I'm seeing this error:

error: 1 error occurred:
        * error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::{account id}:role/debug) cannot be assumed.
    
    There are a number of possible causes of this - the most common are:
      * The credentials used in order to assume the role are invalid
      * The credentials do not have appropriate permission to assume the role
      * The role ARN is not valid
    
    Error: NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors

~/.aws/config

contains the following (it's using aws2-wrap):

[default]
region = us-west-2
sso_account_id = {account id}
sso_region = us-west-2
sso_role_name = AWSAdministratorAccess
sso_start_url = {redacted}
credential_process = aws2-wrap --process --profile default

[profile chaueter-sandbox]
region = us-west-2
role_arn = arn:aws:iam::{account id}:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dbc09583d3a27737
source_profile = default
sso_account_id = {account id}
sso_region = us-west-2
sso_role_name = AWSAdministratorAccess
sso_start_url = {redacted}

Pulumi is able to authenticate with the

chaueter-sandbox

profile and CRUD resources. However, it cannot assume the role set by

assume_role

in an

aws.Provider

:

aws.Provider(
        resource_name="provider",
        assume_role=aws.ProviderAssumeRoleArgs(
            duration_seconds=2 * 60 * 60,
            role_arn="{the role arn}",
            session_name="session",
        ),
        max_retries=1,
        profile=os.environ["AWS_PROFILE"],
        region=pulumi.Config("aws").require("region"),
    )

I tried this condition for the

assume_role

policy:

test="StringEquals",
values=["<mailto:chaueter@valohealth.com|chaueter@valohealth.com>"],
variable="SAML:mail",

and got the same error message.