No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hi, I've got some trouble chaining providers with assumeRole and I guess Im doing something perfectly wrong, as the role chaining works in my shell.
When executing pulumi up I am in the starting role, then I create the first provider ("intermediate") and execute aws.getCallerIdentity() and I get the correct json
Then I use this provider to assume into the destination role inside a second account but ..

Intermediate Provider config:
```// Intermediate Provider
const providerIntermediate = new aws.Provider(
  "assume-role",
  {
    assumeRole: {
      roleArn: "arn:aws:iam::111111111111:role/intermediate",
      sessionName: "intermediate",
    },
    region: aws.config.requireRegion(),
});

// sts get-caller-identity for intermediate role provider
aws.getCallerIdentity({provider: providerIntermediate}).then(onfulfilled =&gt; console.log(onfulfilled),onrejected =&gt; console.log(onrejected))```

This one will end in an error:
```// Destination provider
const providerDestination = new aws.Provider("assume-dest-role", {
  assumeRole: {
    roleArn: "arn:aws:iam::222222222222:role/destination",
    sessionName: "destination",
  },
  region: aws.config.requireRegion(),
},
  { provider: providerIntermediate, dependsOn: providerIntermediate }
);

// This one failes ..
aws.getCallerIdentity({provider: providerDestination}).then(onfulfilled =&gt; console.log(onfulfilled),onrejected =&gt; console.log("rejected with: "+ onrejected))```


the console log output with the onrejected:
```    rejected with: Error: invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: 1 error occurred:
        * error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::222222222222:role/destination) cannot be assumed.
    There are a number of possible causes of this - the most common are:
      * The credentials used in order to assume the role are invalid
      * The credentials do not have appropriate permission to assume the role
      * The role ARN is not valid
    Error: NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors```


Any Ideas what I am missing?

For the completness my execution flow is:
my_execution_role -- assumes --&gt; intermediateRole -- assumes --&gt; Destination Role

I am particular puzzled by the "no valid providers in chain" message