Tags: amazon-web-services, single-sign-on, aws-cli

Failed to assume role after logging in SSO


The UI path works for me. So let me walk you through this first.

  1. log in with SSO URL
  2. Choose the account from SSO and AWS Console opens
  3. Assume another role
  4. Open s3 and it works

Now I tried to do the same thing with the CLI

  1. log in with SSO
  2. Copy access_key, secret_key, session_token from the SSO page
  3. Run export for access_key, secret_key, session_token in the CLI
  4. Run aws s3 ls to test, but it didn't work (no problem)
  5. Run aws sts assume-role, but it didn't work

    $ aws sts assume-role --role-arn "arn:aws:iam::123456789:role/SomeRole" --role-session-name AWSCLI-Session --region ap-southeast-2
    

=> An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::123456789:assumed-role/AWSReservedSSO_some_role_assume_all_123abc/myid@some.domain is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789:role/SomeRole


Solution

  • I have found the answer. For the second part of my question, steps 1 and 2 are wrong.

    First you need to run

    aws configure sso
    

    This will run some magic and set up a profile under ~/.aws/config

    Then you need to run aws sts assume-role with the --profile flag, and the value is the newly created profile.

    Then it will work.
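The answer above stops at "run aws sts assume-role with --profile". The script below is an added example, not part of the original question or answer, that shows what the profile written by aws configure sso looks like and goes one step further: it adds a second, role-chaining profile (source_profile + role_arn) so the CLI performs the sts:AssumeRole hop itself and aws s3 ls --profile some-role works without pasting any credentials. The profile names sso-base and some-role, the start URL, the account id 123456789012 and the role ARN are placeholder assumptions; the file is written to a temporary path rather than ~/.aws/config.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Generates an AWS CLI v2 config
# with an SSO profile plus a role-chaining profile. All names, URLs and IDs
# are placeholder assumptions.
set -eu

# Write an AWS CLI v2 config with two profiles to the path in $1.
# $2 = SSO start URL, $3 = SSO region, $4 = account id,
# $5 = permission-set role name (sso_role_name), $6 = ARN of the role to chain into.
write_aws_config() {
  local out="$1" start_url="$2" sso_region="$3" account_id="$4"
  local sso_role="$5" target_role_arn="$6"
  mkdir -p "$(dirname "$out")"
  cat >"$out" <<EOF
# Profile equivalent to what 'aws configure sso' writes: the CLI fetches the
# short-lived credentials for the permission set itself, nothing is pasted by hand.
[profile sso-base]
sso_start_url = ${start_url}
sso_region = ${sso_region}
sso_account_id = ${account_id}
sso_role_name = ${sso_role}
region = ap-southeast-2
output = json

# Role-chaining profile: the CLI calls sts:AssumeRole on role_arn with the
# credentials of source_profile, the same hop the console does manually.
[profile some-role]
source_profile = sso-base
role_arn = ${target_role_arn}
role_session_name = AWSCLI-Session
region = ap-southeast-2
EOF
  chmod 600 "$out"   # credentials-adjacent config: owner-readable only
}

# Print the profile names defined in a config file, one per line.
config_profiles() {
  sed -n 's/^\[profile \([^]]*\)\]$/\1/p' "$1"
}

# Print the value of key $2 in section [profile $3] of config file $1.
config_get() {
  awk -v sect="[profile $3]" -v key="$2" '
    $0 == sect { in_s = 1; next }
    /^\[/      { in_s = 0 }
    in_s && $1 == key { print $3; exit }' "$1"
}

# Demo run against a temp file so ~/.aws/config is never touched.
demo() {
  local cfg
  cfg="$(mktemp -d)/config"
  write_aws_config "$cfg" "https://d-0123456789.awsapps.com/start" "ap-southeast-2" \
    "123456789012" "some_role_assume_all" "arn:aws:iam::123456789012:role/SomeRole"
  cat "$cfg"
  echo "# With this file in place (copied to ~/.aws/config) the workflow is:"
  echo "#   aws sso login --profile sso-base"
  echo "#   aws sts get-caller-identity --profile sso-base   # assumed-role/AWSReservedSSO_..."
  echo "#   aws s3 ls --profile some-role                    # CLI assumes SomeRole via sso-base"
  echo "#   aws sts get-caller-identity --profile some-role  # assumed-role/SomeRole"
}
demo
```

Two checks worth running if the chained profile still returns AccessDenied: aws sts get-caller-identity --profile sso-base must show the AWSReservedSSO_... role you expect, and that role needs both an identity policy allowing sts:AssumeRole on SomeRole (in the permission set) and an entry in SomeRole's trust policy; AssumeRole fails with the same AccessDenied message shown in the question when either side is missing.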