Why AWS Explorer for VS2017 doesn't want "Session" profile types?

Question

Background:

In our organisation we have a bunch of AWS Accounts.

We use one of them to define all the IAM users, one for each developer. Then every team has a different AWS Account.

To work into an account, a developer has to impersonate a Role, called "Developer".

Also, we have the Mfa authentication required for every user.

To get the AWS Explorer work in Visual Studio 2015 then, we create, through Powershell, a Session ProfileType credential in the RegisteredAccounts.json file. This way we can tie the Mfa authentication and the role impersonation in one temporarily valid profile and store it locally.

That profile is then picked up by Visual Studio 2015 and then AWS Explorer works by impersonating the "Developer" role in any of our accounts.

Problem

This handy behavior seems to have disappeared with the VS 2017 version of the AWS Toolkit: any profile with "ProfileType" : "Session" stored in the RegisteredAccounts.json can't be used.

Now we can't use this workaround anymore.

Is this intentional? Is this a bug? Is there another way to make the AWS Toolkit for VS 2017 impersonate an AWS Role?

Answer 1

I am in a similar situation. However, I use awsume to assume roles.

It has an -o parameter for appending the assumed role's credentials out to %USERPROFILE%\.aws\credentials as an additional profile.

Since this profile doesn't require MFA, it is selectable by the AWS Toolkit for Visual Studio 2017 and 2019.

UPDATE: The AWS Toolkit for Visual Studio supports assumed roles with MFA now.