Andrej Burger
> The problem, as you stated in the issue, is that you are not using the role parameter correctly. When you set it up, ESO will try to AssumeRole before...
> You can attach a role to the pod using [IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html), [kiam](https://github.com/uswitch/kiam) or [kube2iam](https://github.com/jtblin/kube2iam). When no other authentication method is configured in the Kind=Secretstore this role is used to make...
> So this goes back to a permission problem as to why ESO cannot get an STS token with that role. Because the role-assumed session token cannot create another session...
Thank you for looking into this @gusfcarvalho! Much appreciated... Unfortunately the `role` parameter is unusable with the current implementation IMHO. And as there exists such a parameter in the generator,...
> As I said, it's not like we do an API call and the new credential is bound to the role - this is just client-sided config (at least...
> Actually, [@Dietatko](https://github.com/Dietatko) are you aware that GetSessionToken _cannot_ be called with temporary credentials but only an access key + an id? ( GetSessionToken is what STSSessionToken is using to...
Another option would be to unify the "with role" and "without role" paths and simply always fetch a temporary token here: https://github.com/external-secrets/external-secrets/blob/307c0a8468967cd862a0cfd6eb14ca3c5e86c88e/pkg/provider/aws/auth/auth.go#L208C71-L209C3 Whether the token has role assumed or not,...
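The unified path suggested above, as an added example that is not ESO's code: a Go sketch (standard library only, with a fake STS client; the type names, the `SessionCredentials` function and the IRSA sample credentials are all constructed here) in which a configured role always goes through AssumeRole, while GetSessionToken is only issued from long-lived keys, since AWS rejects that call when the caller already holds temporary credentials.

```go
package main

import (
	"errors"
	"fmt"
)

// Credentials is a minimal stand-in for an AWS credential set (constructed for this
// example, not ESO's type). A non-empty SessionToken marks them as temporary, i.e.
// already issued by STS (AssumeRole, IRSA, GetSessionToken).
type Credentials struct{ AccessKeyID, SecretAccessKey, SessionToken string }
func (c Credentials) IsTemporary() bool { return c.SessionToken != "" }

// STSClient abstracts the two STS calls discussed in the thread.
type STSClient interface {
	AssumeRole(roleARN string, base Credentials) (Credentials, error)
	GetSessionToken(base Credentials) (Credentials, error)
}

var ErrTemporaryCredentials = errors.New("GetSessionToken cannot be called with temporary credentials")

// SessionCredentials is one reading of the unified "always fetch a temporary token"
// path: with a role it always goes through AssumeRole, which accepts temporary
// credentials (role chaining); without a role it calls GetSessionToken, which AWS only
// accepts from long-lived IAM user keys, so already-temporary credentials pass through.
func SessionCredentials(sts STSClient, base Credentials, roleARN string) (Credentials, error) {
	if roleARN != "" {
		return sts.AssumeRole(roleARN, base)
	}
	if base.IsTemporary() {
		return base, nil // GetSessionToken would be rejected by AWS here
	}
	return sts.GetSessionToken(base)
}

// fakeSTS reproduces the AWS-side rule offline (constructed for this example).
type fakeSTS struct{}
func (fakeSTS) AssumeRole(roleARN string, base Credentials) (Credentials, error) {
	return Credentials{"ASIA-ROLE", "secret", "token-for-" + roleARN}, nil
}
func (fakeSTS) GetSessionToken(base Credentials) (Credentials, error) {
	if base.IsTemporary() {
		return Credentials{}, ErrTemporaryCredentials
	}
	return Credentials{"ASIA-SESSION", "secret", "session-token"}, nil
}

func main() {
	irsa := Credentials{"ASIA-EXAMPLE", "secret", "web-identity-token"} // constructed
	c, err := SessionCredentials(fakeSTS{}, irsa, "arn:aws:iam::123456789012:role/example")
	fmt.Println(c.SessionToken, err)
}
```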