This shows how to use the AWS SDK to automatically create SDK clients that use one role to assume another.
```mermaid
sequenceDiagram
participant local_device as Local device
participant originating_account as Originating account
participant destination_account as Destination account
local_device->>originating_account: Authenticate via OOB credentials
local_device->>destination_account: Authenticate via originating account session
local_device->>destination_account: Access resources via destination account session
```
This requires Go and Terraform CLI tools to be pre-installed. Alternatively, you can use VSCode + dev containers to install these in an ephemeral, isolated environment. This also requires two separate AWS profiles to be configured, for use with deploying the cross-account example resources.
```sh
# Set these
export TF_VAR_originating_account_profile="originating-account-profile-name"
export TF_VAR_destination_account_profile="destination-account-profile-name"

# Resource setup
## Download the providers
terraform init
## Preview the changes prior to deploying
terraform plan
## Deploy the infra
terraform apply

# Run the tool
## This will report the originating account role
AWS_CONFIG_FILE=./terraform_created_profile go run .
## This will report the destination account role
AWS_CONFIG_FILE=./terraform_created_profile AWS_PROFILE=destination-account-profile go run .

## Resource teardown
terraform destroy
```
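The "automatic" role assumption that switching `AWS_PROFILE` triggers is driven by the shared config file: a profile carrying `role_arn` and `source_profile` is loaded by assuming that role with the credentials of the source profile, and the SDK follows such links until it reaches a profile that holds credentials directly. The Go program below is an added illustration, not the project's code or the AWS SDK's own resolver: it embeds a constructed config of that shape (the account id, role name and file layout are assumptions) and walks the chain the same way, rejecting a missing or circular `source_profile` instead of looping.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed shared config of the kind a Terraform step could write to AWS_CONFIG_FILE (assumed layout; the account id, role name and profile names are placeholders).
const sampleConfig = `[profile originating-account-profile]
region = us-east-1
[profile destination-account-profile]
role_arn = arn:aws:iam::222222222222:role/DestinationRole
source_profile = originating-account-profile
`

// parseProfiles reads shared-config INI text into profile -> key -> value.
func parseProfiles(cfg string) map[string]map[string]string {
	profiles, cur := map[string]map[string]string{}, ""
	for _, raw := range strings.Split(cfg, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			cur = strings.TrimPrefix(strings.Trim(line, "[]"), "profile ")
			profiles[cur] = map[string]string{}
		} else if k, v, ok := strings.Cut(line, "="); ok && cur != "" {
			profiles[cur][strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return profiles
}

// ResolveChain lists the role ARNs the SDK assumes, in order, to load `profile`: it walks
// source_profile links back to a profile that has no role_arn and supplies credentials itself.
func ResolveChain(profiles map[string]map[string]string, profile string) ([]string, error) {
	chain, seen := []string{}, map[string]bool{}
	for name := profile; ; {
		p, ok := profiles[name]
		if !ok || seen[name] {
			return nil, fmt.Errorf("profile %q is missing or part of a source_profile cycle", name)
		}
		seen[name] = true
		arn, hasRole := p["role_arn"]
		if !hasRole {
			return chain, nil // leaf profile reached
		}
		chain = append([]string{arn}, chain...) // roles nearer the leaf are assumed first
		if name, ok = p["source_profile"]; !ok {
			return nil, fmt.Errorf("%s sets role_arn without a source_profile", arn)
		}
	}
}
```

Calling `ResolveChain(parseProfiles(sampleConfig), "destination-account-profile")` yields the single destination role ARN, while the originating profile yields an empty chain because it holds its own credentials.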