QUESTION - Logging through Granted using a centralised account #796
Hi.

What they told me is that we have a central role, let's call it X, that has access to a couple of roles in ALL ACCOUNTS across our organization, so that when we use granted, we first log into the central role, which then logs into the desired account.

My question is: is there really a way to use a "central IAM role" which then logs into whatever role you want to, using granted?

This means a simple flow like this:

assume -c A --> logs into B --> logs into A

Because I think my company is a bit confused about the working of it and we want to have everything well configured.

Thanks a lot, I know this is not a real issue but I did not know where to put my questions.
Replies: 1 comment 1 reply
Hey @EloyTolosaDev, yes this is certainly possible with Granted.

To achieve this, you can set your AWS config file up as follows:

# ~/.aws/config
[profile login]
mfa_serial = arn:aws:iam::123456789012:mfa/user
[profile prod]
source_profile = login
role_arn = arn:aws:iam::123456789012:role/prod

# ~/.aws/credentials
[login]
aws_access_key_id=ASIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

Run
granted credentials import login
(docs here) to store the access and secret key securely within Granted.
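
As an added example (not part of the reply above and not Granted's own code), the Python below walks the `source_profile` links in an AWS config so you can audit which hops a profile takes through the central login profile, and it fails on a missing or looping link. The function names and the extra `audit` profile are assumptions for illustration; the sample config is constructed from the one in the reply.

```python
import configparser

# Constructed sample mirroring the reply's ~/.aws/config, plus one extra
# hypothetical profile ("audit") that chains through "prod".
SAMPLE_CONFIG = """
[profile login]
mfa_serial = arn:aws:iam::123456789012:mfa/user

[profile prod]
source_profile = login
role_arn = arn:aws:iam::123456789012:role/prod

[profile audit]
source_profile = prod
role_arn = arn:aws:iam::123456789012:role/audit
"""


def load_profiles(text):
    """Parse AWS config text into {profile_name: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    profiles = {}
    for section in parser.sections():
        # ~/.aws/config prefixes every section except [default] with "profile ".
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(parser[section])
    return profiles


def resolve_chain(profiles, name):
    """Return (profile, role_arn) hops from base credentials to `name`."""
    chain, seen = [], set()
    while True:
        if name not in profiles:
            raise KeyError(f"profile {name!r} is not defined")
        if name in seen:
            raise ValueError(f"source_profile loop at {name!r}")
        seen.add(name)
        chain.append((name, profiles[name].get("role_arn")))
        source = profiles[name].get("source_profile")
        if source is None:
            return list(reversed(chain))  # base credentials first
        name = source


if __name__ == "__main__":
    for hop, role in resolve_chain(load_profiles(SAMPLE_CONFIG), "audit"):
        print(hop, "->", role or "base credentials (no role_arn)")
```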