在 python 中使用 boto3 多次承担 IAM 角色

Question

I'm new to working with aws and I'm not sure if I'm wording it correctly but basically, I need to sso in an account -> assume a role in account A -> then assume a role in account B. I am following this article ( https://medium.com/geekculture/programming-aws-iam-using-aws-python-sdk-boto3-part-4-62f2f1c21584 ) on how to assume the role. After I assume the first role in account A, I get the "iam_client" (from the article), then I don't know how can I assume the second role from account B.

import boto3

from botocore.exceptions import ClientError

def lambda_handler(event, context):

sts_client = boto3.client('sts')

try:
    response = sts_client.assume_role(
        RoleArn='arn:aws:iam::<TRUSTING_ACCOUNT_ID>:role/<ROLE_NAME_IN_TRUSTING_ACCOUNT>',
        RoleSessionName='assume_role_session'
    )
except ClientError as error:
    print('Unexpected error occurred... could not assume role', error)
    return error

try:
    iam_client = boto3.client('iam',
                              aws_access_key_id=response['Credentials']['AccessKeyId'],
                              aws_secret_access_key=response['Credentials']['SecretAccessKey'],
                              aws_session_token=response['Credentials']['SessionToken']
                              )
except ClientError as error:
    print('Unexpected error occurred... could not create iam client on trusting account', error)
    return error

EDIT: my aws accounts are setup in a way that I can't assume the role in account B right after sso login. The trust relationship is setup in a way that it only allows a role in account A to assume it.

Answer 1

Check the AWS Official Code Library that contains this use case. When looking for an AWS code example, check this New AWS Doc.

As you can see, the code library shows this use case in different supported programming langanges. The topic is here:

Create an IAM user and assume a role with AWS STS using an AWS SDK

You can assume roles by following the Python example.