nixmind

Reputation: 2266

Assume role from aws cli with SAML

I'm trying to generate aws credentials using aws sts assume-role-with-saml from this documentation

However I'm getting errors and I don't really understand the flow. Normally I have a main account ACCOUNT_A where the SAML_PROVIDER resides and from which I switch role to the account ACCOUNT_B. So from my understanding the syntax should look like:

aws sts assume-role-with-saml --role-arn arn:aws:iam::ACCOUNT_B:role/IAM_ROLE --principal-arn arn:aws:iam::ACCOUNT_A:saml-provider/SAML_PROVIDER --saml-assertion BASE64_ENCODED_RESPONSE

But when I try the above way I get the error:

An error occurred (ValidationError) when calling the AssumeRoleWithSAML operation: Principal exists outside the account of the Role being assumed

Then if I try this way:

aws sts assume-role-with-saml --role-arn arn:aws:iam::ACCOUNT_B:role/IAM_ROLE --principal-arn arn:aws:iam::ACCOUNT_B:saml-provider/SAML_PROVIDER --saml-assertion BASE64_ENCODED_RESPONSE

I get the error:

An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithSAML operation: Specified provider doesn't exist (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlManifestNotFoundException; Request ID: 3565c77a-44b6-11e9-a384-b1f45948a767)

I think the documentation is not clear on the functional aspect, and there is no really clear example on Google... So my questions are:

Upvotes: 3

Views: 6731

Answers (1)

nixmind

Reputation: 2266

In fact I think the SAML part confused me: there's nothing to create in the other account (ACCOUNT_B); if there were, it would mean that you bypass the bounce account (ACCOUNT_A), and it would lose its interest and its security purpose. But you have to use the SAML IdP present on ACCOUNT_A to generate credentials that will then allow you to switch from A to B, exactly as it works without delegation.

Upvotes: 1
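The two-hop flow the answer describes, written out as an added example (this is not code from the question or the answer). Hop 1 exchanges the SAML assertion for temporary credentials in ACCOUNT_A, where both the role and the SAML provider live; hop 2 uses those credentials to assume the role in ACCOUNT_B with a plain AssumeRole. The account IDs, the ACCOUNT_A landing role name `SAML_LANDING_ROLE`, the `IAM_ROLE` and `SAML_PROVIDER` names, and the assertion file path are all placeholders. The `same_account` check reproduces the rule behind the first error in the question (the principal must be in the same account as the role) locally, before any call to STS.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Hop 1: SAML assertion -> temporary credentials in ACCOUNT_A (role and SAML
#        provider both in ACCOUNT_A).
# Hop 2: those credentials -> AssumeRole into the ACCOUNT_B role.
# All account IDs, role names and the provider name are placeholders.
set -eu

ACCOUNT_A="111111111111"   # placeholder: account hosting the SAML provider
ACCOUNT_B="222222222222"   # placeholder: target account reached by switch-role
SAML_ROLE_ARN="arn:aws:iam::${ACCOUNT_A}:role/SAML_LANDING_ROLE"       # placeholder
PRINCIPAL_ARN="arn:aws:iam::${ACCOUNT_A}:saml-provider/SAML_PROVIDER"  # placeholder
TARGET_ROLE_ARN="arn:aws:iam::${ACCOUNT_B}:role/IAM_ROLE"              # placeholder

# The account ID is the fifth colon-separated field of an ARN.
arn_account() {
    printf '%s' "$1" | cut -d: -f5
}

# Succeeds only when both ARNs belong to the same account. STS rejects
# AssumeRoleWithSAML with "Principal exists outside the account of the Role
# being assumed" otherwise, so this catches the mistake before any network call.
same_account() {
    [ "$(arn_account "$1")" = "$(arn_account "$2")" ]
}

# Hop 1: prints "AccessKeyId SecretAccessKey SessionToken" on one line.
# The base64 SAML response is read from a file via the CLI's file:// prefix.
saml_hop() {
    saml_hop_assertion_file="$1"
    same_account "$SAML_ROLE_ARN" "$PRINCIPAL_ARN" || {
        echo "role and SAML provider must live in the same account" >&2
        return 1
    }
    aws sts assume-role-with-saml \
        --role-arn "$SAML_ROLE_ARN" \
        --principal-arn "$PRINCIPAL_ARN" \
        --saml-assertion "file://${saml_hop_assertion_file}" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text
}

# Hop 2: use the ACCOUNT_A credentials to switch into the ACCOUNT_B role.
switch_hop() {
    AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3" \
    aws sts assume-role \
        --role-arn "$TARGET_ROLE_ARN" \
        --role-session-name "saml-switch-$(date +%s)" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text
}

run_flow() {
    creds_a=$(saml_hop "$1")
    # --output text separates the three values with tabs; let the shell split them.
    set -- $creds_a
    switch_hop "$1" "$2" "$3"
}

# AWS is only contacted when explicitly requested, e.g.:
#   RUN_SAML_FLOW=1 sh flow.sh /path/to/saml_response.b64
if [ "${RUN_SAML_FLOW:-0}" = "1" ]; then
    run_flow "$1"
fi
```

The second hop is an ordinary cross-account AssumeRole, which is why nothing SAML-related has to exist in ACCOUNT_B: the trust policy on `IAM_ROLE` in ACCOUNT_B only needs to trust the ACCOUNT_A landing role, exactly as it would for a console switch-role.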
