'AWS_PROFILE' AssumeRole fails when the credential source is Ec2InstanceMetadata
Using `Ec2InstanceMetadata` as the `credential_source` for an AWS profile is handled incorrectly when said profile is referenced in SST commands. For example, running `AWS_PROFILE=sandbox sst deploy --stage test`, with the following profile in the `~/.aws/config`:

```ini
[profile sandbox]
role_arn = arn:aws:iam.../SandboxAdmin
region = eu-west-2
credential_source = Ec2InstanceMetadata
```

will fail with the following:

```
Preparing your SST app
Deploying stacks
AccessDenied: User: arn:aws:sts::0...9:assumed-role/GitlabRunner/... is not authorized to perform: cloudformation:DescribeStacks on resource: arn:aws:cloudformation:eu-west-2:... because no identity-based policy allows the cloudformation:DescribeStacks action
```

The above error indicates the assume role isn't being handled correctly, given it still tries to use the GitlabRunner IAM role, not the sandbox profile, and this `~/.aws/config` works as expected with the same IAM role in our other CICD pipelines.
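A preflight check for the situation in this report, added here as an example and not part of SST or the reporter's setup: it resolves the credential chain that a profile like `sandbox` implies (base credentials from `Ec2InstanceMetadata`, then one AssumeRole hop, with `source_profile` chains also followed) and tests whether a caller-identity ARN such as the `assumed-role/GitlabRunner/...` one in the error is actually a session of the profile's `role_arn`. The account id and session names are constructed placeholders.

```python
import configparser
import re

# Constructed from the profile in the issue above; the account id is a placeholder.
SAMPLE_CONFIG = """
[profile sandbox]
role_arn = arn:aws:iam::123456789012:role/SandboxAdmin
region = eu-west-2
credential_source = Ec2InstanceMetadata
"""

ROLE_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")
ASSUMED_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")


def resolve_chain(config_text, profile):
    """Ordered credential steps for `profile`: the base source first, then each
    AssumeRole hop as (role_arn, region). Follows source_profile chains."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    hops, seen = [], set()
    while True:
        section = "default" if profile == "default" else f"profile {profile}"
        if section in seen:
            raise ValueError(f"source_profile chain loops at {profile!r}")
        seen.add(section)
        if not cp.has_section(section):
            raise ValueError(f"no [{section}] in config")
        sec = cp[section]
        if "credential_source" in sec and "source_profile" in sec:
            raise ValueError(f"{profile}: credential_source and source_profile are mutually exclusive")
        if "role_arn" not in sec:
            return [("base", f"profile:{profile}")] + hops[::-1]  # static keys live here
        hops.append(("assume_role", sec["role_arn"], sec.get("region")))
        if "source_profile" in sec:
            profile = sec["source_profile"]
        elif "credential_source" in sec:
            return [("base", sec["credential_source"])] + hops[::-1]
        else:
            raise ValueError(f"{profile}: role_arn needs source_profile or credential_source")


def identity_matches_role(caller_arn, role_arn):
    """True when an STS GetCallerIdentity ARN is a session of role_arn.
    The assumed-role ARN carries only the role name, never its IAM path."""
    role, caller = ROLE_RE.match(role_arn), ASSUMED_RE.match(caller_arn)
    if not (role and caller):
        return False
    return role.group(1) == caller.group(1) and role.group(2).rsplit("/", 1)[-1] == caller.group(2)
```

Running `identity_matches_role` on the ARN from a `sts get-caller-identity` call before deploying would have flagged the GitlabRunner identity in the error above as not being the SandboxAdmin role the profile asks for.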
Hey @pierswilliams, I put in a fix and cut a beta release `0.61.2-next.5`. Can you give it a try and let me know if it works for you?
I believe this works now (as of 1.2.11).
Piers is my colleague. We ended up needing a workaround originally (basically STS assume-role to get some more explicit credentials onto the box - and still needed for SLS and maybe plain CDK). However I had the opportunity to verify this for another project and it allows me to deploy using a profile and EC2InstanceMetadata as the default profile credential_source.