Tags: amazon-web-services, amazon-iam, roles, aws-sts

Assume one role from another in the AWS management console


I have two roles configured in my IAM called "role1" and "role2" and a user called "foobar". The trust policy of "role2" is configured so that "role1" is granted the AssumeRole action, while "role1" can be assumed by the foobar user.

So the workflow to use role2 would be to log in as user foobar, then assume role1 and from there assume role2.

I know that I can easily jump from role1 to role2 in the CLI by setting the source_profile value in the configuration file ~/.aws/config. But I have been unable to do the same thing in the management console (web interface). There is the "Switch Role" menu, but that only allows me to assume the role from the user I am logged in as, not from an already assumed role.

So my question is: How can I switch to "role2" in the scenario described above from the management console?


Solution

  • I think the transitive IAM Role switch from AWS Console is not allowed as per the documentation

    Granting a user permissions to switch roles

    When you switch roles in the AWS Management Console, the console always uses your original credentials to authorize the switch. This applies whether you sign in as an IAM user, as a SAML-federated role, or as a web-identity federated role. For example, if you switch to RoleA, it uses your original user or federated role credentials to determine if you are allowed to assume RoleA. If you then try to switch to RoleB while you are using RoleA, your original user or federated role credentials are used to authorize your attempt, not the credentials for RoleA.
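The difference between the CLI chaining the question describes (source_profile in ~/.aws/config) and the console behaviour the quoted documentation describes can be modelled in a few lines. The following is an added example, not code from the original question or answer and not an AWS library: it embeds constructed trust policies and a constructed ~/.aws/config for the role1/role2/foobar setup (the account id 123456789012 and all ARNs are made-up placeholders), resolves the profile chain the way the CLI does, and then authorizes each hop under both sets of rules. Under CLI rules each hop is checked against the credentials of the previous hop, so role2 is reachable; under the console rule every switch is checked against the original sign-in identity, so role2 is refused because its trust policy only names role1.

```python
import configparser

# Constructed sample trust policies for the two roles (placeholder account id and ARNs).
TRUST_POLICIES = {
    "arn:aws:iam::123456789012:role/role1": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:user/foobar"},
            "Action": "sts:AssumeRole",
        }],
    },
    "arn:aws:iam::123456789012:role/role2": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/role1"},
            "Action": "sts:AssumeRole",
        }],
    },
}

# Constructed equivalent of ~/.aws/config: role2 chains through role1, which uses foobar's keys.
AWS_CONFIG = """
[profile foobar]
region = us-east-1

[profile role1]
role_arn = arn:aws:iam::123456789012:role/role1
source_profile = foobar

[profile role2]
role_arn = arn:aws:iam::123456789012:role/role2
source_profile = role1
"""

USER_ARN = "arn:aws:iam::123456789012:user/foobar"


def allowed_principals(role_arn):
    """Return the set of AWS principal ARNs that the role's trust policy allows to assume it."""
    principals = set()
    for stmt in TRUST_POLICIES[role_arn]["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions:
            continue
        aws = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        principals.update(aws)
    return principals


def resolve_chain(config_text, profile):
    """Follow source_profile links as the CLI does. Returns the ordered list of role ARNs
    to assume (first hop first) and the name of the profile holding long-term credentials."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    chain, seen = [], set()
    while True:
        if profile in seen:
            raise ValueError(f"cycle in source_profile chain at {profile}")
        seen.add(profile)
        section = f"profile {profile}"
        if cfg.has_option(section, "role_arn"):
            chain.append(cfg.get(section, "role_arn"))
            profile = cfg.get(section, "source_profile")
        else:
            return list(reversed(chain)), profile


def authorize_cli(config_text, profile, user_arn):
    """CLI/SDK semantics: each hop is authorized with the credentials of the previous hop."""
    roles, _ = resolve_chain(config_text, profile)
    caller = user_arn
    for role_arn in roles:
        if caller not in allowed_principals(role_arn):
            return False, f"{caller} is not trusted by {role_arn}"
        caller = role_arn
    return True, "assumed " + " -> ".join(roles)


def authorize_console(config_text, profile, user_arn):
    """Console 'Switch Role' semantics per the quoted docs: every switch is authorized
    with the original sign-in identity, even while already using an assumed role."""
    roles, _ = resolve_chain(config_text, profile)
    for role_arn in roles:
        if user_arn not in allowed_principals(role_arn):
            return False, f"{user_arn} is not trusted by {role_arn}"
    return True, f"switched to {roles[-1]}"


if __name__ == "__main__":
    print("chain:", resolve_chain(AWS_CONFIG, "role2"))
    print("cli:", authorize_cli(AWS_CONFIG, "role2", USER_ARN))
    print("console:", authorize_console(AWS_CONFIG, "role2", USER_ARN))
```

The practical consequence for the defender is that a trust policy naming only role1 keeps the console from reaching role2 at all; if console access to role2 is required, the trust policy of role2 has to name the original sign-in principal, which widens who can assume it and should be reflected in CloudTrail review of AssumeRole events.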