Unable to obtain credentials for a profile that requires a double role assumption

[iliapolo]

Checkboxes for prior research

• I've gone through Developer Guide and API reference
• I've checked AWS Forums and StackOverflow.
• I've searched for previous similar issues and didn't find any solution.

Describe the bug

When using a profile that requires 2 role assumption, sts.getCallerIdentity fails.

Regression Issue

• Select this option if this issue appears to be a regression.

SDK version number

@aws-sdk/client-sts@3.632.0, @aws-sdk/credential-providers@3.632.0

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

v18.20.4

Reproduction Steps

Consider the following ~/.aws/credentials file:

# ACCOUNT_A
[role0]
aws_access_key_id        = XXXX
aws_secret_access_key    = XXXX
aws_session_token        = XXXX

# ACCOUNT_B
[role1]
source_profile = role0
role_arn       = arn:aws:iam::ACCOUNT_B:role/TestIssue32195

# ACCOUNT_B
[role2]
source_profile = role1
role_arn       = arn:aws:iam::ACCOUNT_B:role/TestIssue32195-2

All cross account trust policies and IAM policies have been setup properly to allow:

• role0 can assume role1
• role0 can assume role2
• role1 can assume role2

Now run the following program:

import { STS } from '@aws-sdk/client-sts';
import { fromIni } from '@aws-sdk/credential-providers';

const creds = fromIni({ profile: 'role2' });

async function main() {
  const sts = new STS({ credentials: await creds() });
  await sts.getCallerIdentity();
}

void main();

Observed Behavior

AccessDenied: User: arn:aws:sts::ACCOUNT_B:assumed-role/TestIssue32195-2/aws-sdk-js-1732101456622 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::ACCOUNT_B:role/TestIssue32195-2

Expected Behavior

The call should succeed and return the ARN of role2.

Possible Solution

No response

Additional Information/Context

• Note that the error indicates that role2 is trying to assume itself. For some reason there seem to be an extra role assumption happening.
• Using the same configuration file, the following aws cli command works: aws sts get-caller-identity --profile role2 (tested both aws cli v1 and v2).
• This worked with the SDK v2.
• Originally reported here: CDK CLI: assuming a doubly-chained role fails since 2.167.0 aws-cdk#32195

[kuhe]

Please try v3.651.1 or higher.

[zshzbh]

I'm using the dependencies below and can't reproduce this issue:

{
  "dependencies": {
    "@aws-sdk/client-sts": "^3.696.0",
    "@aws-sdk/credential-providers": "^3.696.0"
  }
}

As @kuhe commented above, try v3.651.1 or higher, and let us know if the issue persists.

[iliapolo]

Will do thanks. Looks like I didn't dive deep enough through existing issues.

[iliapolo]

Tested with 3.696.0 and all works. Thank you!