH9Ro64JfjUZ3HYCu9fWYGEF/7Sa7jWhPrrIqbr6TNf0BnUuyBO0KfegZ2kQJZAjXE6+Q0+a+zCjQcPP0GBMPQ35wpCFK+uLKpeJxX3XSrLtMM27HFfeFBbBtxfFIXm1ZXAJrgscETC5+6ixABJhrrGs0laNSQLYHNCjakE30MSELaZstE1Dw1ccHyKUzDgkZ96IB7EBfzHDm3ZRasWW3NWbf1DS0JprTfkXnRG1MEIlqM5n1WmW8KY=",
        "Expiration": "2024-05-16T19:34:59.549000+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROA3X42LBCD9JL54T066:testsession1",
        "Arn": "arn:aws:sts::000000000000:assumed-role/iam-userprofile-admin-711c1p/testsession1"
    },
    "PackedPolicySize": 6
}

Any idea what's going on here?

Also, for reference, here is the role that I am attempting to assume in account 2:

C:\dev> aws --endpoint-url=http://localhost:20015 iam list-roles
{
    "Roles": [
        {
            "Path": "/",
            "RoleName": "iam-userprofile-admin-711c1p",
            "RoleId": "AROAQAAAAAABIET7BXXYC",
            "Arn": "arn:aws:iam::000000000002:role/iam-userprofile-admin-711c1p",
            "CreateDate": "2024-05-16T18:32:58.234137+00:00",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": [
                                "arn:aws:iam::000000000002:user/iam-admin-userprofile-*",
                                "arn:aws:iam::000000000000:user/iam-view-userprofile-*"
                            ]
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "MaxSessionDuration": 3600
        }
    ]
}

Hi @johnhausle!
I cannot reproduce this issue on the latest LocalStack version. Here is a short reproduction script I used; could you try it? I did not use any IAM policies here, so please do not enable ENFORCE_IAM=1 if using Pro.

#!/bin/bash
set -euxo pipefail

# Create the target role in account 000000000002 and a user in account 000000000000.
# LocalStack selects the account from the access key ID, so a 12-digit account ID
# in AWS_ACCESS_KEY_ID addresses that account.
AWS_ACCESS_KEY_ID=000000000002 AWS_SECRET_ACCESS_KEY=test awslocal iam create-role --role-name test-role-acc2 --assume-role-policy-document "{}"
AWS_ACCESS_KEY_ID=000000000000 AWS_SECRET_ACCESS_KEY=test awslocal iam create-user --user-name test-user-acc0

# Issue an access key for the account-0 user and switch the CLI to it.
credentials=$(AWS_ACCESS_KEY_ID=000000000000 AWS_SECRET_ACCESS_KEY=test awslocal iam create-access-key --user-name test-user-acc0)
export AWS_ACCESS_KEY_ID=$(jq -r .AccessKey.AccessKeyId <<< "$credentials")
export AWS_SECRET_ACCESS_KEY=$(jq -r .AccessKey.SecretAccessKey <<< "$credentials")

# Confirm the caller is the account-0 user, then assume the role that lives in account 2.
awslocal sts get-caller-identity
awslocal sts assume-role --role-arn arn:aws:iam::000000000002:role/test-role-acc2 --role-session-name test-session

Also, please make sure you are using the latest image versions.
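
Two checks worth running around a cross-account assume-role call like the ones in the question and in the reproduction script above, as an added example that is not part of the thread or of LocalStack itself: that the role ARN handed to `sts assume-role` has the six-field IAM shape before it is sent, and that the account in the returned `AssumedRoleUser.Arn` is the role's account rather than the caller's own. The ARNs used in the demo are copied from this page (note that the role ARN in the question's `assume-role` command, as typed, has one colon fewer than the ARN reported by `iam list-roles`); the function and variable names are assumptions, and nothing here talks to a LocalStack instance.

```shell
#!/bin/sh
# Added example (not from the issue thread or the LocalStack project).
# 1. arn_account: validate an IAM/STS ARN and print its account-id field.
# 2. check_assumed_account: confirm the assumed-role session landed in the
#    role's account, not the caller's.

# Print the account-id field of an IAM or STS ARN.
# Returns 1 unless the string has the shape
#   arn:partition:service:region:account-id:resource
# with a non-empty partition, service iam or sts, an empty region
# (IAM and STS are global) and a 12-digit account id.
arn_account() {
    printf '%s\n' "$1" | awk -F: '
        NF < 6 || $1 != "arn" || $2 == "" ||
        ($3 != "iam" && $3 != "sts") || $4 != "" ||
        length($5) != 12 || $5 !~ /^[0-9]+$/ { exit 1 }
        { print $5 }'
}

# Succeed only when the role ARN and the AssumedRoleUser ARN name the same account.
# Returns 2 if either ARN is malformed, 1 on an account mismatch, 0 on a match.
check_assumed_account() {
    want=$(arn_account "$1") || return 2
    got=$(arn_account "$2") || return 2
    [ "$want" = "$got" ]
}

# Demo on the values quoted in the thread (constructed from the page).
bad_arn='arn:aws:iam:000000000002:role/iam-userprofile-admin-711c1p'      # as typed in the assume-role command: only five fields
good_arn='arn:aws:iam::000000000002:role/iam-userprofile-admin-711c1p'    # as listed by iam list-roles
response_arn='arn:aws:sts::000000000000:assumed-role/iam-userprofile-admin-711c1p/testsession1'

for arn in "$bad_arn" "$good_arn"; do
    if acct=$(arn_account "$arn"); then
        echo "ok        $arn -> account $acct"
    else
        echo "malformed $arn"
    fi
done

if check_assumed_account "$good_arn" "$response_arn"; then
    echo "assumed-role session is in the role's account"
else
    echo "assumed-role session is NOT in the role's account: re-check the ARN passed to assume-role and the role's trust policy"
fi
```

The account check is the one to keep in a test harness: a session whose ARN still carries the caller's account means the credentials you just received do not confer the cross-account permissions you expected, whatever the call's exit status said.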