How can I create profiles in the AWS CloudShell to access different roles?

Question

The new CloudShell service from AWS allows me to get a CLI session directly within the browser. In this session, I am acting under my currently active role:

$ aws sts get-caller-identity
{
    "UserId": "AROA2MDGRZUIRD434HHAF:johndoe",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/myrole/johndoe"
}

I can assume another role from myrole as expected:

$ aws sts assume-role --role-arn arn:aws:iam::123456789012:role/otherRole --role-session-name mySession123
{
    "Credentials": {
        "AccessKeyId": "ASIA...",
        "SecretAccessKey": "...",
        "SessionToken": "...",
        "Expiration": "2021-04-28T16:29:55+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROA...:mySession123",
        "Arn": "arn:aws:sts::123456789012:assumed-role/otherRole/mySession123"
    }
} 

Now I want to configure a CLI profile to use otherRole. I tried an entry like this:

[profile otherRole]
role_arn = arn:aws:iam::123456789012:role/otherRole

but this causes an error, because I have to specify either a credential_source or a source_profile.

From an EC2 instance with a service role I would set credential_source=Ec2InstanceMetadata but this doesn't work here. Setting source_profile to default also causes an error:

The source profile "default" must have credentials.

How can I create a CLI-profile within the AWS CloudShell to persistentely assume another role?

Answer 1

I found the answer to be documented here. CloudShell ist not using EC2 instances but is rather running in an ECS based container. Thus setting the credential_source to EcsContainer does the trick:

[profile otherRole]
credential_source=EcsContainer
role_arn=arn:aws:iam::123456789012:role/otherRole