Skip to content

AssumeRole chains

Mimic fully supports profiles that chain via source_profile.

How it works

ini
[profile base-profile]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = MyRole
region = eu-west-1

[profile my-role]
role_arn = arn:aws:iam::444455556666:role/MyRole
source_profile = base-profile

When you click Login on my-role, Mimic:

  1. Walks the source_profile chain to find base-profile (the SSO root)
  2. Logs in through base-profile if needed
  3. Marks my-role as the active login

Chain resolution

Mimic resolves the chain by following source_profile references. It detects circular chains and stops at the first profile with sso_session or sso_start_url.

Inherited properties

  • Organization — AssumeRole profiles inherit org from their SSO root
  • Auth state — Expiry and active login propagate through the chain
  • Silent refresh — Detected on the SSO root, updates all profiles in the chain

Multiple hops

Chains of arbitrary length are supported, as long as they terminate at an SSO profile.