Aws-sam-cli: sam local start-api --profile option doesn't work with assumed role

Created on 1 Dec 2017 · 12 Comments · Source: aws/aws-sam-cli

My ~/.aws/config looks like:

[profile default]
region = us-east-1
output = json
[profile admin@other]
region = us-east-1
role_arn = arn:aws:iam::123456789012:role/admin
source_profile = default

Specifying --profile admin@other shows a warning in the logs:

2017/12/01 12:12:43 WARNING: No AWS credentials found. Missing credentials may lead to slow startup times as detailed in https://github.com/awslabs/aws-sam-local/issues/134

As a workaround I made a "dev" IAM user and access keys in the "other" account, and configured another awscli profile with those keys. Then --profile dev@other works fine.


All 12 comments

Out of curiosity, can you try your admin@other but set this environment variable: AWS_SDK_LOAD_CONFIG=true

If that works, this should be a relatively easy fix :)

I just tried but no luck.

I had the same issue as I was trying different profiles when using sam local invoke: Using Assume-Role tool is my workaround at the moment.

I ended up with:

eval $(assume-role demo)
sam local invoke...
sam local start-api

Hope that helps

Interesting.

So, here's my thought process so far:

Code where we initialize the session using options: https://github.com/awslabs/aws-sam-local/blob/develop/env.go#L128-L141
Godocs on session, search for: Shared Config Fields
https://docs.aws.amazon.com/sdk-for-go/api/aws/session/

If the AWS_SDK_LOAD_CONFIG environment variable is set, or SharedConfigEnable option is used to create the Session the full shared config values will be loaded. This includes credentials, region, and support for assume role. In addition the Session will load its configuration from both the shared config file (~/.aws/config) and shared credentials file (~/.aws/credentials). Both files have the same format.

Maybe since we override with our own options, the value gets set to false by default and environment variables aren't even attempted?

Gonna fiddle with that assumption a bit more.

I tried exporting the env variable as @iph suggested (AWS_SDK_LOAD_CONFIG=true), and it worked with assume role for me.

Ok. I had an issue just using my default credentials and config as defined in ~/.aws/credentials and ~/.aws/config but exporting AWS_SDK_LOAD_CONFIG=true and restarting sam local resolved it. Now it is correctly picking up my user details.

Feel like this needs to be the default setting already set in the CLI.

Just hit this as well with sam local invoke --profile $AWS_PROFILE func and export AWS_SDK_LOAD_CONFIG=true fixed it for me as well. Note that it had to be true, I first set it to yes and it didn't work.

+1 to the idea that if you use the --profile argument it should set that environment variable for you.
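Added example, not part of the thread and not code from aws-sam-cli or the AWS SDK: a small Go model of why `AWS_SDK_LOAD_CONFIG=yes` leaves the `admin@other` profile unresolved while `true` lets the `role_arn`/`source_profile` chain be read. It assumes the variable is parsed with Go's `strconv.ParseBool`; `parseProfiles`, `resolve` and the embedded config are hypothetical names and constructed sample data.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample mirroring the ~/.aws/config from the report.
const sampleConfig = `[profile default]
region = us-east-1
[profile admin@other]
role_arn = arn:aws:iam::123456789012:role/admin
source_profile = default
`

// parseProfiles reads INI-style text into profile name -> key -> value.
func parseProfiles(text string) map[string]map[string]string {
	profiles := map[string]map[string]string{}
	var cur map[string]string
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			cur = map[string]string{}
			profiles[strings.TrimPrefix(strings.Trim(line, "[]"), "profile ")] = cur
		} else if kv := strings.SplitN(line, "=", 2); len(kv) == 2 && cur != nil {
			cur[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	return profiles
}

// resolve models how a loader treats profile for a given AWS_SDK_LOAD_CONFIG value.
func resolve(loadConfig, profile string) string {
	// Assumption: boolean parsing as in strconv.ParseBool; "yes" fails and yields false.
	enabled, _ := strconv.ParseBool(loadConfig)
	if !enabled {
		return "shared config ignored"
	}
	p, ok := parseProfiles(sampleConfig)[profile]
	if !ok {
		return "profile not found"
	}
	if arn := p["role_arn"]; arn != "" {
		return "assume " + arn + " via " + p["source_profile"]
	}
	return "static credentials for " + profile
}

func main() {
	fmt.Println(resolve("yes", "admin@other"), "|", resolve("true", "admin@other"))
}
```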

I revisited this and it is working for me with export AWS_SDK_LOAD_CONFIG=true and export AWS_PROFILE=admin@other.

I've hit this issue, as well, though slightly differently. I'm using the credential_process setting in my ~/.aws/config (see https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes).

Exporting AWS_PROFILE and/or AWS_SDK_LOAD_CONFIG doesn't work. Passing the --profile flag also doesn't work.

When using aws-cli, I only need to export AWS_PROFILE for the credential_process setting to work properly.

Can you try with the latest SAM CLI? This is completely rewritten to use Boto3. This should work out of the box. Do re-open if it doesn't.

How to solve this issue on Windows?
